Signature Implementations
CIDS signatures come in two implementation types: every signature is either context based or content based. The implementation type describes which part of the TCP/IP packet the signature examines.
Context-Based Signatures
Context-based signatures are triggered by the data contained in the packet header; information in the IP, TCP, and UDP headers is what fires them. The information examined by context-based signatures includes the following:
- IP Options
- IP Fragmentation Parameters
- TCP Flags
- IP Protocol Field
- IP, TCP, and UDP Checksums
- IP Addresses
- Port Numbers
Content-Based Signatures
Content-based signatures search the data portion (payload) of the TCP/IP packet, looking for a match. Table 26-1 lists example signatures and the implementation type each one uses.
Table 26-1: Content- and Context-Based Signatures
| Signature Name | Signature Implementation |
|---|---|
| ICMP Echo Request | Content |
| ICMP Net Sweep w/ Echo | Context |
| WWW IIS Unicode | Content |
| TFN Client Request | Content |
Signature Structure
As previously discussed, signature implementations deal with packet headers and packet payloads. The structure of a signature deals with the number of packets that must be examined to trigger an alarm. Two types of signature structure exist:
Atomic Structure
Some attacks can be detected by matching IP header information (context based) or string information (content based) contained in a single IP packet. Any signature that can be matched with a single packet falls into the atomic category. Because atomic signatures examine individual packets, there's no need to collect or store state information.
An example of an atomic signature is the SYN-FIN signature (signature ID 3041). This signature looks for packets that have both the SYN and FIN flags set. The SYN flag indicates the packet is attempting to begin a new connection; the FIN flag indicates the packet is attempting to close an existing connection. These two flags shouldn't be used together, so a packet carrying both is an indication of possible intrusive activity.
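The following is an added example, not code from the book or from the Cisco sensor software, that shows how an atomic signature is evaluated against a single packet: it parses a constructed IPv4/TCP packet, applies a context-based check (the SYN-FIN combination from signature 3041) to the TCP flags, and applies a content-based check (a constructed byte pattern standing in for the string a real content signature would define) to the payload. Nothing is stored between packets, which is what makes both checks atomic. The packet builder, the `CONTENT_PATTERN` value and the `evaluate` helper are assumptions made for this example; the packets it builds leave checksums at zero.

```python
import struct
from dataclasses import dataclass

IPPROTO_TCP = 6
TCP_FIN = 0x01
TCP_SYN = 0x02
TCP_PSH_ACK = 0x18

# Constructed stand-in for the payload string a content-based signature would
# match on; a real signature definition supplies its own pattern.
CONTENT_PATTERN = b"..%c0%af.."


def ip_bytes(addr: str) -> bytes:
    return bytes(int(octet) for octet in addr.split("."))


def build_tcp_packet(src, dst, sport, dport, flags, payload=b""):
    """Constructed IPv4 + TCP packet (example input; checksums left at zero)."""
    total_len = 20 + 20 + len(payload)
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234, 0x4000,
                         64, IPPROTO_TCP, 0, ip_bytes(src), ip_bytes(dst))
    tcp_hdr = struct.pack("!HHIIHHHH", sport, dport, 0, 0,
                          (5 << 12) | flags, 8192, 0, 0)
    return ip_hdr + tcp_hdr + payload


@dataclass
class Packet:
    src: str
    dst: str
    proto: int
    sport: int
    dport: int
    tcp_flags: int
    payload: bytes


def parse_ipv4_tcp(raw: bytes) -> Packet:
    """Split one raw packet into the header fields (context) and payload (content)."""
    ihl = (raw[0] & 0x0F) * 4
    total_len = struct.unpack("!H", raw[2:4])[0]
    proto = raw[9]
    src = ".".join(str(b) for b in raw[12:16])
    dst = ".".join(str(b) for b in raw[16:20])
    if proto != IPPROTO_TCP:
        raise ValueError("example parser only handles TCP")
    tcp = raw[ihl:total_len]
    sport, dport = struct.unpack("!HH", tcp[:4])
    off_flags = struct.unpack("!H", tcp[12:14])[0]
    data_off = (off_flags >> 12) * 4          # TCP header length in bytes
    return Packet(src, dst, proto, sport, dport, off_flags & 0x01FF, tcp[data_off:])


def syn_fin_signature(pkt: Packet) -> bool:
    """Context-based, atomic: both SYN and FIN set in one TCP header (ID 3041)."""
    both = TCP_SYN | TCP_FIN
    return (pkt.tcp_flags & both) == both


def content_signature(pkt: Packet, pattern: bytes = CONTENT_PATTERN) -> bool:
    """Content-based, atomic: the pattern appears in this packet's payload."""
    return pattern in pkt.payload


# (name, implementation type, check) -- names are illustrative, not the sensor's list
SIGNATURES = [
    ("SYN-FIN", "context", syn_fin_signature),
    ("example content string", "content", content_signature),
]


def evaluate(raw: bytes):
    """Return the (name, implementation) pairs that fire for a single packet."""
    pkt = parse_ipv4_tcp(raw)
    return [(name, kind) for name, kind, check in SIGNATURES if check(pkt)]


if __name__ == "__main__":
    probe = build_tcp_packet("10.0.0.1", "10.0.0.2", 40000, 80, TCP_SYN | TCP_FIN)
    print(evaluate(probe))
```

Each call to `evaluate` sees exactly one packet and keeps nothing; a sensor running atomic signatures can therefore evaluate every packet independently, which is why no state table is needed for this category.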
Composite Signatures
Composite signatures require a series
of multiple packets to match before an alarm is triggered. Because composite
signatures require multiple packets to make a match, the sensor must also keep
state information describing the packets that were previously examined. If the
sensor analyzes a packet that begins to match a composite signature, the sensor
must record this information while it examines additional traffic to complete
the signature match.
An example composite signature is the IP fragments overlap
signature (signature ID 1103). The sensor must examine multiple IP fragments to
discover an overlap between two or more IP fragments. Because this signature
requires the examination of multiple packets to trigger an alarm, this is a
composite structure signature.
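As an added example (not the book's or the sensor's own code), the composite fragment-overlap signature can be modelled as a class that keeps a small state table keyed by the fields that identify a datagram (source, destination, IP ID, protocol). Each fragment's byte range is recorded, and a fragment whose range intersects one already seen for the same datagram raises the alarm; the signature ID 1103 and name come from the text above, while the fragment builder, the state layout and the alarm format are assumptions made for this example. The constructed fragments leave the IP checksum at zero.

```python
import struct
from dataclasses import dataclass, field

MF_FLAG = 0x2000      # "more fragments" bit in the IP flags/fragment-offset word
OFFSET_MASK = 0x1FFF  # 13-bit fragment offset, counted in 8-byte units
IPPROTO_UDP = 17


def ip_bytes(addr: str) -> bytes:
    return bytes(int(octet) for octet in addr.split("."))


def build_fragment(src, dst, ident, offset, more, payload):
    """Constructed IPv4 fragment for the example (checksum left at zero)."""
    assert offset % 8 == 0, "fragment offsets are multiples of 8 bytes"
    flags_off = (MF_FLAG if more else 0) | (offset // 8)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), ident,
                      flags_off, 64, IPPROTO_UDP, 0, ip_bytes(src), ip_bytes(dst))
    return hdr + payload


@dataclass
class DatagramState:
    """Byte ranges [start, end) seen so far for one fragmented datagram."""
    ranges: list = field(default_factory=list)


class FragmentOverlapSignature:
    """Composite signature: the verdict depends on fragments seen earlier."""

    SIGNATURE_ID = 1103
    NAME = "IP fragments overlap"

    def __init__(self):
        # A real sensor expires these entries on a reassembly timeout; the
        # example keeps them until reset() so the behaviour is deterministic.
        self.state = {}

    def reset(self):
        self.state.clear()

    def inspect(self, raw: bytes):
        """Feed one packet; return an alarm dict on overlap, otherwise None."""
        ihl = (raw[0] & 0x0F) * 4
        total_len, ident, flags_off = struct.unpack("!HHH", raw[2:8])
        proto = raw[9]
        src, dst = bytes(raw[12:16]), bytes(raw[16:20])
        more = bool(flags_off & MF_FLAG)
        start = (flags_off & OFFSET_MASK) * 8
        end = start + (total_len - ihl)

        if not more and start == 0:
            return None  # not a fragment: nothing to correlate

        key = (src, dst, ident, proto)
        st = self.state.setdefault(key, DatagramState())

        alarm = None
        for seen_start, seen_end in st.ranges:
            # Half-open intervals intersect when each starts before the other ends.
            if start < seen_end and seen_start < end:
                alarm = {
                    "signature_id": self.SIGNATURE_ID,
                    "name": self.NAME,
                    "src": ".".join(str(b) for b in src),
                    "dst": ".".join(str(b) for b in dst),
                    "ip_id": ident,
                    "new_range": (start, end),
                    "overlaps": (seen_start, seen_end),
                }
                break
        st.ranges.append((start, end))  # state carried to the next fragment
        return alarm


if __name__ == "__main__":
    sig = FragmentOverlapSignature()
    for frag in (build_fragment("10.0.0.1", "10.0.0.2", 2, 0, True, b"A" * 24),
                 build_fragment("10.0.0.1", "10.0.0.2", 2, 16, False, b"B" * 16)):
        print(sig.inspect(frag))
```

The first fragment of every datagram can never fire the alarm on its own: the sensor has to remember it and wait for a later fragment, which is exactly the stored state that distinguishes a composite signature from an atomic one.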