CIDS organizes all of its signatures into numbered series. When an
alarm is sent, the ID of the signature that generated it is sent with it, and the Event
Viewer displays both the alarm and the signature ID. Recognizing
every signature ID that could generate an alarm would be difficult, but the series
a signature ID falls in tells you what type of signature was matched. Cisco
organized the signatures this way to make them easier to identify.
Each series is a collection of related signatures. The
signature series are 1000, 2000, 3000, 4000, 5000, 6000, 8000, and 10000. The
following list gives each signature series and the kinds of signatures found in
it.
STUDY TIP: Be aware of each signature series and the type of traffic
monitored by each.
1000 Series Signatures—IP Signatures
Includes the following:
- IP Options
- IP fragmentation
- Bad IP Packets
2000 Series Signatures—ICMP Signatures
Includes the following:
- ICMP Traffic Records
- Ping Sweeps
- ICMP Attacks
3000 Series Signatures—TCP Signatures
Includes the following:
4000 Series Signatures—UDP Signatures
Includes the following:
- UDP Traffic Records
- UDP Port Scans
- UDP Attacks
- UDP Applications
5000 Series Signatures—Web (HTTP) Signatures
Includes the following:
6000 Series Signatures—Cross Protocol Signatures
Includes the following:
- DNS Attacks
- RPC Service Attacks
- Authentication Failures
- Loki Attacks
- Distributed DoS Attacks
8000 Series Signatures—String Match Signatures
Includes the following:
- Custom String Matches
- TCP Applications
10000 Series Signatures—ACL Policy Violation Signatures
Includes the following:
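The point of the numbering scheme is that an analyst reading alarms can tell the traffic type from the signature ID alone. The following is an added example, not code from Cisco or from this text: it classifies alarm records by signature series using the table above, flags IDs that fall outside any documented series (the 7000 and 9000 ranges are not listed), and totals the alarms per traffic type. The alarm lines it parses are constructed for the example in a made-up "sigid,description" format; they are not the real Event Viewer export format, and the signature IDs chosen are illustrative rather than specific Cisco signatures.

```python
# Added example, not part of the Cisco IDS documentation: classify CIDS alarms
# by the series of their signature ID so the kind of traffic that fired each
# alarm is visible without memorising every ID.
from collections import Counter

# Series-to-traffic-type table exactly as listed in the text. 7000 and 9000
# are not documented series, so IDs in those ranges are reported as unknown.
SIGNATURE_SERIES = {
    1000: "IP",
    2000: "ICMP",
    3000: "TCP",
    4000: "UDP",
    5000: "Web (HTTP)",
    6000: "Cross Protocol",
    8000: "String Match",
    10000: "ACL Policy Violation",
}


def series_of(sig_id):
    """Return the series (1000, 2000, ..., 10000) a signature ID belongs to.

    A series covers IDs N000 through N999, so integer division by 1000
    recovers it. IDs below 1000, above 10999, or in an undocumented
    series return None.
    """
    if not 1000 <= sig_id <= 10999:
        return None
    series = (sig_id // 1000) * 1000
    return series if series in SIGNATURE_SERIES else None


def traffic_type(sig_id):
    """Human-readable traffic type for a signature ID, or 'unknown series'."""
    return SIGNATURE_SERIES.get(series_of(sig_id), "unknown series")


# Constructed alarm records (hypothetical format "sigid,description").
# The descriptions reuse the category names from the text; the IDs are
# illustrative and are not claimed to be real Cisco signature numbers.
SAMPLE_ALARMS = """\
2004,ICMP ping sweep
3002,TCP port scan
1001,IP options
6050,DNS attack
8000,custom string match
3002,TCP port scan
10001,ACL policy violation
9999,unlisted signature ID
"""


def parse_alarms(text):
    """Parse the constructed alarm lines into (sig_id, description) tuples."""
    alarms = []
    for line in text.splitlines():
        if not line.strip():
            continue
        sig_id, description = line.split(",", 1)
        alarms.append((int(sig_id), description.strip()))
    return alarms


def summarize_by_series(alarms):
    """Count alarms per traffic type so the mix of activity is clear at a glance."""
    return Counter(traffic_type(sig_id) for sig_id, _ in alarms)


if __name__ == "__main__":
    alarms = parse_alarms(SAMPLE_ALARMS)
    for sig_id, description in alarms:
        print(f"{sig_id:>5}  {traffic_type(sig_id):<22} {description}")
    print()
    for kind, count in summarize_by_series(alarms).most_common():
        print(f"{count:3}  {kind}")
```

Note that the 10000 series is the only one with five digits, so a naive "first digit" rule would misfile 10001 as a 1000 series IP signature; dividing by 1000 and checking the result against the documented series avoids that, and also surfaces IDs from series the text does not list instead of silently mislabelling them.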