
- Table of Contents
- Cisco Network Security Little Black Book
- Introduction
- Is this Book for You?
- How to Use this Book
- The Little Black Book Philosophy
- Chapter 1: Securing the Infrastructure
- In Brief
- Enterprise Security Problems
- Types of Threats
- Enterprise Security Challenges
- Enterprise Security Policy
- Securing the Enterprise
- Immediate Solutions
- Configuring Console Security
- Configuring Telnet Security
- Configuring Enable Mode Security
- Disabling Password Recovery
- Configuring Privilege Levels for Users
- Configuring Password Encryption
- Configuring Banner Messages
- Configuring SNMP Security
- Configuring RIP Authentication
- Configuring EIGRP Authentication
- Configuring OSPF Authentication
- Configuring Route Filters
- Suppressing Route Advertisements
- Chapter 2: AAA Security Technologies
- In Brief
- Access Control Security
- Cisco Secure Access Control Server
- Immediate Solutions
- Configuring TACACS+ Globally
- Configuring TACACS+ Individually
- Configuring RADIUS Globally
- Configuring RADIUS Individually
- Configuring Authentication
- Configuring Authorization
- Configuring Accounting
- Installing and Configuring Cisco Secure NT
- Chapter 3: Perimeter Router Security
- In Brief
- Defining Networks
- Cisco Express Forwarding
- Unicast Reverse Path Forwarding
- TCP Intercept
- Network Address Translation
- Committed Access Rate
- Logging
- Immediate Solutions
- Configuring Cisco Express Forwarding
- Configuring Unicast Reverse Path Forwarding
- Configuring TCP Intercept
- Configuring Network Address Translation (NAT)
- Configuring Committed Access Rate (CAR)
- Configuring Logging
- Chapter 4: IOS Firewall Feature Set
- In Brief
- Port Application Mapping
- IOS Firewall Intrusion Detection
- Immediate Solutions
- Configuring Port Application Mapping
- Configuring IOS Firewall Intrusion Detection
- Chapter 5: Cisco Encryption Technology
- In Brief
- Cryptography
- Benefits of Encryption
- Symmetric and Asymmetric Key Encryption
- Digital Signature Standard
- Cisco Encryption Technology Overview
- Immediate Solutions
- Configuring Cisco Encryption Technology
- Chapter 6: Internet Protocol Security
- In Brief
- IPSec Packet Types
- IPSec Modes of Operation
- Key Management
- Encryption
- IPSec Implementations
- Immediate Solutions
- Configuring IPSec Using Manual Keys
- Configuring Tunnel EndPoint Discovery
- Chapter 7: Additional Access List Features
- In Brief
- Wildcard Masks
- Standard Access Lists
- Extended Access Lists
- Reflexive Access Lists
- Dynamic Access Lists
- Additional Access List Features
- Immediate Solutions
- Configuring Standard IP Access Lists
- Configuring Extended IP Access Lists
- Configuring Extended TCP Access Lists
- Configuring Named Access Lists
- Configuring Commented Access Lists
- Configuring Dynamic Access Lists
- Configuring Reflexive Access Lists
- Appendix A: IOS Firewall IDS Signature List
- Appendix B: Securing Ethernet Switches
- Configuring Management Access
- Configuring Port Security
- Configuring Permit Lists
- Configuring AAA Support
- List of Figures
- List of Tables
- List of Listings

Appendix A: IOS Firewall IDS Signature List
This appendix includes a complete list of Cisco IOS Firewall IDS signatures. A signature detects patterns of misuse in network traffic. The 59 intrusion-detection signatures included in the Cisco IOS Firewall software represent the most common network attacks and information-gathering scans that should be considered intrusive activity in an operational network.
The signatures in Table A.1 are listed in numerical order by their signature number in the Cisco Secure IDS Network Security Database (NSD). The Type column gives each signature's class and how it is evaluated: Info signatures flag information-gathering activity such as scans, and Attack signatures flag attempts to compromise or deny service to a host; Atomic signatures are decided from a single packet, while Compound signatures keep state across several packets of a session.
Table A.1: IOS Firewall Network Security Database signatures.
| NSD Number | Name | Description | Type |
|---|---|---|---|
| 1000 | IP options-Bad Option List | Triggers on receipt of an IP datagram in which the list of IP options in the IP datagram header is incomplete. | Info, Atomic |
| 1001 | IP options-Record Packet Route | Triggers on receipt of an IP datagram with the Record Packet Route option (option 7) chosen. | Info, Atomic |
| 1002 | IP options-Timestamp | Triggers on receipt of an IP datagram with the Timestamp option chosen. | Info, Atomic |
| 1003 | IP options-Provide s,c,h,tcc | Triggers on receipt of an IP datagram in which the IP option list for the datagram includes security options. | Info, Atomic |
| 1004 | IP options-Loose Source Route | Triggers on receipt of an IP datagram in which the IP option list for the datagram includes Loose Source Route. | Info, Atomic |
| 1005 | IP options-SATNET ID | Triggers on receipt of an IP datagram in which the IP option list for the datagram includes the SATNET stream identifier. | Info, Atomic |
| 1006 | IP options-Strict Source Route | Triggers on receipt of an IP datagram in which the IP option list for the datagram includes Strict Source Route. | Info, Atomic |
| 1100 | IP Fragment Attack | Triggers when any IP datagram is received with the "more fragments" flag set to 1 or with a non-zero value in the fragment offset field. | Attack, Atomic |
| 1101 | Unknown IP Protocol | Triggers when an IP datagram is received with the protocol field set to 101 or greater; these are undefined or reserved protocol types. | Attack, Atomic |
| 1102 | Impossible IP Packet | Triggers when an IP packet arrives with the source address equal to the destination address. | Attack, Atomic |
| 2000 | ICMP Echo Reply | Triggers when an IP datagram is received with the protocol field in the IP header set to 1 (ICMP) and the type field in the ICMP header set to 0 (Echo Reply). | Info, Atomic |
| 2001 | ICMP Host Unreachable | Triggers when an IP datagram is received with the protocol field in the IP header set to 1 (ICMP) and the type field in the ICMP header set to 3 (Host Unreachable). | Info, Atomic |
| 2002 | ICMP Source Quench | Triggers when an IP datagram is received with the protocol field in the IP header set to 1 (ICMP) and the type field in the ICMP header set to 4 (Source Quench). | Info, Atomic |
| 2003 | ICMP Redirect | Triggers when an IP datagram is received with the protocol field in the IP header set to 1 (ICMP) and the type field in the ICMP header set to 5 (Redirect). | Info, Atomic |
| 2004 | ICMP Echo Request | Triggers when an IP datagram is received with the protocol field in the IP header set to 1 (ICMP) and the type field in the ICMP header set to 8 (Echo Request). | Info, Atomic |
| 2005 | ICMP Time Exceeded for a Datagram | Triggers when an IP datagram is received with the protocol field in the IP header set to 1 (ICMP) and the type field in the ICMP header set to 11 (Time Exceeded for a Datagram). | Info, Atomic |
| 2006 | ICMP Parameter Problem on Datagram | Triggers when an IP datagram is received with the protocol field in the IP header set to 1 (ICMP) and the type field in the ICMP header set to 12 (Parameter Problem on Datagram). | Info, Atomic |
| 2007 | ICMP Timestamp Request | Triggers when an IP datagram is received with the protocol field in the IP header set to 1 (ICMP) and the type field in the ICMP header set to 13 (Timestamp Request). | Info, Atomic |
| 2008 | ICMP Timestamp Reply | Triggers when an IP datagram is received with the protocol field in the IP header set to 1 (ICMP) and the type field in the ICMP header set to 14 (Timestamp Reply). | Info, Atomic |
| 2009 | ICMP Information Request | Triggers when an IP datagram is received with the protocol field in the IP header set to 1 (ICMP) and the type field in the ICMP header set to 15 (Information Request). | Info, Atomic |
| 2010 | ICMP Information Reply | Triggers when an IP datagram is received with the protocol field in the IP header set to 1 (ICMP) and the type field in the ICMP header set to 16 (Information Reply). | Info, Atomic |
| 2011 | ICMP Address Mask Request | Triggers when an IP datagram is received with the protocol field in the IP header set to 1 (ICMP) and the type field in the ICMP header set to 17 (Address Mask Request). | Info, Atomic |
| 2012 | ICMP Address Mask Reply | Triggers when an IP datagram is received with the protocol field in the IP header set to 1 (ICMP) and the type field in the ICMP header set to 18 (Address Mask Reply). | Info, Atomic |
| 2150 | Fragmented ICMP Traffic | Triggers when an IP datagram is received with the protocol field in the IP header set to 1 (ICMP) and either the "more fragments" flag set to 1 or a non-zero value in the fragment offset field. | Info, Atomic |
| 2151 | Large ICMP Traffic | Triggers when an IP datagram is received with the protocol field in the IP header set to 1 (ICMP) and the IP length greater than 1024. | Info, Atomic |
| 2154 | Ping of Death Attack | Triggers when an IP datagram is received with the protocol field in the IP header set to 1 (ICMP), the Last Fragment bit set, and (IP offset * 8) + (IP data length) > 65535; that is, the IP offset (the starting position of this fragment in the original packet, in 8-byte units) plus the rest of the packet is greater than the maximum size of an IP packet. | Attack, Atomic |
| 3040 | TCP-no bits set in flags | Triggers when a TCP packet is received with no bits set in the flags field. | Attack, Atomic |
| 3041 | TCP-SYN and FIN bits set | Triggers when a TCP packet is received with both the SYN and FIN bits set in the flags field. | Attack, Atomic |
| 3042 | TCP-FIN bit with no ACK bit in flags | Triggers when a TCP packet is received with the FIN bit set but no ACK bit set in the flags field. | Attack, Atomic |
| 3050 | Half-open SYN Attack/SYN Flood | Triggers when multiple TCP sessions have been improperly initiated on any of several well-known service ports. Detection of this signature is currently limited to FTP, Telnet, HTTP, and email servers. | Attack, Compound |
| 3100 | Smail Attack | Triggers on the "smail" attack against SMTP-compliant email servers. | Attack, Compound |
| 3101 | Sendmail Invalid Recipient | Triggers on any mail message with a pipe symbol (\|) in the recipient field. | Attack, Compound |
| 3102 | Sendmail Invalid Sender | Triggers on any mail message with a pipe symbol (\|) in the "From:" field. | Attack, Compound |
| 3103 | Sendmail Reconnaissance | Triggers when expn or vrfy commands are issued to the SMTP port. | Attack, Compound |
| 3104 | Archaic Sendmail Attacks | Triggers when wiz or debug commands are issued to the SMTP port. | Attack, Compound |
| 3105 | Sendmail Decode Alias | Triggers on any mail message with ": decode@" in the header. | Attack, Compound |
| 3106 | Mail Spam | Counts the number of "Rcpt to:" lines in a single mail message and sends an alarm after a user-definable maximum has been exceeded (default is 250). | Attack, Compound |
| 3107 | Majordomo Execute Attack | Triggers on exploitation of a bug in the Majordomo program that allows remote users to execute arbitrary commands at the privilege level of the server. | Attack, Compound |
| 3150 | FTP Remote Command Execution | Triggers when someone tries to execute the FTP SITE command. | Attack, Compound |
| 3151 | FTP SYST Command Attempt | Triggers when someone tries to execute the FTP SYST command. | Attack, Compound |
| 3152 | FTP CWD ~root | Triggers when someone tries to execute the CWD ~root command. | Attack, Compound |
| 3153 | FTP Improper Address Specified | Triggers if a PORT command is issued with an address that is not the same as the requesting host's address. | Attack, Atomic |
| 3154 | FTP Improper Port Specified | Triggers if a PORT command is issued with a data port specified that is less than 1024 or greater than 65535. | Attack, Atomic |
| 4050 | UDP Bomb | Triggers when the UDP length specified is less than the IP length specified. | Attack, Atomic |
| 4100 | Tftp Passwd File | Triggers on an attempt to access the passwd file via TFTP. | Attack, Compound |
| 6100 | RPC Port Registration | Triggers when attempts are made to register new RPC services on a target host. | Info, Atomic |
| 6101 | RPC Port Unregistration | Triggers when attempts are made to unregister existing RPC services on a target host. | Info, Atomic |
| 6102 | RPC Dump | Triggers when an RPC dump request is issued to a target host. | Info, Atomic |
| 6103 | Proxied RPC Request | Triggers when a proxied RPC request is sent to the portmapper of a target host. | Attack, Atomic |
| 6150 | ypserv Portmap Request | Triggers when a request is made to the portmapper for the YP server daemon (ypserv) port. | Info, Atomic |
| 6151 | ypbind Portmap Request | Triggers when a request is made to the portmapper for the YP bind daemon (ypbind) port. | Info, Atomic |
| 6152 | yppasswdd Portmap Request | Triggers when a request is made to the portmapper for the YP password daemon (yppasswdd) port. | Info, Atomic |
| 6153 | ypupdated Portmap Request | Triggers when a request is made to the portmapper for the YP update daemon (ypupdated) port. | Info, Atomic |
| 6154 | ypxfrd Portmap Request | Triggers when a request is made to the portmapper for the YP transfer daemon (ypxfrd) port. | Info, Atomic |
| 6155 | mountd Portmap Request | Triggers when a request is made to the portmapper for the mount daemon (mountd) port. | Info, Atomic |
| 6175 | rexd Portmap Request | Triggers when a request is made to the portmapper for the remote execution daemon (rexd) port. | Info, Atomic |
| 6180 | rexd Attempt | Triggers when a call to the rexd program is made. | Info, Atomic |
| 6190 | statd Buffer Overflow | Triggers when a large statd request is sent. This could be an attempt to overflow a buffer and gain access to system resources. | Attack, Atomic |
| 8000 | FTP Retrieve Password File (SubSig ID: 2101) | Triggers on the string "passwd" issued during an FTP session. | Attack, Atomic |
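The atomic signatures in Table A.1 are each a predicate over one packet's header fields, and the table is only useful to an operator who can picture which packets will and will not trip them. The following is an added example, not code from the book or from Cisco IOS: it re-implements the documented trigger conditions for the IP-option (1000-1006), fragment (1100), protocol (1101), impossible-packet (1102), ICMP (2000-2012, 2150, 2151, 2154) and TCP-flag (3040-3042) signatures over raw IPv4 bytes, then runs them against constructed packets. The packet builder, the sample packets, the mapping of option kinds to option numbers via the low five bits of the kind byte, and the choice to read the ICMP type only from a first fragment are all assumptions of this example rather than anything the appendix states.

```python
"""Subset of Table A.1's atomic IDS signatures re-implemented over raw IPv4 bytes.
Added example, not Cisco code. Packet builder and samples are constructed."""
import struct
from socket import inet_aton

# IP option number (low 5 bits of the kind byte) -> signature; assumption of this example.
IP_OPTION_SIGS = {7: 1001, 4: 1002, 2: 1003, 3: 1004, 8: 1005, 9: 1006}
ICMP_TYPE_SIGS = {0: 2000, 3: 2001, 4: 2002, 5: 2003, 8: 2004, 11: 2005, 12: 2006,
                  13: 2007, 14: 2008, 15: 2009, 16: 2010, 17: 2011, 18: 2012}
TCP_FIN, TCP_SYN, TCP_ACK = 0x01, 0x02, 0x10


def parse_ipv4(pkt: bytes) -> dict:
    """Extract the IPv4 header fields that the signatures examine."""
    if len(pkt) < 20:
        raise ValueError("truncated IPv4 header")
    ver_ihl, _, total_len, _, flags_frag, _, proto, _, src, dst = \
        struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    return {"ihl": ihl, "total_len": total_len, "proto": proto, "src": src, "dst": dst,
            "more_frags": bool((flags_frag >> 13) & 0x1),
            "frag_offset": flags_frag & 0x1FFF,      # in 8-byte units
            "options": pkt[20:ihl], "payload": pkt[ihl:total_len]}


def ip_option_kinds(options: bytes) -> list:
    """Walk the RFC 791 option TLVs; ValueError on an incomplete list (signature 1000)."""
    kinds, i = [], 0
    while i < len(options):
        kind = options[i]
        if kind == 0:                      # End of Option List
            break
        if kind == 1:                      # No Operation has no length byte
            i += 1
            continue
        if i + 1 >= len(options):
            raise ValueError("option is missing its length byte")
        length = options[i + 1]
        if length < 2 or i + length > len(options):
            raise ValueError("option length runs past the option list")
        kinds.append(kind)
        i += length
    return kinds


def match_signatures(pkt: bytes) -> list:
    """Return the sorted NSD numbers of the signatures this packet triggers."""
    ip, fired = parse_ipv4(pkt), []
    try:
        fired += [IP_OPTION_SIGS[k & 0x1F] for k in ip_option_kinds(ip["options"])
                  if (k & 0x1F) in IP_OPTION_SIGS]
    except ValueError:
        fired.append(1000)                                 # Bad Option List
    fragment = ip["more_frags"] or ip["frag_offset"] != 0
    if fragment:
        fired.append(1100)                                 # IP Fragment Attack
    if ip["proto"] >= 101:
        fired.append(1101)                                 # Unknown IP Protocol
    if ip["src"] == ip["dst"]:
        fired.append(1102)                                 # Impossible IP Packet
    if ip["proto"] == 1:                                   # ICMP
        if ip["frag_offset"] == 0 and ip["payload"] and ip["payload"][0] in ICMP_TYPE_SIGS:
            fired.append(ICMP_TYPE_SIGS[ip["payload"][0]])  # type is only in the first fragment
        if fragment:
            fired.append(2150)                             # Fragmented ICMP Traffic
        if ip["total_len"] > 1024:
            fired.append(2151)                             # Large ICMP Traffic
        if not ip["more_frags"] and ip["frag_offset"] * 8 + (ip["total_len"] - ip["ihl"]) > 65535:
            fired.append(2154)                             # Ping of Death: reassembles past 65535
    if ip["proto"] == 6 and ip["frag_offset"] == 0 and len(ip["payload"]) >= 14:   # TCP
        flags = ip["payload"][13] & 0x3F                   # URG/ACK/PSH/RST/SYN/FIN bits
        if flags == 0:
            fired.append(3040)
        if flags & TCP_SYN and flags & TCP_FIN:
            fired.append(3041)
        if flags & TCP_FIN and not flags & TCP_ACK:
            fired.append(3042)
    return sorted(fired)


def build_ipv4(src, dst, proto, payload=b"", options=b"", more_frags=False, frag_offset=0) -> bytes:
    """Constructed packet builder; checksums are left zero because no signature here checks them."""
    options += b"\x00" * (-len(options) % 4)               # pad option list to a 32-bit boundary
    ihl = (20 + len(options)) // 4
    flags_frag = ((1 if more_frags else 0) << 13) | (frag_offset & 0x1FFF)
    header = struct.pack("!BBHHHBBH4s4s", 0x40 | ihl, 0, ihl * 4 + len(payload), 0,
                         flags_frag, 64, proto, 0, inet_aton(src), inet_aton(dst))
    return header + options + payload


def sample_packets() -> dict:
    """Constructed packets, one per trigger condition exercised here."""
    def tcp(flags):
        return struct.pack("!HHIIBBHHH", 40000, 80, 1, 0, 5 << 4, flags, 8192, 0, 0)
    echo_request = b"\x08\x00" + b"\x00" * 6
    return {
        "syn_fin": build_ipv4("10.0.0.1", "10.0.0.2", 6, tcp(TCP_SYN | TCP_FIN)),
        "null_scan": build_ipv4("10.0.0.1", "10.0.0.2", 6, tcp(0)),
        "land": build_ipv4("10.0.0.2", "10.0.0.2", 6, tcp(TCP_SYN)),
        # Loose Source Route: kind 131, length 7, pointer 4, one hop 10.0.0.9
        "lsrr_ping": build_ipv4("10.0.0.1", "10.0.0.2", 1, echo_request, options=bytes([131, 7, 4, 10, 0, 0, 9])),
        # option claims 40 bytes but the list holds only 2
        "bad_opts": build_ipv4("10.0.0.1", "10.0.0.2", 1, echo_request, options=bytes([131, 40])),
        # last fragment at offset 8100 * 8 = 64800 carrying 1000 bytes
        "pod_tail": build_ipv4("10.0.0.1", "10.0.0.2", 1, b"A" * 1000, frag_offset=8100),
        "proto_200": build_ipv4("10.0.0.1", "10.0.0.2", 200),
    }


if __name__ == "__main__":
    for name, pkt in sample_packets().items():
        print(f"{name:10s} -> {match_signatures(pkt)}")
```

Two things the table does not make obvious show up when this is run: a SYN+FIN packet fires both 3041 and 3042, because the FIN-without-ACK test is independent of the SYN test, and the trailing fragment of a Ping of Death also fires the generic fragment signatures 1100 and 2150, so an alarm on 2154 will normally arrive alongside Info-level fragment alarms rather than alone.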