Cisco Security Professional's Guide to Secure Intrusion Detection Systems, part 9 (PDF)


518 Appendix A • Cisco IDS Sensor Signatures

■ 2154-Ping of Death Attack: This signature fires when an IP datagram is received with the protocol field of the IP header set to 1 (ICMP), the More Fragments bit clear (that is, this is the last fragment), and (IP offset * 8) + (IP data length) > 65535. In other words, the IP offset (the starting position of this fragment within the original packet, expressed in 8-byte units) plus the rest of the packet exceeds the maximum size of an IP packet. This indicates a DoS attack.
■ 2155-Modem DoS: This signature fires when a series of three pluses (+++) is detected in an ICMP packet.

TCP Signatures 3000 Series

TCP signatures are specific to TCP activity. TCP requires a three-way handshake, and several of the signatures are matched against the TCP traffic on the network. Other activity that is examined includes scans, sweeps, and attacks that attempt to make connections to systems using TCP over specific ports. Some of these signatures also take into consideration bad or abnormal TCP packets.

■ 3001-TCP Port Sweep: This signature fires when a series of TCP connections to a number of different privileged ports (port number less than 1024) on a specific host have been initiated.
■ 3002-TCP SYN Port Sweep: This signature fires when a series of TCP SYN packets have been sent to a number of different destination ports on a specific host.
■ 3003-TCP Frag SYN Port Sweep: This signature fires when a series of fragmented TCP SYN packets have been sent to a number of different destination ports on a specific host.
■ 3005-TCP FIN Port Sweep: This signature fires when a series of TCP FIN packets have been sent to a number of different privileged ports (port number less than 1024) on a specific host.
■ 3006-TCP Frag FIN Port Sweep: This signature fires when a series of fragmented TCP FIN packets have been sent to a number of different privileged destination ports (port number less than 1024) on a specific host.
■ 3010-TCP High Port Sweep: This signature fires when a series of TCP connections to a number of different high-numbered ports (port number greater than 1023) on a specific host have been initiated.
■ 3011-TCP FIN High Port Sweep: This signature fires when a series of TCP FIN packets have been sent to a number of different high-numbered destination ports (port number greater than 1023) on a specific host.
■ 3012-TCP Frag FIN High Port Sweep: This signature fires when a series of fragmented TCP FIN packets have been sent to a number of different high-numbered destination ports (port number greater than 1023) on a specific host.
■ 3015-TCP Null Port Sweep: This signature fires when a series of TCP packets with none of the SYN, FIN, ACK, or RST flags set have been sent to a number of different destination ports on a specific host.
■ 3016-TCP Frag Null Port Sweep: This signature fires when a series of fragmented TCP packets with none of the SYN, FIN, ACK, or RST flags set have been sent to a number of different destination ports on a specific host.
■ 3020-TCP SYN FIN Port Sweep: This signature fires when a series of TCP packets with both the SYN and FIN flags set have been sent to a number of different destination ports on a specific host.
■ 3021-TCP Frag SYN FIN Port Sweep: This signature fires when a series of fragmented TCP packets with both the SYN and FIN flags set have been sent to a number of different destination ports on a specific host.
■ 3030-TCP SYN Host Sweep: This signature fires when a series of TCP SYN packets have been sent to the same destination port on a number of different hosts.
■ 3031-TCP Frag SYN Host Sweep: This signature fires when a series of fragmented TCP SYN packets have been sent to the same destination port on a number of different hosts.
■ 3032-TCP FIN Host Sweep: This signature fires when a series of TCP FIN packets have been sent to the same destination port on a number of different hosts.
■ 3033-TCP Frag FIN Host Sweep: This signature fires when a series of fragmented TCP FIN packets have been sent to the same destination port on a number of different hosts.
■ 3034-TCP NULL Host Sweep: This signature fires when a series of TCP packets with none of the SYN, FIN, ACK, or RST flags set have been sent to the same destination port on a number of different hosts.
■ 3035-TCP Frag NULL Host Sweep: This signature fires when a series of fragmented TCP packets with none of the SYN, FIN, ACK, or RST flags set have been sent to the same destination port on a number of different hosts.
■ 3036-TCP SYN FIN Host Sweep: This signature fires when a series of TCP packets with both the SYN and FIN flags set have been sent to the same destination port on a number of different hosts.
■ 3037-TCP Frag SYN FIN Host Sweep: This signature fires when a series of fragmented TCP packets with both the SYN and FIN flags set have been sent to the same destination port on a number of different hosts.
■ 3038-Fragmented NULL TCP Packet: This signature fires when a single fragmented TCP packet with none of the SYN, FIN, ACK, or RST flags set has been sent to a specific host.
■ 3039-Fragmented Orphaned FIN Packet: This signature fires when a single fragmented orphaned TCP FIN packet is sent to a privileged port (port number less than 1024) on a specific host.
■ 3040-NULL TCP Packet: This signature fires when a single TCP packet with none of the SYN, FIN, ACK, or RST flags set has been sent to a specific host.
■ 3041-SYN/FIN Packet: This signature fires when a single TCP packet with both the SYN and FIN flags set is sent to a specific host.
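The fragment arithmetic of signature 2154 and the flag and sweep conditions of 3002, 3030 and 3040 through 3042 can be checked directly against header fields. The Python below is an added example written for this page; it is not code from the book or from the Cisco sensor. The IPv4 header bytes and the five-tuple packet stream are constructed for the example, the sweep threshold of five is an assumption (the sensor's thresholds are tunable and not given here), and treating a FIN that carries no ACK as "orphaned" is this example's approximation of the signature text.

```python
import struct
from collections import defaultdict
from typing import List, Optional, Tuple

# TCP flag bits as laid out in the TCP header flags byte.
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
IP_MF = 0x2000           # "More Fragments" bit in the IPv4 flags/fragment-offset field
IP_OFFSET_MASK = 0x1FFF  # 13-bit fragment offset, in 8-byte units


def make_ipv4(proto: int, total_len: int, mf: bool, offset: int) -> bytes:
    """Constructed 20-byte IPv4 header for the examples below (checksum left as zero)."""
    flags_off = (IP_MF if mf else 0) | (offset & IP_OFFSET_MASK)
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 1, flags_off, 64, proto, 0,
                       bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))


def ipv4_ping_of_death(packet: bytes) -> bool:
    """Signature 2154 rule: protocol 1 (ICMP), last fragment (MF clear), and
    offset*8 + data length beyond the 65535-byte maximum IP datagram size."""
    ver_ihl, _tos, total_len, _ident, flags_off, _ttl, proto = struct.unpack("!BBHHHBB", packet[:10])
    header_len = (ver_ihl & 0x0F) * 4
    last_fragment = not (flags_off & IP_MF)
    offset = flags_off & IP_OFFSET_MASK
    data_len = total_len - header_len
    return proto == 1 and last_fragment and offset * 8 + data_len > 65535


def classify_tcp_flags(flags: int, dst_port: int) -> Optional[str]:
    """Single-packet flag anomalies from the 3040-3042 family.
    A FIN without ACK is treated as 'orphaned' here (this example's approximation)."""
    if flags & (SYN | FIN | ACK | RST) == 0:
        return "3040-NULL TCP Packet"
    if flags & SYN and flags & FIN:
        return "3041-SYN/FIN Packet"
    if flags & FIN and not flags & ACK and dst_port < 1024:
        return "3042-Orphaned FIN Packet"
    return None


Packet = Tuple[str, str, int, int]  # (src ip, dst ip, dst port, tcp flags)


def detect_sweeps(packets: List[Packet], threshold: int = 5) -> List[Tuple[str, str, object, int]]:
    """Port sweep: one source probes many ports on one host (3002 style).
    Host sweep: one source probes the same port on many hosts (3030 style).
    Only SYN-without-ACK packets are counted; the threshold is an assumption."""
    ports_per_host = defaultdict(set)  # (src, dst) -> {dst ports}
    hosts_per_port = defaultdict(set)  # (src, dst port) -> {dst hosts}
    for src, dst, dport, flags in packets:
        if flags & SYN and not flags & ACK:
            ports_per_host[(src, dst)].add(dport)
            hosts_per_port[(src, dport)].add(dst)
    alerts = []
    for (src, dst), ports in ports_per_host.items():
        if len(ports) >= threshold:
            alerts.append(("3002-TCP SYN Port Sweep", src, dst, len(ports)))
    for (src, dport), hosts in hosts_per_port.items():
        if len(hosts) >= threshold:
            alerts.append(("3030-TCP SYN Host Sweep", src, dport, len(hosts)))
    return alerts


# Constructed traffic: one source sweeping six ports on one host, then port 445 on six hosts.
SAMPLE_PACKETS: List[Packet] = (
    [("192.0.2.10", "198.51.100.5", p, SYN) for p in (21, 22, 23, 25, 80, 110)]
    + [("192.0.2.10", f"198.51.100.{h}", 445, SYN) for h in range(20, 26)]
    + [("192.0.2.77", "198.51.100.5", 80, SYN | ACK)]  # reply traffic, not counted
)

if __name__ == "__main__":
    print("ping of death:", ipv4_ping_of_death(make_ipv4(1, 40, mf=False, offset=8190)))
    print("null packet:", classify_tcp_flags(0, 80))
    for alert in detect_sweeps(SAMPLE_PACKETS):
        print(alert)
```

The Ping of Death check needs only the first ten bytes of the header, which is why a sensor can apply it before reassembly; the sweep counters, by contrast, have to keep per-source state across packets, which is where the thresholds and their false-positive tuning come in.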
■ 3042-Orphaned FIN Packet: This signature fires when a single orphaned TCP FIN packet is sent to a privileged port (port number less than 1024) on a specific host.
■ 3043-Fragmented SYN/FIN Packet: This signature fires when a single fragmented TCP packet with both the SYN and FIN flags set is sent to a specific host.
■ 3045-Queso Sweep: This signature fires after detecting a FIN, a SYN-FIN, and a PUSH packet sent from one specific host to another specific host.
■ 3046-NMAP OS Fingerprint: This signature looks for the unique combination of TCP packets that the NMAP tool uses to fingerprint a remote operating system.
■ 3050-Half-open SYN Attack: This signature fires when multiple TCP sessions have been improperly initiated on any of several well-known service ports.
■ 3100-Smail Attack: This signature fires on the very common smail attack against e-mail servers.
■ 3101-Sendmail Invalid Recipient: This signature fires on any mail message with a pipe (|) symbol in the recipient field.
■ 3102-Sendmail Invalid Sender: This signature fires on any mail message with a pipe (|) symbol in the From: field.
■ 3103-Sendmail Reconnaissance: This signature fires when expn or vrfy commands are issued to the SMTP port.
■ 3104-Archaic Sendmail Attacks: This signature fires when wiz or debug commands are sent to the SMTP port.
■ 3105-Sendmail Decode Alias: This signature fires on any mail message with decode@ in the header.
■ 3106-Mail Spam: Counts the number of RCPT TO: lines in a single mail message and alarms after a user-definable maximum has been exceeded. The default is 250 recipients.
■ 3107-Majordomo Execute Attack: A bug in the Majordomo program allows remote users to execute arbitrary commands at the privilege level of the server.
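Signatures 3101 through 3106 (and the EXPN checks 3121 and 3122 a little further down the page) are all tests on individual SMTP command lines plus one per-message counter. The Python below is an added example for this page, not code from the book or the sensor: the session transcripts are constructed, the regular expressions are this example's own reading of the descriptions, and the decode@ test is applied to the envelope commands rather than to message headers, which is an approximation of the 3105 text.

```python
import re
from typing import List

MAX_RECIPIENTS = 250  # default maximum quoted on the page for 3106; user-definable on the sensor

# (signature name, pattern applied to one client command line). The patterns are this
# example's own reading of the descriptions above, not the sensor's engine.
COMMAND_RULES = [
    ("3102-Sendmail Invalid Sender",     re.compile(r"^MAIL\s+FROM:.*\|", re.I)),
    ("3101-Sendmail Invalid Recipient",  re.compile(r"^RCPT\s+TO:.*\|", re.I)),
    ("3105-Sendmail Decode Alias",       re.compile(r"^(MAIL\s+FROM|RCPT\s+TO):.*decode@", re.I)),
    ("3122-SMTP EXPN Root Recon",        re.compile(r"^EXPN\s+<?root>?\s*$", re.I)),
    ("3121-Vintra MailServer EXPN DoS",  re.compile(r"^EXPN\s+<?\*@", re.I)),
    ("3103-Sendmail Reconnaissance",     re.compile(r"^(EXPN|VRFY)\b", re.I)),
    ("3104-Archaic Sendmail Attacks",    re.compile(r"^(WIZ|DEBUG)\b", re.I)),
]


def inspect_smtp_session(client_lines: List[str]) -> List[str]:
    """Return, in order, the signature names that fire on one client-to-server command stream.
    The RCPT TO counter is per message: it resets on DATA or RSET."""
    alerts: List[str] = []
    rcpt_count = 0
    for raw in client_lines:
        line = raw.rstrip("\r\n")
        for name, pattern in COMMAND_RULES:
            if pattern.search(line):
                alerts.append(name)
        if re.match(r"RCPT\s+TO:", line, re.I):
            rcpt_count += 1
            if rcpt_count == MAX_RECIPIENTS + 1:  # fire once, when the maximum is exceeded
                alerts.append("3106-Mail Spam")
        elif re.match(r"(DATA|RSET)\b", line, re.I):
            rcpt_count = 0
    return alerts


# Constructed client side of a session mixing reconnaissance with a pipe-in-envelope attempt.
SESSION = [
    "HELO mail.example.test",
    "VRFY postmaster",
    "EXPN root",
    "MAIL FROM:<|/usr/bin/uudecode>",
    "RCPT TO:<decode@mail.example.test>",
    "DATA",
]

# Constructed bulk run: one message addressed to more than MAX_RECIPIENTS recipients.
SPAM_RUN = (["MAIL FROM:<a@example.test>"]
            + [f"RCPT TO:<u{i}@example.test>" for i in range(MAX_RECIPIENTS + 3)]
            + ["DATA"])

if __name__ == "__main__":
    print(inspect_smtp_session(SESSION))
    print(inspect_smtp_session(SPAM_RUN))
```

Note that "EXPN root" raises both 3122 and the generic 3103, exactly as an analyst would see two events for one command; the rules are deliberately not made mutually exclusive, because the more specific signature carries the higher severity while the generic one keeps the count of reconnaissance attempts honest.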
■ 3108-MIME Overflow Bug: This signature fires when an SMTP mail message has a MIME "Content-" field that is excessively long.
■ 3109-Long SMTP Command: This signature fires when an attempt is made to pass an overly long command string to a mail server.
■ 3110-Suspicious Mail Attachment: A suspicious mail attachment was found in a mail message.
■ 3111-W32 Sircam Malicious Code: Alarms when a SirCam virus e-mail attachment is sent.
■ 3111:1-W32 Sircam Malicious Code: Alarms when a SirCam virus e-mail attachment is received.
■ 3112-Lotus Domino Mail Loop DoS: Alarms when a To: field in the mail is detected that is greater than 100 characters.
■ 3114-FetchMail Arbitrary Code Execution: Alarms when an e-mail command containing a list of large integers is encountered.
■ 3115-Sendmail Data Header Overflow: Alarms when an e-mail command containing a list of large integers is encountered.
■ 3116-Netbus: The alarm fires upon detecting a NetBus communications channel setup.
■ 3117-KLEZ Worm: The alarm fires when a file named gn.exe is found as an audio/x-wav attachment to an e-mail.
■ 3118-rwhoisd Format String: This signature fires upon detecting a 'soa' command sent to an rwhois server with a large argument.
■ 3119-WS_FTP STAT Overflow: This signature fires when a STAT command with an argument greater than 450 characters is detected.
■ 3120-ANTS virus: The alarm fires when an e-mail is found with the attachment ants3set.exe.
■ 3121-Vintra MailServer EXPN DoS: This signature fires when '*@' is detected as the argument to the SMTP command expn.
■ 3122-SMTP EXPN Root Recon: This signature fires when an attempt to expand the e-mail alias of the 'root' user with the SMTP command expn is detected.
■ 3123-NetBus Pro Traffic: The alarm fires upon detecting a NetBus Pro communications channel setup.
■ 3124-Sendmail Prescan Memory Corruption: This signature looks for an abnormally long (1000+ characters) argument to one of the SMTP commands listed as subsignatures.
The subsignatures are:
■ SubSig 0: MAIL FROM
■ SubSig 1: RCPT TO

■ 3150-FTP Remote Command Execution: This signature fires when someone tries to execute the FTP SITE command.
■ 3151-FTP SYST Command Attempt: This signature fires when someone tries to execute the FTP SYST command.
■ 3152-FTP CWD ~root: This signature fires when someone tries to execute the CWD ~root command.
■ 3153-FTP Improper Address Specified: This signature fires if a PORT command is issued with an address that is not the same as that of the requesting host.
■ 3154-FTP Improper Port Specified: This signature fires if a PORT command is issued with a data port that is less than 1024 or greater than 65535.
■ 3155-FTP RETR Pipe Filename Command Execution: The FTP client can be tricked into running arbitrary commands supplied by the remote server.
■ 3156-FTP STOR Pipe Filename Command Execution: The FTP client can be tricked into running arbitrary commands supplied by the remote server.
■ 3157-FTP PASV Port Spoof: A possible attempt has been made to open connections through a firewall to a protected FTP server on a non-FTP port.
■ 3158-FTP SITE EXEC Format String: Affected versions of wu-ftpd are missing format-string arguments in several function calls that implement the SITE EXEC command functionality.
■ 3159-FTP PASS Suspicious Length: To exploit some wu-ftpd vulnerabilities (signature 3158), a malicious user must supply shellcode in the password field of the FTP login.
■ 3160-Cesar FTP Buffer Overflow: Alarms when a HELP command is followed by 200 or more characters.
■ 3161-FTP realpath Buffer Overflow: This signature fires when an attempt is detected to create or delete a directory during an FTP session using a path argument containing executable machine code, also known as shellcode.
■ 3162-glFtpD LIST DoS: This signature fires when an abnormally long FTP LIST command is detected with an argument composed only of the character '*'.
■ 3163-wu-ftpd Heap Corruption Vulnerability: This signature fires when an unbalanced '{' is detected in FTP traffic.
■ 3164-Instant Server Mini Portal Directory Traversal: This signature fires when ../ is detected in an FTP connection.
■ 3165-FTP SITE EXEC: This signature alarms when a SITE EXEC command is attempted within FTP traffic. There is a potential danger if the SITE EXEC command is allowed on incorrectly configured FTP servers.
■ 3166-FTP USER Suspicious Length: This signature fires when a longer than normal username is detected during an FTP session. This could indicate a buffer overflow attempt.
■ 3167-Format String in FTP Username: This signature fires when a percent sign (%) is detected in the username argument of an FTP login. A percent sign in the username indicates a format string attack.
■ 3168-FTP SITE EXEC Directory Traversal: This signature fires when a SITE EXEC command is attempted with directory traversal arguments (../) within the FTP traffic. There is a potential danger if the SITE EXEC command is allowed on incorrectly configured FTP servers. Directory traversal attempts are indicators of command execution attacks.
■ 3169-FTP SITE EXEC tar: This signature fires when a SITE EXEC command is attempted with a piped tar command as its argument in the FTP traffic. There is a potential danger if the SITE EXEC command is allowed on incorrectly configured FTP servers. Piped tar command attempts are indicators of malicious traffic.
■ 3170-WS_FTP SITE CPWD Buffer Overflow: This signature fires when it detects a SITE CPWD command with an argument greater than 100 characters in length.
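Most of the FTP signatures above (3152 through 3154, 3158, 3163, 3165 through 3169, and 3172 and 3175 a few entries further down) are tests on single commands seen on the control channel, and the PORT checks need the client's own address to compare against. The Python below is an added example for this page, not code from the book or the sensor: the command sequence is constructed, the 100-character length threshold and the pipe-then-tar pattern are this example's assumptions, and the PORT parsing follows the h1,h2,h3,h4,p1,p2 form of RFC 959.

```python
import re
from typing import List, Tuple

LONG_ARG = 100  # length threshold used here; the sensor's own limits are tunable and not given on the page


def parse_port_arg(arg: str) -> Tuple[str, int]:
    """PORT h1,h2,h3,h4,p1,p2 -> (dotted address, data port). Raises ValueError when malformed."""
    parts = [int(p) for p in arg.split(",")]
    if len(parts) != 6 or any(not 0 <= octet <= 255 for octet in parts[:4]):
        raise ValueError("malformed PORT argument")
    return ".".join(str(octet) for octet in parts[:4]), parts[4] * 256 + parts[5]


def inspect_ftp_command(client_ip: str, line: str) -> List[str]:
    """Apply the checks described for 3152-3154, 3158, 3163, 3165-3169, 3172 and 3175
    to one client command on the control channel."""
    alerts: List[str] = []
    verb, _, arg = line.strip().partition(" ")
    verb = verb.upper()
    if verb == "PORT":
        try:
            addr, port = parse_port_arg(arg)
        except ValueError:
            return ["3154-FTP Improper Port Specified"]
        if addr != client_ip:               # data connection aimed at a third party (bounce)
            alerts.append("3153-FTP Improper Address Specified")
        if port < 1024 or port > 65535:
            alerts.append("3154-FTP Improper Port Specified")
    elif verb == "CWD":
        if arg.startswith("~root"):
            alerts.append("3152-FTP CWD ~root")
        if len(arg) > LONG_ARG:
            alerts.append("3172-FTP CWD Overflow")
    elif verb == "USER":
        if "%" in arg:                      # printf-style directives in a username
            alerts.append("3167-Format String in FTP Username")
        if len(arg) > LONG_ARG:
            alerts.append("3166-FTP USER Suspicious Length")
    elif verb == "SITE" and arg.upper().startswith("EXEC"):
        alerts.append("3165-FTP SITE EXEC")
        if "../" in arg:
            alerts.append("3168-FTP SITE EXEC Directory Traversal")
        if re.search(r"\|\s*tar\b", arg):
            alerts.append("3169-FTP SITE EXEC tar")
        if "%" in arg:
            alerts.append("3158-FTP SITE EXEC Format String")
    elif verb == "STAT" and arg.count("/*") >= 2:
        alerts.append("3175-ProFTPD STAT DoS")
    if arg.count("{") != arg.count("}"):    # unbalanced brace, whatever the command
        alerts.append("3163-wu-ftpd Heap Corruption Vulnerability")
    return alerts


def inspect_ftp_session(session: List[Tuple[str, str]]) -> List[Tuple[str, List[str]]]:
    """Return (command, alerts) for every command that triggered at least one check."""
    results = []
    for client_ip, line in session:
        alerts = inspect_ftp_command(client_ip, line)
        if alerts:
            results.append((line, alerts))
    return results


# Constructed control-channel commands from one client, 192.0.2.10.
SESSION = [
    ("192.0.2.10", "USER anonymous"),
    ("192.0.2.10", "PASS guest@"),
    ("192.0.2.10", "PORT 192,0,2,10,8,1"),        # 192.0.2.10:2049, same host: clean
    ("192.0.2.10", "PORT 198,51,100,7,0,25"),     # third-party host, port 25: bounce attempt
    ("192.0.2.10", "CWD ~root"),
    ("192.0.2.10", "USER %n%n%n%n"),
    ("192.0.2.10", "SITE EXEC ../../bin/sh -c 'tar cf - /etc | tar xf -'"),
    ("192.0.2.10", "STAT /*/*/*/*/*"),
    ("192.0.2.10", "CWD " + "A" * 400),
    ("192.0.2.10", "LIST {{{{"),
]

if __name__ == "__main__":
    for command, alerts in inspect_ftp_session(SESSION):
        print(f"{command[:40]!r:44} {', '.join(alerts)}")
```

The PORT comparison is the one that needs per-connection context: without knowing the client address the sensor cannot tell a legitimate active-mode data channel from an FTP bounce, which is why 3153 and 3157 sit next to each other in the list.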
■ 3171-FTP Privileged Login: This signature fires when it detects an FTP login for a privileged user (root or administrator). FTP activity with privileged users is dangerous because passwords are sent in the clear (plaintext) across the network.
■ 3172-FTP CWD Overflow: This signature fires when it detects the FTP command CWD with an abnormally long argument. This is a good sign of a buffer overflow attack.
■ 3173-Long FTP Command: Normal FTP commands may cause false positives. If you receive false positives, you can tune the signature by increasing the default value of the MinMatchLength parameter until false positives are eliminated.
■ 3174-SuperStack 3 NBX FTP DoS: This signature fires when the FTP command cel is received with more than 2048 bytes of arguments.
■ 3175-ProFTPD STAT DoS: This signature fires when an FTP STAT command has several contiguous '/*' character combinations. This is a sign of a denial of service attack.
■ 3176-Cisco ONS FTP DoS: This signature fires when a long "CEL" FTP command is detected.
■ 3200-WWW phf Attack: This signature fires when the phf attack is detected. This is an indicator that an attempt has been made to illegally access system resources.
■ 3201-Unix Password File Access Attempt: These alarms fire when any cgi-bin script attempts to retrieve password files on various operating systems. Examples of such password files are:
■ /etc/passwd (Sub ID 1)
■ /etc/shadow (Sub ID 2)
■ /etc/master.passwd (Sub ID 3)
■ /etc/master.shadow (Sub ID 4)
■ /etc/security/passwd (Sub ID 5)
■ /etc/security/opasswd (Sub ID 6)
Signature 3201 is a good indicator that illegal attempts are being made to access system resources.
■ 3202-WWW .URL File Requested: This signature fires when a user attempts to get any .URL file.
There is a flaw in Microsoft Internet Explorer that could allow illegal access to system resources when .URL files are accessed using the HTTP GET command.
■ 3203-WWW .LNK File Requested: This signature fires when a user attempts to get any .LNK file. There is a flaw in Microsoft Internet Explorer that could allow illegal access to system resources when .LNK files are accessed using the HTTP GET command.
■ 3204-WWW .BAT File Requested: This signature fires when a user attempts to get any .BAT file. There is a flaw in Microsoft Internet Explorer that could allow illegal access to system resources when .BAT files are accessed using the HTTP GET command.
■ 3205-HTML File Has .URL Link: This signature fires when a file has a .URL link. This signature sends a warning to the user before he or she can click on the damaging link. Signature 3202 will fire on any attempt to click on the link, but by then damage can be done before defensive measures are taken. There is a flaw in Microsoft Internet Explorer that could allow illegal access to system resources when .URL files are accessed using the HTTP GET command.
■ 3206-HTML File Has .LNK Link: This signature fires when a file has a .LNK link. This signature sends a warning to the user before he or she can click on the damaging link. Signature 3203 will fire on any attempt to click on the link, but by then damage can be done before defensive measures are taken. There is a flaw in Microsoft Internet Explorer that could allow illegal access to system resources when .LNK files are accessed using the HTTP GET command.
■ 3207-HTML File Has .BAT Link: This signature fires when a file has a .BAT link. This signature sends a warning to the user before he or she can click on the damaging link. Signature 3204 will fire on any attempt to click on the link, but by then damage can be done before defensive measures are taken.
There is a flaw in Microsoft Internet Explorer that could allow illegal access to system resources when .BAT files are accessed using the HTTP GET command.
■ 3208-WWW Campas Attack: This signature fires when attempts are made to pass commands to the CGI program campas. A problem in the CGI program campas, included in the NCSA Web Server distribution, allows attackers to execute commands on the host machine. These commands execute at the privilege level of the HTTP server.
■ 3209-WWW Glimpse Server Attack: This signature fires when attempts are made to pass commands to the Perl script GlimpseHTTP. These could allow attackers to execute commands on the host machine. GlimpseHTTP is an interface to the Glimpse search tool.
■ 3210-WWW IIS View Source Attack: If a request to a Microsoft IIS server is formatted in a certain way, executable files are read instead of being executed. Passwords, scripts, and database information can be revealed. Analysis of the scripts could turn up vulnerabilities. This signature fires when a request is made to an HTTP server attempting to view the source.
■ 3211-WWW IIS Hex View Source Attack: If a request to a Microsoft IIS server is formatted in a certain way, executable files are read instead of being executed. Passwords, scripts, and database information can be revealed. Analysis of the scripts could turn up vulnerabilities. This signature fires when a request is made to an HTTP server with an embedded escape code, %2E, in place of a ".". This is a sign that someone is trying to view the source of a protected web page script.
■ 3212-WWW NPH-TEST-CGI Attack: This signature fires when attempts are made to view directory listings with the script nph-test-cgi. Some but not all HTTP servers include this script. The script can be used to list directories on a server.
This script is for testing purposes and should be removed from production servers.
■ 3213-WWW TEST-CGI Attack: This signature fires when attempts are made to view directory listings with the script test-cgi. Some but not all HTTP servers include this script. The script can be used to list directories on a server. This script is for testing purposes and should be removed from production servers.
■ 3214-IIS DOT DOT VIEW Attack: This signature fires on attempts to view files above the chrooted directory using Microsoft IIS. The result of this attack is the viewing of files not intended for public access. The chroot directory is supposed to be the topmost directory to which HTTP clients have access.
■ 3215-IIS DOT DOT EXECUTE Attack: Fires on attempts to cause Microsoft IIS to execute commands. Valid URL requests can cause false positives. Verify that the target system on which the signature is firing is actually vulnerable.
■ 3216-WWW Directory Traversal ../: This signature fires when attempts to traverse directories on the web server using "../" are detected. This is a sign that attempts are being made to gain access to files and directories outside the root directory of the Web server.

[...]
... History Exploit: This signature fires on an attempt to force a Cisco router to reveal prior users' command history.
■ 3602-Cisco IOS Identity: This signature fires if someone attempts to connect to port 1999 on a Cisco router. This port is not enabled for access.
■ 3603-IOS Enable Bypass: This signature fires when a successful attempt to gain privileged access to a Cisco Catalyst switch has been detected. Verify ...
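The Web signatures listed above (3200 through 3204, 3211 through 3214 and 3216) share one pipeline: decode the request target, normalize the path, then test for traversal, for the password files of 3201 with their Sub IDs, for the known test scripts, and for the .URL/.LNK/.BAT extensions. The Python below is an added example for this page, not code from the book or the sensor: the request lines are constructed, the traversal test flags only ".." segments that climb above the document root, and matching 3211 on any %2E in the path is this example's simplification of the signature text.

```python
import posixpath
from typing import List
from urllib.parse import unquote

# Sub-IDs for 3201 as listed on the page.
PASSWORD_FILES = {
    "/etc/passwd": 1, "/etc/shadow": 2, "/etc/master.passwd": 3,
    "/etc/master.shadow": 4, "/etc/security/passwd": 5, "/etc/security/opasswd": 6,
}
RISKY_EXTENSIONS = {
    ".url": "3202-WWW .URL File Requested",
    ".lnk": "3203-WWW .LNK File Requested",
    ".bat": "3204-WWW .BAT File Requested",
}
KNOWN_SCRIPTS = {
    "phf": "3200-WWW phf Attack",
    "nph-test-cgi": "3212-WWW NPH-TEST-CGI Attack",
    "test-cgi": "3213-WWW TEST-CGI Attack",
}


def escapes_web_root(path: str) -> bool:
    """True when '..' segments climb above the document root (the 3214/3216 condition)."""
    depth = 0
    for segment in path.split("/"):
        if segment == "..":
            depth -= 1
            if depth < 0:
                return True
        elif segment and segment != ".":
            depth += 1
    return False


def inspect_request_line(request_line: str) -> List[str]:
    """Return the signature names that the page's Web checks would raise for one request line."""
    alerts: List[str] = []
    try:
        method, target, _version = request_line.split(" ", 2)
    except ValueError:
        return alerts
    raw_path, _, query = target.partition("?")
    if "%2e" in raw_path.lower():                 # hex-encoded '.' (3211)
        alerts.append("3211-WWW IIS Hex View Source Attack")
    path = unquote(raw_path)                      # decode before any path test
    if escapes_web_root(path):
        alerts.append("3216-WWW Directory Traversal ../")
    clean = posixpath.normpath(path)
    decoded_query = unquote(query)
    for name, sub_id in PASSWORD_FILES.items():
        if name in clean or name in decoded_query:
            alerts.append(f"3201-Unix Password File Access Attempt (Sub ID {sub_id})")
    script = posixpath.basename(clean).lower()
    if script in KNOWN_SCRIPTS:
        alerts.append(KNOWN_SCRIPTS[script])
    extension = posixpath.splitext(script)[1]
    if method.upper() == "GET" and extension in RISKY_EXTENSIONS:
        alerts.append(RISKY_EXTENSIONS[extension])
    return alerts


# Constructed request lines.
SAMPLE_REQUESTS = [
    "GET /index.html HTTP/1.0",
    "GET /cgi-bin/phf?Qalias=x%0a/bin/cat%20/etc/passwd HTTP/1.0",
    "GET /scripts/..%2f..%2fetc%2Fshadow HTTP/1.0",
    "GET /default%2Easp HTTP/1.0",
    "GET /cgi-bin/nph-test-cgi?* HTTP/1.0",
    "GET /downloads/setup.BAT HTTP/1.1",
    "GET /docs/../docs/a.html HTTP/1.0",          # stays inside the root: no alert
]

if __name__ == "__main__":
    for line in SAMPLE_REQUESTS:
        print(f"{line:60} {inspect_request_line(line) or '-'}")
```

Decoding before testing is the whole point of 3211: a sensor that matched the literal string "../" would miss "..%2f..", while one that decodes first catches the traversal and can still report the encoding trick as its own event.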
... an attempt to overflow a buffer in the IMAP daemon. This is an indicator of an attempt to gain unauthorized access to system resources.
■ 3526-Imap Login Buffer Overflow: This signature fires on receipt of packets bound for port 143 that are indicative of an attempt to overflow the imapd login buffer. This is an indicator of an attempt to gain unauthorized access to system resources.
■ 3530-Cisco Secure ACS Oversized TACACS+ Attack: This ...
... GET request is made to port 8383 with a URI longer than 96 bytes.
■ 3732-MSSQL xp_cmdshell Usage: This signature fires when an attempt to use the MSSQL 'xp_cmdshell' stored procedure is detected. This is an indicator that an attempt has been made to execute unauthorized commands on an MSSQL server. Administrators using the 'xp_cmdshell' stored procedure can cause false positives.
■ 3990-BackOrifice BO2K TCP ...
... sent to certain Cisco Secure ACS for NT versions and causes the server to crash. False positives can occur when hosts using the pluggable authentication module (PAM) pam_tacacs for authentication ...
■ 3540-Cisco Secure ACS CSAdmin Attack: This signature fires when a large request is made to the ...
... source. This results in the contents of the packet being "echoed" back to the source IP address, which may be spoofed.
■ 4100-Tftp Passwd File: Fires on an attempt to access the passwd file using TFTP. This signature is a good indicator that an attempt to gain unauthorized access to system resources is occurring.
■ 4101-Cisco TFTPD Directory ...
... successfully launched, it could lead to serious consequences, including system compromise. The source of these alarms should be investigated thoroughly before any actions are taken. Consultation with a security professional is recommended to assist in the investigation.
■ 3300-NetBIOS OOB Data: This signature fires when an attempt to send data Out Of Band to port 139 is detected. This can be used to crash Windows machines ...
... attempt to access the registry will cause an alarm to fire.
■ 3307-Windows RedButton Attack: This signature fires when the RedButton tool is run against a server. The tool is used to demonstrate the security flaw in Windows NT 4.0 that allows remote registry access without a valid user account.
■ 3308-Windows LSARPC Access: This signature fires when an attempt has been made to access the LSARPC service on a Windows system ...
... detecting a SOCKS4 proxy request with an overflow in the DNS field.
■ 3709-AnalogX Proxy Web Proxy Overflow: This signature fires upon detecting a web proxy request with an overflow in the URI field sent to port 6588.
■ 3710-Cisco Secure ACS Directory Traversal: This signature fires upon detecting two or more slashes (//) in an HTTP request sent to port 9090.
■ 3711-Informer FW1 auth replay DoS: This signature fires on ...
... when attempts are made to connect to the hidden Windows administration share ADMIN$. This share point does not appear in normal browsing, and access attempts are indicators that an attempt to break into the system is occurring.
NOTE: Signature 3320 is only available in Cisco IDS versions 4.0 ...
■ 3219-WWW PHP Buffer Overflow: This signature fires when an oversized query is sent to the PHP cgi-bin program. This is an indicator of a buffer overflow attack to gain system access.
■ 3220-IIS Long URL Crash Bug: This signature fires when a large URL is sent to a Web server in an attempt to crash the system.
■ 3221-WWW cgi-viewsource Attack: This signature fires when someone attempts to use the cgi-viewsource script to ...

Posted: 13/08/2014, 15:20
