
The NSDB and Signatures

This chapter contains the following sections:

The Network Security Database (NSDB)

This section introduces the Network Security Database (NSDB)---Cisco's HTML-based encyclopedia of network vulnerability information---and describes the following topics:

Accessing the NSDB from the Director Interface

To access the NSDB from the Director interface, click an Alarm icon and then click Show>NSDB on the Security menu. You do not have to click an Alarm icon first; if you open the NSDB without clicking one, it opens at the main index page, which is pictured in Figure 8-1.


Note: You must set a browser preference before you can access the NSDB from the Director interface. To set it, open nrConfigure by clicking Configure on the Security menu. On nrConfigure, click Preferences on the File menu, type the path to your HTML browser in the Browser Location field, and then click OK.

Figure 8-1: The Network Security Database

Accessing the NSDB from an HTML Browser

To access the NSDB directly from an HTML browser, type the following URL into the browser's location field:

/usr/ciscosec/nsdb/html/all_sigs_index.html
 

Anatomy of an NSDB Entry

A typical NetRanger NSDB entry contains the following critical security information:

Figure 8-2 illustrates how these sections are presented in HTML.


Figure 8-2: Signature Name, Signature ID, SubSig ID, and Description

NetRanger Signatures

This section provides information on NetRanger Signatures, and includes the following topics:

Overview

NetRanger's signatures distill network information and compare it against a rule set indicating typical intrusion activity. If a signature detects misuse or unauthorized activity, it generates an event, which, if it indicates a severe violation, causes an alarm to appear on the Director's user interface.

There are two types of signatures: embedded and string-matching.

Embedded Signatures

Embedded signatures have the following characteristics:

String Matching Signatures

String matching signatures have the following characteristics:

A string-matching signature looks like the following example:

RecordOfStringName     2101     21     1     1     "[Rr][Ee][Tt][Rr][ ]+passwd"
 

where RecordOfStringName is the generic title, 2101 is the SubSignature ID, 21 is the port number to detect on (FTP), the first 1 is the direction (1 = to port, 2 = from port, 3 = both), the second 1 is the number of string-match occurrences to allow before generating an alarm, and "[Rr][Ee][Tt][Rr][ ]+passwd" is the regular expression to match on: RETR in any letter case, one or more spaces, then passwd, that is, an FTP request to download the password file.

Detecting a string match is only the first step in identifying misuse; once misuse is identified, NetRanger requires further instructions to send an alarm. When the number of matches of a particular RecordOfStringName's regular expression reaches the Occurrences limit, an action is triggered by a corresponding SigOfStringMatch token.

This section provides a procedure for setting up corresponding RecordOfStringName and SigOfStringMatch tokens to detect and alarm on the string "secret" used during a Telnet session.

Step 1 On the Director interface, click a Sensor icon and click Configure on the Security menu.

Step 2 On nrConfigure, double-click Intrusion Detection.

Step 3 Click the Profile tab.

Step 4 Click Manual Configuration, and then click Modify Sensor.

Step 5 Scroll down to the "Matched Strings" signature and click it.

Step 6 Click Expand to open the String Signatures dialog box.

The String Signatures dialog box (see Figure 8-3) consists of a grid containing the following columns: string to search on, SubSignature ID, port to scan, direction of traffic to scan, the number of string matches to allow before triggering an action, the action to trigger, and destinations for the data captured by the signature.


Figure 8-3: The String Signatures Dialog Box

Step 7 Click Add.

Step 8 Type [Ss]ecret in the String column.

This regular expression detects instances of the strings "Secret" and "secret".

Step 9 Type a unique number in the ID column.

Step 10 Type 23 in the Port column.

TCP Port 23 is the well-known port for Telnet traffic.

Step 11 Select To & From from the Direction list.

Step 12 Type 1 under Occurrences.

Step 13 Select Reset under Action.

Step 14 Type a 5 in each destination column.

Step 15 Click OK to save the new signature.

Step 16 Click OK to close the Intrusion Detection dialog box.

Step 17 Click Apply to apply the new signature.

Each time the Sensor detects the string "secret" or "Secret" during a Telnet session, it now resets the user's TCP connection, and sends level 5 alarms to all destinations.
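The following Python script is an added example; it is not part of this chapter and not NetRanger code. It models how a Sensor evaluates RecordOfStringName tokens of the format shown earlier: it parses token lines, applies the port and direction fields to each TCP segment, counts regular-expression hits per session, and raises the alarm once the Occurrences value is reached (read here, as the Telnet procedure's value of 1 implies, as "alarm on the Nth match"). The token lines and the traffic are constructed; the SubSignature IDs 9001 and 9002 and the POP3 token are assumptions.

```python
import re
from collections import defaultdict

# Direction codes of a RecordOfStringName token, as documented in the chapter.
TO_PORT, FROM_PORT, BOTH = 1, 2, 3

# Constructed sample configuration: the two tokens the chapter describes
# (FTP "RETR passwd" and the Telnet "[Ss]ecret" signature) plus one
# assumed POP3 token that alarms only after three matches in a session.
SAMPLE_RECORDS = [
    'RecordOfStringName 2101 21 1 1 "[Rr][Ee][Tt][Rr][ ]+passwd"',
    'RecordOfStringName 9001 23 3 1 "[Ss]ecret"',
    'RecordOfStringName 9002 110 1 3 "PASS "',
]

RECORD_RE = re.compile(r'^\s*(\S+)\s+(\d+)\s+(\d+)\s+([123])\s+(\d+)\s+"(.*)"\s*$')


def parse_record(line):
    """Split a RecordOfStringName line into its five fields plus a compiled regex."""
    m = RECORD_RE.match(line)
    if not m:
        raise ValueError("malformed RecordOfStringName line: %r" % line)
    name, subsig, port, direction, occurrences, pattern = m.groups()
    return {"name": name, "subsig": int(subsig), "port": int(port),
            "direction": int(direction), "occurrences": int(occurrences),
            "regex": re.compile(pattern)}


class StringSignatureEngine:
    """Counts regex hits per (signature, TCP session) and alarms at the threshold."""

    def __init__(self, records):
        self.records = records
        self.hits = defaultdict(int)

    @staticmethod
    def _direction_matches(rec, sport, dport):
        to_port = dport == rec["port"]
        from_port = sport == rec["port"]
        if rec["direction"] == TO_PORT:
            return to_port
        if rec["direction"] == FROM_PORT:
            return from_port
        return to_port or from_port          # BOTH

    def inspect(self, src, sport, dst, dport, payload):
        """Feed one TCP segment; return the (subsig, name) alarms it triggers."""
        alarms = []
        # The session key ignores direction so both halves of a conversation
        # share one counter when direction 3 (To & From) is configured.
        session = tuple(sorted([(src, sport), (dst, dport)]))
        for rec in self.records:
            if not self._direction_matches(rec, sport, dport):
                continue
            n = len(rec["regex"].findall(payload))
            if n == 0:
                continue
            key = (rec["subsig"], session)
            self.hits[key] += n
            if self.hits[key] >= rec["occurrences"]:
                alarms.append((rec["subsig"], rec["name"]))
                self.hits[key] = 0           # start counting again for the next alarm
        return alarms


# Constructed sample traffic: (src, sport, dst, dport, payload).
SAMPLE_SEGMENTS = [
    ("10.0.0.5", 40001, "192.0.2.10", 21, "RETR   passwd\r\n"),       # FTP, to port 21
    ("192.0.2.10", 21, "10.0.0.5", 40001, "550 passwd: denied\r\n"),  # from port 21: direction 1 ignores it
    ("10.0.0.5", 40002, "192.0.2.20", 23, "cat secret.txt\r\n"),      # Telnet, to port 23
    ("192.0.2.20", 23, "10.0.0.5", 40002, "Secret plans\r\n"),        # Telnet reply: direction 3 counts it
    ("10.0.0.5", 40003, "192.0.2.30", 80, "RETR passwd"),            # wrong port: no token applies
    ("10.0.0.5", 40004, "192.0.2.40", 110, "PASS a\r\n"),            # POP3: 1 of 3
    ("10.0.0.5", 40004, "192.0.2.40", 110, "PASS b\r\n"),            # 2 of 3
    ("10.0.0.5", 40004, "192.0.2.40", 110, "PASS c\r\n"),            # 3 of 3: alarm
]


def run_sample():
    """Inspect the constructed segments in order; returns one alarm list per segment."""
    engine = StringSignatureEngine([parse_record(l) for l in SAMPLE_RECORDS])
    return [engine.inspect(*seg) for seg in SAMPLE_SEGMENTS]


if __name__ == "__main__":
    for seg, alarms in zip(SAMPLE_SEGMENTS, run_sample()):
        print("%s:%d -> %s:%d %r alarms=%s" % (seg[0], seg[1], seg[2], seg[3], seg[4], alarms))
```

The second segment shows why the direction field matters: the FTP server's reply also contains the word passwd, but the token is configured with direction 1 (to port), so only client-to-server traffic is examined.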

List of Signatures

The following is a list of signatures in NetRanger version 2.2.1. Each signature listing is headed by the Signature ID and Signature Name, followed by the Signature Description.


1000 IP options-Bad Option List

Triggers on receipt of an IP datagram where the list of IP options in the IP datagram header is incomplete or malformed. The IP options list contains one or more options that perform various network management or debugging tasks. The first field of each option in the list consists of an eight bit code field that is broken into three subfields:

1001 IP options-Record Packet Route

Triggers on receipt of an IP datagram where the IP option list for the datagram includes option 7 (Record Packet Route). The IP options list contains one or more options that perform various network management or debugging tasks. The first field of each option in the list consists of an eight bit code field that is broken into three subfields:

1002 IP options-Timestamp

Triggers on receipt of an IP datagram where the IP option list for the datagram includes option 4 (Timestamp). The IP options list contains one or more options that perform various network management or debugging tasks. The first field of each option in the list consists of an eight bit code field that is broken into three subfields:

1003 IP options-Provide s,c,h,tcc

Triggers on receipt of an IP datagram where the IP option list for the datagram includes option 2 (Security options). The IP options list contains one or more options that perform various network management or debugging tasks. The first field of each option in the list consists of an eight bit code field that is broken into three subfields:

1004 IP options-Loose Source Route

Triggers on receipt of an IP datagram where the IP option list for the datagram includes option 3 (Loose Source Route). The IP options list contains one or more options that perform various network management or debugging tasks. The first field of each option in the list consists of an eight bit code field that is broken into three subfields:

1005 IP options-SATNET ID

Triggers on receipt of an IP datagram where the IP option list for the datagram includes option 8 (SATNET stream identifier). The IP options list contains one or more options that perform various network management or debugging tasks. The first field of each option in the list consists of an eight bit code field that is broken into three subfields:

1006 IP options-Strict Source Route

Triggers on receipt of an IP datagram in which the IP option list for the datagram includes option 9 (Strict Source Routing). The IP options list contains one or more options that perform various network management or debugging tasks. The first field of each option in the list consists of an eight bit code field that is broken into three subfields:

1100 IP Fragment Attack

Triggers when any IP datagram is received with a small offset indicated in the offset field. This indicates that the first fragment was unusually small, and is most likely an attempt to defeat packet filter security policies.

1101 Unknown IP Protocol

Triggers when an IP datagram is received with the protocol field set to 101 or greater. These protocol types are undefined or reserved and should not be used. Use of undefined or reserved protocol types may be indicative of establishment of a proprietary communication channel. No known exploits implement this concept. This does not preclude the possibility that exploits do exist outside of the realm of Cisco Systems' knowledge domain.

1102 Impossible IP Packet

This triggers when an IP packet arrives with source equal to destination address. This signature will catch the so-called Land Attack.

1103 IP Fragments Overlap

Some implementations of the TCP/IP IP fragmentation re-assembly code do not properly handle overlapping IP fragments. Teardrop is a widely available attack tool that exploits this vulnerability.

2000 ICMP Echo Reply

Triggers when an IP datagram is received with the `protocol' field of the IP header set to 1 (ICMP) and the `type' field in the ICMP header set to 0 (Echo Reply). ICMP Echo Replies have been used to bypass packet filter security policies because they are rarely filtered in either incoming or outgoing traffic. They may be used to establish a communication channel or to perform denial of service attacks.

2001 ICMP Host Unreachable

Triggers when an IP datagram is received with the `protocol' field of the IP header set to 1 (ICMP) and the `type' field in the ICMP header set to 3 (Host Unreachable). ICMP Host Unreachable datagrams may be used to bypass packet filter security policies as they are rarely filtered in either incoming or outgoing traffic. May be used to perform denial of service attacks.

2002 ICMP Source Quench

Triggers when an IP datagram is received with the `protocol' field of the IP header set to 1 (ICMP) and the `type' field in the ICMP header set to 4 (Source Quench). ICMP Source Quench datagrams may be used to bypass packet filter security policies as they are rarely filtered in either incoming or outgoing traffic. May be used to perform denial of service attacks. No known exploits incorporate this option. This does not preclude the possibility that exploits do exist outside of the realm of Cisco Systems' knowledge domain.

2003 ICMP Redirect

Triggers when an IP datagram is received with the `protocol' field of the IP header set to 1 (ICMP) and the `type' field in the ICMP header set to 5 (Redirect). ICMP Redirects may be used to facilitate system access attempts. No known exploits incorporate this option. This does not preclude the possibility that exploits do exist outside of the realm of Cisco Systems' knowledge domain.

2004 ICMP Echo Request

Triggers when an IP datagram is received with the `protocol' field of the IP header set to 1 (ICMP) and the `type' field in the ICMP header set to 8 (Echo Request). ICMP Echo Requests are commonly used to perform reconnaissance sweeps of networks. These sweeps are often a prelude to attack. Additionally, they may be used to perform denial of service attacks.

2005 ICMP Time Exceeded for a Datagram

Triggers when an IP datagram is received with the `protocol' field of the IP header set to 1 (ICMP) and the `type' field in the ICMP header set to 11 (Time Exceeded for a Datagram). ICMP Time Exceeded datagrams may be used to bypass packet filter security policies because they are rarely filtered in either incoming or outgoing traffic. They may be used to perform denial of service attacks. No known exploits incorporate this option. This does not preclude the possibility that exploits do exist outside of the realm of Cisco Systems' knowledge domain.

2006 ICMP Parameter Problem on Datagram

Triggers when an IP datagram is received with the `protocol' field of the IP header set to 1 (ICMP) and the `type' field in the ICMP header set to 12 (Parameter Problem on Datagram). ICMP Parameter Problem datagrams may be used to bypass packet filter security policies because they are rarely filtered in either incoming or outgoing traffic. They may be used to perform denial of service attacks. No known exploits incorporate this option. This does not preclude the possibility that exploits do exist outside of the realm of Cisco Systems' knowledge domain.

2007 ICMP Timestamp Request

Triggers when an IP datagram is received with the `protocol' field of the IP header set to 1 (ICMP) and the `type' field in the ICMP header set to 13 (Timestamp Request). ICMP Timestamp Requests could be used to perform reconnaissance sweeps of networks. These sweeps are often a prelude to attack. Additionally, they may be used to perform denial of service attacks. No known exploits incorporate this option. This does not preclude the possibility that exploits do exist outside of the realm of Cisco Systems' knowledge domain.

2008 ICMP Timestamp Reply

Triggers when an IP datagram is received with the `protocol' field of the IP header set to 1 (ICMP) and the `type' field in the ICMP header set to 14 (Timestamp Reply). ICMP Timestamp Replies could be used to perform denial of service attacks. No known exploits incorporate this option. This does not preclude the possibility that exploits do exist outside of the realm of Cisco Systems' knowledge domain.

2009 ICMP Information Request

Triggers when an IP datagram is received with the `protocol' field of the IP header set to 1 (ICMP) and the `type' field in the ICMP header set to 15 (Information Request). This signature is included for completeness. No known exploit exists. This does not preclude the possibility that exploits do exist outside of the realm of Cisco Systems' knowledge domain.

2010 ICMP Information Reply

Triggers when an IP datagram is received with the `protocol' field of the IP header set to 1 (ICMP) and the `type' field in the ICMP header set to 16 (Information Reply). This signature is included for completeness. No known exploit exists. This does not preclude the possibility that exploits do exist outside of the realm of Cisco Systems' knowledge domain.

2011 ICMP Address Mask Request

Triggers when an IP datagram is received with the `protocol' field of the IP header set to 1 (ICMP) and the `type' field in the ICMP header set to 17 (Address Mask Request). ICMP Address Mask Requests could be used to perform reconnaissance sweeps of networks. These sweeps are often a prelude to attack. Additionally, they may be used to perform denial of service attacks. No known exploits incorporate this option. This does not preclude the possibility that exploits do exist outside of the realm of Cisco Systems' knowledge domain.

2012 ICMP Address Mask Reply

Triggers when an IP datagram is received with the `protocol' field of the IP header set to 1 (ICMP) and the `type' field in the ICMP header set to 18 (Address Mask Reply). ICMP Address Mask Replies could be used to perform denial of service attacks. No known exploits incorporate this option. This does not preclude the possibility that exploits do exist outside of the realm of Cisco Systems' knowledge domain.

2100 ICMP Network Sweep w/Echo

Triggers when IP datagrams are received directed at multiple hosts on the network with the `protocol' field of the IP header set to 1 (ICMP) and the `type' field in the ICMP header set to 8 (Echo Request). This is indicative that a reconnaissance sweep of your network may be in progress. This may be the prelude to a more serious attack.

2101 ICMP Network Sweep w/Timestamp

Triggers when IP datagrams are received directed at multiple hosts on the network with the `protocol' field of the IP header set to 1 (ICMP) and the `type' field in the ICMP header set to 13 (Timestamp Request). This is indicative that a reconnaissance sweep of your network may be in progress. This may be the prelude to a more serious attack.

2102 ICMP Network Sweep w/Address Mask

Triggers when IP datagrams are received directed at multiple hosts on the network with the `protocol' field of the IP header set to 1 (ICMP) and the type field in the ICMP header set to 17 (Address Mask Request). This is indicative that a reconnaissance sweep of your network may be in progress. This may be the prelude to a more serious attack.

2150 Fragmented ICMP Traffic

Triggers when an IP datagram is received with the protocol field of the IP header set to 1 (ICMP) and either the More Fragments flag is set to 1 or a non-zero value appears in the fragment offset field. The Boolean equation that describes this is: ICMP AND (MFFLAG OR OFFSET). Fragmented ICMP traffic may be indicative of a denial of service attempt.

2151 Large ICMP Traffic

Triggers when an IP datagram is received with the protocol field of the IP header set to 1 (ICMP) and the IP length is greater than 1024. Large ICMP traffic may be indicative of a denial of service attack.

2152 ICMP Flood

Triggers when multiple IP datagrams are received directed at a single host on the network with the `protocol' field of the IP header set to 1 (ICMP). This is indicative that a denial of service attack may be in progress against your network.

2153 Smurf

This triggers when a large number of ICMP Echo Replies are targeted at a machine. They can be from one or many sources. This will catch the attack known as Smurf, described in the related vulnerability page. Since this attack can come from many sources, automatic shunning of individual hosts is not very effective. If only one network is being used to broadcast the replies, the network can be shunned.

2154 Ping of Death Attack

Triggers when an IP datagram is received with the protocol field of the IP header set to 1 (ICMP), the datagram is the last fragment of a packet (the More Fragments flag is clear), and (IP offset * 8) + (IP data length) > 65535. That is to say, the IP offset (which represents the starting position of this fragment in the original packet, and which is in 8-byte units) plus the rest of the packet is greater than the maximum size of an IP packet. This indicates a denial of service attack.
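Signatures 1000 through 1006, 1102, 2150, 2151 and 2154 are all decisions on raw IP header fields. The following Python script is an added example, not taken from this chapter or from NetRanger: it decodes an IPv4 header, splits each option-type octet into its copied, class and number subfields, walks the option list, and returns the signature IDs the chapter assigns to what it finds. The option numbers are those of RFC 791. The datagram builder and every sample datagram are constructed for this example; the header checksum is left at zero because nothing is transmitted.

```python
import struct

# RFC 791 option numbers mapped to the chapter's signature IDs.
OPTION_SIGS = {2: 1003, 3: 1004, 4: 1002, 7: 1001, 8: 1005, 9: 1006}
BAD_OPTION_LIST = 1000


def split_option_type(octet):
    """The three subfields of an option-type octet (RFC 791)."""
    copied = octet >> 7             # 1 bit: copy this option into every fragment
    klass = (octet >> 5) & 0x3      # 2 bits: 0 = control, 2 = debugging/measurement
    number = octet & 0x1f           # 5 bits: option number
    return copied, klass, number


def walk_options(opts):
    """Yield (number, length) per option; ValueError on an incomplete or malformed list."""
    i = 0
    while i < len(opts):
        number = split_option_type(opts[i])[2]
        if number == 0:             # End of Option List
            return
        if number == 1:             # No Operation: single octet, no length field
            i += 1
            continue
        if i + 1 >= len(opts):
            raise ValueError("option %d has no length octet" % number)
        length = opts[i + 1]
        if length < 2 or i + length > len(opts):
            raise ValueError("option %d: bad length %d" % (number, length))
        yield number, length
        i += length


def check_datagram(pkt):
    """Return the chapter signature IDs a raw IPv4 datagram would trigger."""
    if len(pkt) < 20:
        raise ValueError("truncated IP header")
    (ver_ihl, _tos, total_len, _ident, flags_frag, _ttl, proto,
     _csum, src, dst) = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (ver_ihl & 0x0f) * 4
    if ver_ihl >> 4 != 4 or ihl < 20 or len(pkt) < ihl:
        raise ValueError("bad version or header length")
    more_fragments = bool(flags_frag & 0x2000)
    frag_offset = flags_frag & 0x1fff          # in 8-octet units
    sigs = []
    try:                                       # 1000-1006: the option list
        for number, _length in walk_options(pkt[20:ihl]):
            if number in OPTION_SIGS:
                sigs.append(OPTION_SIGS[number])
    except ValueError:
        sigs.append(BAD_OPTION_LIST)
    if src == dst:                             # 1102: Land
        sigs.append(1102)
    if proto == 1:                             # ICMP-only checks
        if more_fragments or frag_offset:      # 2150: ICMP AND (MFFLAG OR OFFSET)
            sigs.append(2150)
        if total_len > 1024:                   # 2151: large ICMP
            sigs.append(2151)
        data_len = total_len - ihl
        if not more_fragments and frag_offset * 8 + data_len > 65535:
            sigs.append(2154)                  # 2154: last fragment ends past 65535
    return sigs


def build_ipv4(proto=1, src=b"\x0a\x00\x00\x05", dst=b"\xc0\x00\x02\x0a",
               options=b"", mf=False, offset=0, payload_len=8):
    """Constructed IPv4 datagram for testing; checksum left zero (never sent)."""
    if len(options) % 4:
        options += b"\x00" * (4 - len(options) % 4)   # pad with EOL to a 32-bit boundary
    ihl = 5 + len(options) // 4
    flags_frag = (0x2000 if mf else 0) | (offset & 0x1fff)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x40 | ihl, 0, ihl * 4 + payload_len,
                      1, flags_frag, 64, proto, 0, src, dst)
    return hdr + options + b"\x00" * payload_len


def run_samples():
    """Constructed datagrams keyed by label; returns label -> signature IDs."""
    same = b"\xc0\x00\x02\x0a"
    cases = {
        "plain echo": build_ipv4(),
        "record route": build_ipv4(options=bytes([0x07, 7, 4, 0, 0, 0, 0])),
        "loose source route": build_ipv4(options=bytes([0x83, 7, 4, 192, 0, 2, 1])),
        "strict source route": build_ipv4(options=bytes([0x89, 7, 4, 192, 0, 2, 1])),
        "timestamp on tcp": build_ipv4(proto=6, options=bytes([0x44, 8, 5, 0, 0, 0, 0, 0])),
        "truncated option": build_ipv4(options=bytes([0x83, 12, 4, 0])),
        "land": build_ipv4(src=same, dst=same),
        "fragmented icmp": build_ipv4(mf=True),
        "large icmp": build_ipv4(payload_len=1400),
        "ping of death tail": build_ipv4(offset=8100, payload_len=1000),
    }
    return {label: check_datagram(pkt) for label, pkt in cases.items()}


if __name__ == "__main__":
    for label, sigs in run_samples().items():
        print("%-20s %s" % (label, sigs))
```

The "ping of death tail" case shows the arithmetic in signature 2154: a 1000-byte last fragment at offset 8100 (64800 bytes into the packet) ends at byte 65800, beyond the 65535-byte maximum, even though the fragment itself is small enough that 2151 does not fire.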

3000 TCP Ports

This set of signatures can be configured to trigger if certain TCP services are accessed. The services of interest can be specified in the sensord.conf or packetd.conf file.

3001 TCP Port Sweep

Triggers when a series of TCP connections is attempted to a number of different privileged ports (ports below 1024) on a specific host. This is indicative that a reconnaissance sweep of your network may be in progress. The use of fragmentation or of FIN packets indicates an attempt to conceal the sweep. This may be the prelude to a more serious attack.

3015 TCP Null Port Sweep

Triggers when a series of TCP packets with none of the SYN, FIN, ACK, or RST flags set have been sent to a number of different destination ports on a specific host. This is indicative that a reconnaissance sweep of your network may be in progress. The use of this type of packet indicates an attempt to conceal the sweep. This may be the prelude to a more serious attack.

3016 TCP Frag Null Port Sweep

Triggers when a series of fragmented TCP packets with none of the SYN, FIN, ACK, or RST flags set have been sent to a number of different destination ports on a specific host. This is indicative that a reconnaissance sweep of your network may be in progress. The use of this type of packet and of fragmentation indicates an attempt to conceal the sweep. This may be the prelude to a more serious attack.

3020 TCP SYN FIN Port Sweep

Triggers when a series of TCP packets with both the SYN and FIN flags set have been sent to a number of different destination ports on a specific host. This is indicative that a reconnaissance sweep of your network may be in progress. The use of both the SYN and FIN flag is abnormal, and could indicate an attempt to conceal the sweep. This may be the prelude to a more serious attack.

3021 TCP Frag SYN FIN Port Sweep

Triggers when a series of fragmented TCP packets with both the SYN and FIN flags set have been sent to a number of different destination ports on a specific host. This is indicative that a reconnaissance sweep of your network may be in progress. The use of both the SYN and FIN flag is abnormal, as is the use of fragmentation, and could indicate an attempt to conceal the sweep. This may be the prelude to a more serious attack.

3030 TCP SYN Host Sweep

Triggers when a series of TCP SYN packets have been sent to the same destination port on a number of different hosts. This could, for example, be a sweep of many hosts to find out which ones can receive mail or Telnet sessions. This is indicative that a reconnaissance sweep of your network may be in progress. This may be the prelude to a more serious attack.

3031 TCP FRAG SYN Host Sweep

Triggers when a series of fragmented TCP SYN packets have been sent to the same destination port on a number of different hosts. This could, for example, be a sweep of many hosts to find out which ones can receive mail or Telnet sessions. This is indicative that a reconnaissance sweep of your network may be in progress. This may be the prelude to a more serious attack. The use of fragmentation is abnormal and could indicate an attempt to conceal the sweep.

3032 TCP FIN Host Sweep

Triggers when a series of TCP FIN packets have been sent to the same destination port on a number of different hosts. This could, for example, be a sweep of many hosts to find out which ones can receive mail or Telnet sessions. This is indicative that a reconnaissance sweep of your network may be in progress. This may be the prelude to a more serious attack.

3033 TCP FRAG FIN Host Sweep

Triggers when a series of fragmented TCP FIN packets have been sent to the same destination port on a number of different hosts. This could, for example, be a sweep of many hosts to find out which ones can receive mail or Telnet sessions. This is indicative that a reconnaissance sweep of your network may be in progress. This may be the prelude to a more serious attack. The use of fragmentation is abnormal and could indicate an attempt to conceal the sweep.

3034 TCP NULL Host Sweep

Triggers when a series of TCP packets with none of the SYN, FIN, ACK, or RST flags set have been sent to the same destination port on a number of different hosts. This could, for example, be a sweep of many hosts to find out which ones can receive mail or Telnet sessions. This is indicative that a reconnaissance sweep of your network may be in progress. This may be the prelude to a more serious attack. The use of this packet is abnormal, and could indicate an attempt to conceal the sweep.

3035 TCP FRAG NULL Host Sweep

Triggers when a series of fragmented TCP packets with none of the SYN, FIN, ACK, or RST flags set have been sent to the same destination port on a number of different hosts. This could, for example, be a sweep of many hosts to find out which ones can receive mail or Telnet sessions. This is indicative that a reconnaissance sweep of your network may be in progress. This may be the prelude to a more serious attack. The use of this packet is abnormal, as is the use of fragmentation, and could indicate an attempt to conceal the sweep.

3036 TCP SYN FIN Host Sweep

Triggers when a series of TCP packets with both the SYN and FIN flags set have been sent to the same destination port on a number of different hosts. This could, for example, be a sweep of many hosts to find out which ones can receive mail or Telnet sessions. This is indicative that a reconnaissance sweep of your network may be in progress. The use of both the SYN and FIN flag is abnormal, and could indicate an attempt to conceal the sweep.

3037 TCP FRAG SYN FIN Host Sweep

Triggers when a series of fragmented TCP packets with both the SYN and FIN flags set have been sent to the same destination port on a number of different hosts. This could, for example, be a sweep of many hosts to find out which ones can receive mail or Telnet sessions. This is indicative that a reconnaissance sweep of your network may be in progress. This may be the prelude to a more serious attack. The use of both the SYN and FIN flag is abnormal, as is the use of fragmentation, and could indicate an attempt to conceal the sweep.
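Signatures 2100 to 2102 and 3001 to 3037 describe one shape of detection: a single source touching many distinct destination ports on one host (a port sweep) or one destination port on many hosts (a host sweep), distinguished by the TCP flag combination and by whether the probes are fragmented. The Python script below is an added example, not chapter or product code, that implements this bookkeeping for both kinds of TCP sweep and for the three ICMP request sweeps. The threshold of four distinct targets, the reading of 3001 as SYN connection attempts to ports below 1024, the once-per-key alarm suppression, and the sample traffic are all assumptions; the chapter does not state NetRanger's own thresholds.

```python
from collections import defaultdict

# Chapter signature IDs keyed by (flag class, fragmented).
PORT_SWEEP = {("SYN", False): 3001, ("NULL", False): 3015, ("NULL", True): 3016,
              ("SYNFIN", False): 3020, ("SYNFIN", True): 3021}
HOST_SWEEP = {("SYN", False): 3030, ("SYN", True): 3031, ("FIN", False): 3032,
              ("FIN", True): 3033, ("NULL", False): 3034, ("NULL", True): 3035,
              ("SYNFIN", False): 3036, ("SYNFIN", True): 3037}
ICMP_SWEEP = {8: 2100, 13: 2101, 17: 2102}   # echo, timestamp, address mask requests


def flag_class(flags):
    """Map a set of TCP flag letters to the probe classes the signatures distinguish."""
    if not flags & {"S", "F", "A", "R"}:
        return "NULL"                  # none of SYN, FIN, ACK, RST set
    if {"S", "F"} <= flags:
        return "SYNFIN"
    if flags == {"S"}:
        return "SYN"
    if flags == {"F"}:
        return "FIN"
    return None                        # ordinary traffic (ACK, RST, PSH/ACK): not a probe


class SweepDetector:
    """Tracks distinct targets per source and fires each signature once per key."""

    def __init__(self, threshold):
        self.threshold = threshold                 # distinct targets before alarming (assumed)
        self.ports_seen = defaultdict(set)         # (src, dst, cls, frag) -> destination ports
        self.hosts_seen = defaultdict(set)         # (src, dport, cls, frag) -> destination hosts
        self.icmp_seen = defaultdict(set)          # (src, icmp type) -> destination hosts
        self.fired = set()

    def _fire(self, sig, key):
        if (sig, key) in self.fired:
            return []
        self.fired.add((sig, key))
        return [sig]

    def tcp(self, src, dst, dport, flags, fragmented=False):
        """Feed one TCP packet (flags as a string of letters); return alarms raised."""
        cls = flag_class(set(flags))
        if cls is None:
            return []
        alarms = []
        kind = (cls, fragmented)
        # Port sweep: many ports on one host. 3001 is read as connection attempts
        # (SYN) to privileged ports only; the other classes count any port.
        if kind in PORT_SWEEP and (cls != "SYN" or dport < 1024):
            key = (src, dst, cls, fragmented)
            self.ports_seen[key].add(dport)
            if len(self.ports_seen[key]) >= self.threshold:
                alarms += self._fire(PORT_SWEEP[kind], key)
        # Host sweep: one port on many hosts.
        if kind in HOST_SWEEP:
            key = (src, dport, cls, fragmented)
            self.hosts_seen[key].add(dst)
            if len(self.hosts_seen[key]) >= self.threshold:
                alarms += self._fire(HOST_SWEEP[kind], key)
        return alarms

    def icmp(self, src, dst, icmp_type):
        """Feed one ICMP packet; return alarms raised (2100 to 2102 only)."""
        if icmp_type not in ICMP_SWEEP:
            return []
        key = (src, icmp_type)
        self.icmp_seen[key].add(dst)
        if len(self.icmp_seen[key]) >= self.threshold:
            return self._fire(ICMP_SWEEP[icmp_type], key)
        return []


def run_sample():
    """Constructed traffic; returns the signature IDs in the order they fire."""
    det = SweepDetector(threshold=4)
    fired = []
    for p in (21, 23, 25, 80):            # SYNs to four privileged ports on one host -> 3001
        fired += det.tcp("10.0.0.5", "192.0.2.10", p, "S")
    for p in (22, 53, 111, 8080):         # SYN+FIN to four ports on one host -> 3020
        fired += det.tcp("10.0.0.6", "192.0.2.10", p, "SF")
    for h in range(1, 5):                 # fragmented NULL probes to port 23 on four hosts -> 3035
        fired += det.tcp("10.0.0.7", "192.0.2.%d" % h, 23, "", fragmented=True)
    for h in range(1, 5):                 # FIN probes to port 25 on four hosts -> 3032
        fired += det.tcp("10.0.0.8", "192.0.2.%d" % h, 25, "F")
    for h in range(1, 5):                 # echo requests to four hosts -> 2100
        fired += det.icmp("10.0.0.9", "192.0.2.%d" % h, 8)
    for h in range(1, 9):                 # plain ACKs to many hosts: no alarm
        fired += det.tcp("10.0.0.10", "192.0.2.%d" % h, 80, "A")
    return fired


if __name__ == "__main__":
    print(run_sample())
```

The last loop is the check a practitioner wants: ordinary ACK traffic from a busy client to many servers must not look like a host sweep, which is why the flag class, not just the target count, is part of every key.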

3045 Queso Sweep

This signature triggers after having detected a FIN, SYN-FIN, and a PUSH sent from a specific host bound for a specific host.

3050 Half-open SYN Attack

Triggers when multiple TCP sessions have been improperly initiated on any of several well known service ports. Detection of this signature is currently limited to FTP, Telnet, WWW, and SMTP servers (TCP ports 21, 23, 80, and 25 respectively). This is indicative that a denial of service attack against your network may be in progress.

3100 Smail Attack

Triggers on the very common `smail' attack against e-mail servers. This attack attempts to cause e-mail servers to execute programs on the attacker's behalf. May result in system compromise.

3101 Sendmail Invalid Recipient

Triggers on any mail message with a `pipe' (|) symbol in the recipient field. This attack attempts to cause e-mail servers to execute programs on the attacker's behalf. May result in system compromise.

3102 Sendmail Invalid Sender

Triggers on any mail message with a `pipe' (|) symbol in the `From:' field. This attack attempts to cause e-mail servers to execute programs on the attacker's behalf. May result in system compromise.

3103 Sendmail Reconnaissance

Triggers when `expn' or `vrfy' commands are issued to the SMTP port. This is indicative that your network may be under reconnaissance.

3104 Archaic Sendmail Attacks

Triggers when `wiz' or `debug' commands are sent to the SMTP port. This is indicative that a student of computer security history has decided to make a feeble attempt at compromising your system.

3105 Sendmail Decode Alias

Triggers on any mail message with `: decode@' in the header. This may indicate an attempt to illegally access system resources. System compromise is possible.

3106 Mail Spam

Counts the number of RCPT TO: lines in a single mail message and alarms after a user-definable maximum is exceeded (the default is 250).

3107 Majordomo Execute Attack

A bug in the Majordomo program will allow remote users to execute arbitrary commands at the privilege level of the server.

3108 MIME Overflow Bug

Fires when an SMTP mail message has a MIME "Content-" field that is excessively long. The token "MimeContentMaxLen" defines the longest valid header length for MIME Content-... Header tokens. It defaults to 200 and is settable to any value greater or equal to 76.

3109 Q-Mail Length Crash

This signature triggers when an attempt is made to pass an overly long command string to a mail server.
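The Sendmail and mail-server signatures 3101 through 3109 are all checks on the SMTP command stream and on the message headers that follow DATA. The following Python scanner is an added example (not text from this chapter and not NetRanger code) that walks one client-side session transcript line by line and reports the chapter's signature IDs: a pipe in the recipient or sender, EXPN/VRFY, WIZ/DEBUG, the ": decode@" alias, more than 250 recipients in one message, and a Content- header longer than MimeContentMaxLen (200, minimum 76). The 512-octet command limit used for 3109, the check of MAIL FROM in addition to the From: header for 3102, and all sample sessions are assumptions.

```python
# Thresholds named in the chapter: 3106 alarms above 250 RCPT TO: lines,
# 3108 above a MimeContentMaxLen of 200 octets (settable, minimum 76).
RCPT_MAX_DEFAULT = 250
MIME_CONTENT_MAX_LEN_DEFAULT = 200
# Assumed: the chapter gives no number for the 3109 "overly long command" check.
CMD_MAX_LEN_DEFAULT = 512


def scan_smtp_session(lines, rcpt_max=RCPT_MAX_DEFAULT,
                      mime_max=MIME_CONTENT_MAX_LEN_DEFAULT,
                      cmd_max=CMD_MAX_LEN_DEFAULT):
    """Return the sorted chapter signature IDs raised by one client-side SMTP transcript.

    `lines` holds the client's command lines and, after DATA, the message
    (headers, blank line, body) terminated by a lone "."; server replies are omitted.
    """
    if mime_max < 76:
        raise ValueError("MimeContentMaxLen must be >= 76")
    sigs = set()
    rcpt_count = 0
    in_data = in_headers = False
    for line in lines:
        if in_data:
            if line == ".":                        # end of message, back to commands
                in_data = in_headers = False
                rcpt_count = 0
            elif in_headers:
                if line == "":                     # blank line ends the header block
                    in_headers = False
                    continue
                name = line.partition(":")[0].lower()
                if name == "from" and "|" in line:
                    sigs.add(3102)                 # pipe in the From: field
                if ": decode@" in line:
                    sigs.add(3105)                 # Sendmail decode alias
                if name.startswith("content-") and len(line) > mime_max:
                    sigs.add(3108)                 # MIME Content- header overflow
            continue
        if len(line) > cmd_max:
            sigs.add(3109)                         # overly long command string
        verb, _, arg = line.partition(" ")
        verb = verb.upper()
        if verb == "RCPT":
            rcpt_count += 1
            if "|" in arg:
                sigs.add(3101)                     # pipe in recipient
            if rcpt_count > rcpt_max:
                sigs.add(3106)                     # mail spam: too many recipients
        elif verb == "MAIL":
            rcpt_count = 0                         # a new envelope starts the count again
            if "|" in arg:
                sigs.add(3102)                     # assumed: pipe in the envelope sender too
        elif verb in ("EXPN", "VRFY"):
            sigs.add(3103)                         # Sendmail reconnaissance
        elif verb in ("WIZ", "DEBUG"):
            sigs.add(3104)                         # archaic Sendmail attacks
        elif verb == "DATA":
            in_data = in_headers = True
    return sorted(sigs)


def _message(*headers):
    """Constructed message body after DATA: headers, blank line, body, terminator."""
    return list(headers) + ["", "hello", "."]


# Constructed sample sessions (client lines only).
SESSIONS = {
    "benign": ["HELO client.example.com", "MAIL FROM:<alice@example.com>",
               "RCPT TO:<bob@example.org>", "DATA",
               *_message("From: alice@example.com", "To: bob@example.org",
                         "Content-Type: text/plain"), "QUIT"],
    "pipe recipient": ["MAIL FROM:<alice@example.com>",
                       'RCPT TO:<"|/bin/sh -c id">', "QUIT"],
    "recon": ["VRFY root", "EXPN staff", "QUIT"],
    "archaic": ["WIZ", "DEBUG", "QUIT"],
    "decode alias": ["MAIL FROM:<alice@example.com>", "RCPT TO:<decode@example.org>",
                     "DATA", *_message("From: alice@example.com",
                                       "To: decode@example.org"), "QUIT"],
    "spam": ["MAIL FROM:<alice@example.com>"]
            + ["RCPT TO:<user%d@example.org>" % i for i in range(251)] + ["QUIT"],
    "mime overflow": ["MAIL FROM:<alice@example.com>", "RCPT TO:<bob@example.org>",
                      "DATA", *_message("From: alice@example.com",
                                        "Content-Type: " + "A" * 300), "QUIT"],
    "long command": ["HELO " + "x" * 600, "QUIT"],
}


def run_samples():
    """Scan every constructed session; returns label -> sorted signature IDs."""
    return {label: scan_smtp_session(lines) for label, lines in SESSIONS.items()}


if __name__ == "__main__":
    for label, sigs in run_samples().items():
        print("%-16s %s" % (label, sigs))
```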

3150 FTP Remote Command Execution

Triggers when someone tries to execute the FTP SITE command. This may indicate an attempt to illegally access system resources.

3151 FTP SYST Command Attempt

Triggers when someone tries to execute the FTP SYST command. This is indicative that your network may be under reconnaissance.

3152 FTP CWD ~root

Triggers when someone tries to execute the CWD ~root command. This may indicate an attempt to illegally access system resources.

3153 FTP Improper Address Specified

Triggers if a port command is issued with an address that is not the same as the requesting host.

3154 FTP Improper Port Specified

Triggers if a PORT command is issued with a data port that is less than 1024 or greater than 65535.

3200 WWW Phf Attack

Triggers when the phf attack is detected. This may indicate an attempt to illegally access system resources.

3201 WWW General cgi-bin Attack

Triggers when any cgi-bin script attempts to retrieve the file /etc/passwd. This may indicate an attempt to illegally access system resources, in particular the /etc/passwd file. This may be the prelude to a more serious attack.

3202 WWW .url File Requested

Triggers when a user attempts to get any .url file. A flaw in Microsoft Internet Explorer may allow illegal access to system resources when files of type .url are accessed via the HTTP GET command.

3203 WWW .lnk File Requested

Triggers when a user attempts to get any .lnk file. A flaw in Microsoft Internet Explorer may allow illegal access to system resources when files of type .lnk are accessed via the HTTP GET command.

3204 WWW .bat File Requested

Triggers when a user attempts to get any .bat file. A flaw in Microsoft Internet Explorer may allow illegal access to system resources when files of type .bat are accessed via the HTTP GET command.

3205 HTML File Has .url Link

Triggers when a file has a .url link. This signature will warn before a user has a chance to click the potentially damaging link. NetRanger signature 3202 will alarm on any attempt to click the link, but by then the link may already have done its damage before any defensive action can be taken. A flaw in Microsoft Internet Explorer may allow illegal access to system resources when files of type .url are accessed via the HTTP GET command.

3206 HTML File Has .lnk Link

Triggers when a file has a .lnk link. This signature will warn before a user has a chance to click the potentially damaging link. NetRanger signature 3203 will alarm on any attempt to click the link, but by then the link may already have done its damage before any defensive action can be taken. A flaw in Microsoft Internet Explorer may allow illegal access to system resources when files of type .lnk are accessed via the HTTP GET command.

3207 HTML File Has .bat Link

Triggers when a file has a .bat link. This signature will warn before a user has a chance to click the potentially damaging link. NetRanger signature 3204 will alarm on any attempt to click the link, but by then the link may already have done its damage before any defensive action can be taken. A flaw in Microsoft Internet Explorer may allow illegal access to system resources when files of type .bat are accessed via the HTTP GET command.

3208 WWW campas Attack

Triggers when an attempt is made to pass commands to the CGI program campas. A problem in the CGI program campas, that is included in the NCSA Web Server distribution, allows an attacker to execute commands on the host machine. These commands will execute at the privilege level of the HTTP server.

3209 WWW Glimpse Server Attack

This alarm triggers when an attempt is made to pass commands to the perl script GlimpseHTTP. These could allow an attacker to execute commands on the host machine. GlimpseHTTP is an interface to the Glimpse search tool.

3210 WWW IIS View Source Attack

If a request to a Microsoft IIS server is formatted in a certain way, executable files are read instead of being executed. This can reveal executable scripts and sensitive database information including passwords. An attacker may be able to analyze these scripts for vulnerabilities. This signature triggers when a request is made to an HTTP server attempting to view the source.

3211 WWW IIS Hex View Source Attack

If a request to a Microsoft IIS server is formatted in a certain way, executable files are read instead of being executed. This can reveal executable scripts and sensitive database information including passwords. An attacker may be able to analyze these scripts for vulnerabilities. This signature triggers when a request is made to an HTTP server attempting to view the source.

3212 WWW NPH-TEST-CGI Attack

Triggers when an attempt is made to view directory listings with the script nph-test-cgi. Some HTTP servers include this script, which can be used to list directories on a server. It is a test script and should be removed on an operational server.

3213 WWW TEST-CGI Attack

Triggers when an attempt is made to view directory listings with the script test-cgi. Some HTTP servers contain this script, which can be used to list directories on a server. It is a test script and should be removed on an operational server.

3214 IIS DOT DOT VIEW Attack

Triggers on any attempt to view files above the chrooted directory using Microsoft's Internet Information Server. This can result in viewing files which were not intended to be publicly accessible. The chroot directory is supposed to be the topmost directory to which HTTP clients have access.

3215 IIS DOT DOT EXECUTE Attack

Triggers on any attempt to cause Microsoft's Internet Information Server to execute commands.

3216 IIS Dot Dot Crash Attack

This signature triggers when an attempt is made to crash a Microsoft IIS server by requesting a URL beginning with "../..".

3217 WWW php View File Attack

Triggers when someone attempts to use the PHP cgi-bin program to view a file. This may indicate an attempt to illegally access system resources.

3218 WWW SGI Wrap Attack

Triggers on any attempt to view or list files using the program called wrap. This was distributed with the IRIX Web Server.

3219 WWW PHP Buffer Overflow

Triggers when an oversized query is sent to the php cgi-bin program. This represents an attempt to overflow a buffer and gain system access.

3220 IIS Long URL Crash Bug

This triggers when a large URL has been passed to a web server in an attempt to crash the system.

3221 WWW cgi-viewsource Attack

Triggers when someone attempts to use the cgi-viewsource script to view files above the HTTP root directory.

3222 WWW PHP Log Scripts Read Attack

Triggers when someone attempts to use the PHP scripts mlog or mylog to view files on a machine.

3223 WWW IRIX cgi-handler Attack

Triggers when someone attempts to use the cgi-handler script to execute commands.

3224 HTTP WebGais

Triggers when someone attempts to use the webgais script to run arbitrary commands.

3225 HTTP Gais Websendmail

Triggers when someone attempts to use the script websendmail to read the password file on a machine.

3226 WWW Webdist Bug

Triggers when an attempt is made to use the webdist program.

3227 WWW Htmlscript Bug

Triggers when an attempt is made to view files above the html root directory.

3228 WWW Performer Bug

Triggers when an attempt is made to view files above the html root directory.

3229 Website Win-C-Sample Buffer Overflow

This signature triggers when an attempt is made to access the win-c-sample program distributed with WebSite servers.

3230 Website Uploader

This signature triggers when an attempt is made to access the uploader program distributed with WebSite servers.

3231 Novell convert

This signature triggers when a user has attempted to use the convert.bas program included with Novell's web server to illegally view files.

3232 WWW finger attempt

This signature triggers when an attempt is made to run the finger.pl program via the HTTP server.

3233 WWW count-cgi Overflow

This signature triggers when an attempt is made to overflow a buffer in the Count CGI program (a web page hit counter).
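The WWW signatures above share one mechanism: a known script name, a ".." traversal sequence, or an oversized URL in the requested path. The following is an added example written for this page, not NetRanger's own matching code, that runs those checks over a few constructed request lines. It matches only the script names the descriptions give; the 1024-byte threshold for signature 3220 and the percent-decoding step are assumptions, since the page states no threshold and does not say how the sensor treats escaped characters.

```python
import re
from urllib.parse import unquote

# Script names taken from the signature descriptions above, keyed by the
# path segment that identifies them, mapped to the signature that fires.
SCRIPT_SIGS = {
    "nph-test-cgi": 3212,
    "test-cgi": 3213,
    "wrap": 3218,
    "cgi-viewsource": 3221,
    "mlog": 3222,
    "mylog": 3222,
    "cgi-handler": 3223,
    "webgais": 3224,
    "websendmail": 3225,
    "webdist": 3226,
    "win-c-sample": 3229,
    "uploader": 3230,
    "convert.bas": 3231,
    "finger.pl": 3232,
}

# Assumed threshold for 3220 (IIS Long URL Crash Bug); the page gives none.
LONG_URL_THRESHOLD = 1024

REQUEST_LINE = re.compile(r"^([A-Z]+) (\S+) HTTP/\d\.\d$")


def classify(request_line):
    """Return the set of signature IDs one HTTP request line matches."""
    m = REQUEST_LINE.match(request_line)
    if not m:
        return set()
    raw_url = m.group(2)
    hits = set()
    if len(raw_url) >= LONG_URL_THRESHOLD:
        hits.add(3220)
    # Decode percent-escapes before matching so a hex-encoded "../" or
    # script name is compared the way the server will interpret it.
    path = unquote(raw_url).split("?", 1)[0]
    # Compare whole path segments, not substrings: "nph-test-cgi" must not
    # also fire 3213 merely because it contains "test-cgi".
    segments = [s.lower() for s in path.replace("\\", "/").split("/") if s]
    if segments[:2] == ["..", ".."]:
        hits.add(3216)          # URL beginning with "../.."
    elif ".." in segments:
        hits.add(3214)          # climbing above the document root
    for seg in segments:
        if seg in SCRIPT_SIGS:
            hits.add(SCRIPT_SIGS[seg])
    return hits


def scan(request_lines):
    """Return [(request_line, sorted signature IDs)] for lines that matched."""
    results = []
    for line in request_lines:
        hits = classify(line)
        if hits:
            results.append((line, sorted(hits)))
    return results


# Constructed sample traffic; none of these lines come from a real capture.
SAMPLE_REQUESTS = [
    "GET /index.html HTTP/1.0",
    "GET /cgi-bin/test-cgi?* HTTP/1.0",
    "GET /cgi-bin/nph-test-cgi?* HTTP/1.0",
    "GET /scripts/..%2f..%2fsecret.txt HTTP/1.0",
    "GET /../../ HTTP/1.0",
    "GET /cgi-bin/websendmail?x HTTP/1.0",
    "GET /" + "A" * 2000 + " HTTP/1.0",
]

if __name__ == "__main__":
    for line, sigs in scan(SAMPLE_REQUESTS):
        print(sigs, line[:60])
```

Two details carry most of the value: decoding before matching, so that the "%2f" form of a traversal is treated the same as the plain form, and matching whole path segments rather than substrings, so that one request is attributed to exactly the signature it belongs to.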

3250 TCP Hijack

Triggers when both streams of data within a TCP connection indicate that a TCP hijacking may have occurred. The current implementation of this signature does not detect all types of TCP hijacking and false positives may occur. Even when hijacking is discovered, little information is available to the operator other than the source and destination addresses and ports of the systems being affected. TCP hijacking may be used to gain illegal access to system resources.

3251 TCP Hijacking Simplex Mode

Triggers when both streams of data within a TCP connection indicate that a TCP hijacking may have occurred. The current implementation of this signature does not detect all types of TCP hijacking and false positives may occur. Even when hijacking is discovered, little information is available to the operator other than the source and destination addresses and ports of the systems being affected. TCP hijacking may be used to gain illegal access to system resources. Simplex mode means that only one command is sent, followed by a connection RESET packet, which makes recognition of this signature different from regular TCP hijacking (Signature ID 3250).

3300 NetBIOS OOB Data

Triggers when an attempt to send Out Of Band data to port 139 is detected. This can be used to crash Windows machines.

3301 NETBIOS Stat

Triggers when NBTSTAT is used. The Windows NT utility `NBTSTAT' displays protocol statistics and current TCP/IP connections using NetBIOS. It can also be used to list a remote machine's name table, which allows an intruder to determine legitimate user names, the Windows Domain or Workgroup name, and many other facts useful in attacking a Windows network. There are UNIX tools available that perform the same function as NBTSTAT.

3302 NETBIOS Session Setup Failure

When a client connects to an SMB server (WinNT, Win95, Samba, etc.), a TCP connection to port 139 is established. The client then provides the server with its NetBIOS name and the NetBIOS name it wishes to connect to. If the name does not exist on the server, the session setup attempt fails and an error message is sent to the client. This could be an indicator of an attack.

3303 Windows Guest Login

When a client establishes a connection to an SMB server (WinNT or Samba), it provides an account name and password for authentication. If the server does not recognize the account name, it may log the user in as a guest. This is optional behavior by the server and guest privileges should be limited. As a general security precaution, users should not be allowed access as guest.

3304 Windows Null Account Name

When a client establishes a connection to an SMB server (WinNT or Samba), it provides an account name and password for authentication. This signature triggers when a null account name is passed during session establishment. There are some hacking tools available (Red Button and NAT) that use null account names.

3305 Windows Password File Access

This alarm occurs whenever a client attempts to access a `.PWL' file on the server. These files contain user passwords on Windows 95 and other systems. This represents an abnormal attempt to read or copy the .PWL file.

3306 Windows Registry Access

Triggers when a client attempts to access the registry on the Windows server. Microsoft tools like `REGEDIT' provide the ability to access a server's registry over the network. There are several hacking tools that also provide similar capabilities. Every attempted access will cause an alarm to be sent. An attacker can cause serious damage to a computer system by changing the registry.

3307 Windows Redbutton Attack

This alarm occurs when the Red Button tool is run against a server. The tool is designed to demonstrate the security flaw in Windows NT 4.0 that allows remote registry access without a valid user account. Although this flaw has been fixed with Microsoft's NT Service Pack 3, the tool may still be run against servers. A level five alarm shows the seriousness of this type of attack.

3400 Sunkill

Fires when someone attempts to cause the telnetd server to lock up. This will catch the program known as sunkill.

3450 Finger Bomb

This signature fires when it detects a finger bomb attack. This attack attempts to crash a finger server by issuing a finger request that contains multiple @'s. If the finger server allows forwarding, then the multiple @'s will cause the finger server to recursively call itself and use up system resources.

3500 Rlogin -froot Attack

Triggers when an attempt to rlogin with the arguments -froot has been made. A flaw in some rlogin processes allows unauthorized root access. Serious system compromise is possible.

3525 IMAP Authenticate Buffer Overflow

This signature triggers on receipt of packets bound for port 143 that are indicative of an attempt to overflow a buffer in the IMAP daemon. This may be the precursor to an attempt to gain unauthorized access to system resources.

3526 Imap Login Buffer Overflow

This signature triggers on receipt of packets bound for port 143 that are indicative of an attempt to overflow the imapd login buffer. This may be the precursor to an attempt to gain unauthorized access to system resources.

3550 POP Buffer Overflow

This signature triggers on receipt of packets bound for port 110 that are indicative of an attempt to overflow the POP daemon user buffer. This may be the precursor to an attempt to gain unauthorized access to system resources.

3575 INN Buffer Overflow

This signature triggers when an attempt is made to overflow a buffer in the Internet News Server.

3576 INN Control Message Exploit

This signature triggers when an attempt is made to execute arbitrary commands via the control message.

3600 IOS Telnet Buffer Overflow

This signature triggers on receipt of packets bound for port 23 of a Cisco router that are indicative of an attempt to crash the router by overflowing an internal command buffer. This may be the precursor to an attempt to gain unauthorized access to system resources.

3601 IOS Command History Exploit

This signature triggers on an attempt to force a Cisco router to reveal prior users' command history.

3602 Cisco IOS Identity

This signature fires if someone attempts to connect to port 1999 on a Cisco router. This port is not enabled for access.

4000 UDP Packet

This set of signatures can be configured to trigger if certain UDP services are accessed. The services of interest can be specified in the sensord.conf or packetd.conf file.

4001 UDP Port Sweep

Triggers when a series of UDP connections to a number of different destination ports on a specific host have been initiated. This is indicative that a reconnaissance sweep of your network may be in progress. This may be the prelude to a more serious attack.

4002 UDP Flood

This triggers when a large number of UDP packets are directed at a host. This will fire when the Pepsi attack is launched across a protected boundary. This signature is also indicative of a UDP port sweep.

4050 UDP Bomb

Triggers when the length given in the UDP header is less than the payload length implied by the IP header (IP total length minus IP header length). This malformed packet type is associated with a denial of service attempt.

4051 Snork

This signature triggers when a UDP packet is detected with a source port of 135, 7, or 19 and a destination port of 135.

4052 Chargen DoS

This signature triggers when a UDP packet is detected with a source port of 7 and a destination port of 19.
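Signatures 4050 through 4052 are decided entirely from the IP and UDP headers. The following is an added example, not NetRanger's code, that parses a raw IPv4/UDP datagram with Python's struct module and applies the three rules to constructed packets. Reading 4050 as a comparison of the UDP length field against the payload length the IP header implies (total length minus header length) is my interpretation of the description; the IP and UDP checksums in the constructed packets are left at zero because the parser does not verify them.

```python
import struct

IP_HDR = struct.Struct("!BBHHHBBH4s4s")   # ver/ihl, tos, total, id, frag, ttl, proto, csum, src, dst
UDP_HDR = struct.Struct("!HHHH")          # sport, dport, length, csum
IPPROTO_UDP = 17


def parse_ipv4_udp(pkt):
    """Return (sport, dport, udp_len, ip_payload_len) or None if not an IPv4/UDP datagram."""
    if len(pkt) < IP_HDR.size:
        return None
    vihl, _tos, total_len, _id, _frag, _ttl, proto, _csum, _src, _dst = IP_HDR.unpack_from(pkt)
    if vihl >> 4 != 4 or proto != IPPROTO_UDP:
        return None
    ihl = (vihl & 0x0F) * 4
    if ihl < 20 or len(pkt) < ihl + UDP_HDR.size:
        return None
    sport, dport, udp_len, _ucsum = UDP_HDR.unpack_from(pkt, ihl)
    return sport, dport, udp_len, total_len - ihl


def classify_udp(pkt):
    """Return the set of signature IDs (4050-4052) one datagram matches."""
    fields = parse_ipv4_udp(pkt)
    if fields is None:
        return set()
    sport, dport, udp_len, ip_payload_len = fields
    hits = set()
    if udp_len < ip_payload_len:
        hits.add(4050)   # UDP Bomb: UDP length shorter than what IP says it carries
    if dport == 135 and sport in (135, 7, 19):
        hits.add(4051)   # Snork
    if sport == 7 and dport == 19:
        hits.add(4052)   # Chargen DoS: echo and chargen bounced off each other
    return hits


def build_ipv4_udp(sport, dport, payload, udp_len=None):
    """Construct a test datagram; udp_len lets the caller forge the UDP length field."""
    if udp_len is None:
        udp_len = UDP_HDR.size + len(payload)
    udp = UDP_HDR.pack(sport, dport, udp_len, 0) + payload
    total_len = IP_HDR.size + len(udp)
    # Constructed addresses; checksums are left at zero deliberately.
    ip = IP_HDR.pack(0x45, 0, total_len, 0, 0, 64, IPPROTO_UDP, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return ip + udp


if __name__ == "__main__":
    samples = {
        "dns query": build_ipv4_udp(1024, 53, b"x" * 20),
        "chargen loop": build_ipv4_udp(7, 19, b""),
        "snork": build_ipv4_udp(19, 135, b""),
        "udp bomb": build_ipv4_udp(1024, 7, b"x" * 20, udp_len=8),
    }
    for name, pkt in samples.items():
        print(name, sorted(classify_udp(pkt)))
```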

4053 Back Orifice

This signature fires when NetRanger detects traffic coming from a Back Orifice server that is running on the network. Back Orifice is a "backdoor" program that can be installed on a Microsoft Windows 95 or Windows 98 system, allowing remote control of the system.

4100 Tftp Passwd File

Triggers on an attempt to access the passwd file via TFTP. Indicative of an attempt to gain unauthorized access to system resources.

4150 Ascend Denial of Service

This signature triggers when an attempt has been made to send a maliciously malformed command to an Ascend router in an attempt to crash the router.

4600 IOS UDP Bomb

This signature triggers on receipt of improperly formed SYSLOG transmissions bound for UDP port 514.

6001 Normal SATAN Probe

This is a supersignature that is triggered when a port sweep pattern produced by the SATAN tool is detected. This signature is tuned to detect SATAN being run in normal mode. Other types of attack activity similar to SATAN may also cause this signature to be generated. This is indicative that a reconnaissance sweep of your network may be in progress. This may be the prelude to a more serious attack.

6002 Heavy SATAN Probe

This is a supersignature that is triggered when a port sweep pattern produced by the SATAN tool is detected. This signature is tuned to detect SATAN being run in heavy mode. Other types of attack activity similar to SATAN may also cause this signature to be generated. This is indicative that a reconnaissance sweep of your network may be in progress. This may be the prelude to a more serious attack.

6050 DNS HINFO Request

Triggers on an attempt to access HINFO records from a DNS server. The Domain Name Service (DNS) includes an optional record type that allows for system information to be recorded and retrieved. This information typically includes the OS and hardware platform that the system is running on. There is very little utility in including this record in the database, and it provides attackers with valuable targeting information. It is suggested that this record not be included in your DNS database for this reason. This is indicative that your network may be under reconnaissance.

6051 DNS Zone Transfer

Triggers on normal DNS zone transfers, in which the source port is 53. Zone transfers are the method by which secondary DNS servers update their DNS records. All DNS records are transferred at once from the primary to secondary server. This transfers records only for the zone specified. This is indicative that your network may be under reconnaissance.

6052 DNS Zone Transfer from High Port

Triggers on an illegitimate DNS zone transfer, in which the source port is not equal to 53. Zone transfers are the method by which secondary DNS servers update their DNS records. All DNS records are transferred at once from the primary to secondary server. This transfers records only for the zone specified. The access method may indicate that your network is under reconnaissance. This may be the prelude to more serious attacks.

6053 DNS Request for All Records

Triggers on a DNS request for all records (a query of type ANY, also written `*'). Similar to a zone transfer in that it returns many records from the server in one exchange. The primary difference is that a zone transfer copies the contents of one zone, whereas an ANY query returns every record type the server holds for a single name. This is indicative that your network may be under reconnaissance.
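Signatures 6050 through 6053 are all decided by the QTYPE in the question section of a DNS query, combined for the zone transfer cases with the source port the query arrived from. The following is an added example, not NetRanger's code, that parses the question from a raw DNS message and classifies it; the caller supplies the source port. The type values (HINFO 13, AXFR 252, ANY 255) are the RFC 1035 assignments. Zone transfers are carried over TCP in practice; the parser works on the message bytes regardless of transport. The queries it is run on are constructed here, not captured.

```python
import struct

DNS_HDR = struct.Struct("!HHHHHH")                    # id, flags, qd, an, ns, ar
QTYPE_HINFO, QTYPE_AXFR, QTYPE_ANY = 13, 252, 255    # RFC 1035 values


def parse_question(msg):
    """Return (qname, qtype) for the first question of a query, or None if malformed."""
    if len(msg) < DNS_HDR.size:
        return None
    _xid, flags, qdcount, _an, _ns, _ar = DNS_HDR.unpack_from(msg)
    if flags & 0x8000 or qdcount < 1:    # QR bit set: a response, not a query
        return None
    labels, pos = [], DNS_HDR.size
    while True:
        if pos >= len(msg):
            return None
        n = msg[pos]
        pos += 1
        if n == 0:
            break
        if n & 0xC0:
            # A compression pointer cannot refer to anything before the only
            # question, so treat it as malformed rather than follow it.
            return None
        if pos + n > len(msg):
            return None
        labels.append(msg[pos:pos + n].decode("ascii", "replace"))
        pos += n
    if pos + 4 > len(msg):
        return None
    qtype, _qclass = struct.unpack_from("!HH", msg, pos)
    return ".".join(labels), qtype


def classify_dns(src_port, msg):
    """Map one query and its source port to a signature ID from 6050-6053."""
    q = parse_question(msg)
    if q is None:
        return set()
    _name, qtype = q
    if qtype == QTYPE_HINFO:
        return {6050}
    if qtype == QTYPE_AXFR:
        return {6051} if src_port == 53 else {6052}
    if qtype == QTYPE_ANY:
        return {6053}
    return set()


def build_query(name, qtype, xid=0x1234):
    """Construct a standard query for name/qtype, class IN (constructed test data)."""
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.split("."))
    return DNS_HDR.pack(xid, 0, 1, 0, 0, 0) + qname + b"\x00" + struct.pack("!HH", qtype, 1)


if __name__ == "__main__":
    samples = [
        (53, build_query("example.com", QTYPE_AXFR)),
        (40123, build_query("example.com", QTYPE_AXFR)),
        (40123, build_query("example.com", QTYPE_ANY)),
        (40123, build_query("host.example.com", QTYPE_HINFO)),
        (40123, build_query("example.com", 1)),   # ordinary A query: no alarm
    ]
    for port, msg in samples:
        print(port, parse_question(msg), sorted(classify_dns(port, msg)))
```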

6100 RPC Port Registration

Triggers when attempts are made to register new RPC services on a target host. Port registration is the method by which a new service reports to the portmapper that it is present and claims a port, which the portmapper then advertises. This should not be allowed from a remote host. No known exploit of this function exists. This does not preclude the possibility that exploits do exist outside of the realm of Cisco Systems' knowledge domain.

6101 RPC Port Unregistration

Triggers when attempts are made to unregister existing RPC services on a target host. Port unregistration is the method by which a service reports to the portmapper that it is no longer present, so that it is removed from the active port map. This should not be allowed from a remote host. No known exploit of this function exists. This does not preclude the possibility that exploits do exist outside of the realm of Cisco Systems' knowledge domain.

6102 RPC Dump

Triggers when an RPC dump request is issued to a target host. This is a procedure that may be used to determine the presence and port location of RPC services being provided by a system. Indicative that your network may be under reconnaissance.

6103 Proxied RPC Request

Triggers when a proxied RPC request is sent to the portmapper of a target host. This is a method of calling an RPC service by having the portmapper forward the request on the caller's behalf, so the service sees the request as coming from the portmapper rather than from the caller. This may be indicative of an attempt to gain unauthorized access to system resources and should not be allowed from hosts outside your network.

6110 RPC RSTATD Sweep

Triggers when RPC requests are made to many ports for the RSTATD program.

6111 RPC RUSERSD Sweep

Triggers when RPC requests are made to many ports for the RUSERSD program.

6112 RPC NFS Sweep

Triggers when RPC requests are made to many ports for the NFS program.

6113 RPC MOUNTD Sweep

Triggers when RPC requests are made to many ports for the MOUNTD program.

6114 RPC YPPASSWDD Sweep

Triggers when RPC requests are made to many ports for the YPPASSWDD program.

6115 RPC SELECTION_SVC Sweep

Triggers when RPC requests are made to many ports for the SELECTION_SVC program.

6116 RPC REXD Sweep

Triggers when RPC requests are made to many ports for the REXD program.

6117 RPC STATUS Sweep

Triggers when RPC requests are made to many ports for the STATUS program.

6118 RPC ttdb Sweep

This signature triggers on an attempt to access the tooltalk database daemon on multiple ports on a single host.

6150 ypserv Portmap Request

Triggers when a request is made to the portmapper for the YP server daemon (ypserv) port. The ypserv daemon is responsible for looking up information maintained in NIS maps. This may be indicative of an attempt to gain unauthorized access to system resources.

6151 ypbind Portmap Request

Triggers when a request is made to the portmapper for the YP bind daemon (ypbind) port. The ypbind daemon is responsible for maintaining the information needed for a client process to communicate with a ypserv process. This may be indicative of an attempt to gain unauthorized access to system resources.

6152 yppasswdd Portmap Request

Triggers when a request is made to the portmapper for the YP password daemon (yppasswdd) port. The YP password daemon allows users to remotely modify password files. This may be indicative of an attempt to gain unauthorized access to system resources.

6153 ypupdated Portmap Request

Triggers when a request is made to the portmapper for the YP update daemon (ypupdated) port. The YP update daemon is responsible for updating local NIS maps. This may be indicative of an attempt to gain unauthorized access to system resources.

6154 ypxfrd Portmap Request

Triggers when a request is made to the portmapper for the YP transfer daemon (ypxfrd) port. The YP transfer daemon is responsible for transferring NIS information on behalf of ypserv. This may be indicative of an attempt to gain unauthorized access to system resources.

6155 mountd Portmap Request

Triggers when a request is made to the portmapper for the mount daemon (mountd) port. This is the NFS daemon that is responsible for processing mount requests. This may be indicative of an attempt to gain unauthorized access to system resources.

6175 rexd Portmap Request

Triggers when a request is made to the portmapper for the remote execution daemon (rexd) port. The remote execution daemon is the server responsible for remote program execution. This may be indicative of an attempt to gain unauthorized access to system resources.

6180 rexd Attempt

Triggers when a call to the rexd program is made. The remote execution daemon is the server responsible for remote program execution. This may be indicative of an attempt to gain unauthorized access to system resources.
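The portmapper signatures 6100 through 6103, the Portmap Request signatures 6150 through 6175, and 6180 above are all decided from a few fields of a Sun RPC call: the program number, the procedure number, and for GETPORT the program number carried in the arguments. The following is an added example, not NetRanger's code, that parses a UDP RPC CALL message (RFC 1057 layout: xid, message type, RPC version, program, version, procedure, then credentials and verifier) and maps it to those signatures. The portmapper procedure numbers and the program numbers in the table are the standard assignments; the messages it is run on are constructed with AUTH_NULL credentials.

```python
import struct

PMAP_PROG = 100000                                         # portmapper
PMAP_SET, PMAP_UNSET, PMAP_GETPORT, PMAP_DUMP, PMAP_CALLIT = 1, 2, 3, 4, 5
REXD_PROG = 100017

# Portmapper procedure -> signature (6100-6103 above).
PROC_SIGS = {PMAP_SET: 6100, PMAP_UNSET: 6101, PMAP_DUMP: 6102, PMAP_CALLIT: 6103}

# GETPORT target program -> signature (6150-6175 above); standard /etc/rpc numbers.
GETPORT_SIGS = {
    100004: 6150,     # ypserv
    100007: 6151,     # ypbind
    100009: 6152,     # yppasswdd
    100028: 6153,     # ypupdated
    100069: 6154,     # ypxfrd
    100005: 6155,     # mountd
    REXD_PROG: 6175,  # rexd
}


def _u32(buf, pos):
    if pos + 4 > len(buf):
        raise ValueError("truncated RPC message")
    return struct.unpack_from("!I", buf, pos)[0], pos + 4


def _skip_auth(buf, pos):
    """Skip one opaque_auth: flavor, body length, body padded to a 4-byte boundary."""
    _flavor, pos = _u32(buf, pos)
    length, pos = _u32(buf, pos)
    if length > 400:                 # RFC 1057 caps the auth body at 400 bytes
        raise ValueError("auth body too long")
    return pos + ((length + 3) & ~3)


def parse_call(buf):
    """Parse a UDP RPC CALL; return (prog, vers, proc, args_offset) or None."""
    try:
        pos = 0
        _xid, pos = _u32(buf, pos)
        msg_type, pos = _u32(buf, pos)
        rpcvers, pos = _u32(buf, pos)
        prog, pos = _u32(buf, pos)
        vers, pos = _u32(buf, pos)
        proc, pos = _u32(buf, pos)
        pos = _skip_auth(buf, pos)   # credentials
        pos = _skip_auth(buf, pos)   # verifier
    except ValueError:
        return None
    if msg_type != 0 or rpcvers != 2:   # 0 = CALL; only RPC version 2 exists
        return None
    return prog, vers, proc, pos


def classify_rpc(buf):
    """Return the set of signature IDs one RPC call matches."""
    parsed = parse_call(buf)
    if parsed is None:
        return set()
    prog, _vers, proc, pos = parsed
    if prog == REXD_PROG:
        return {6180}                     # direct call to rexd
    if prog != PMAP_PROG:
        return set()
    if proc in PROC_SIGS:
        return {PROC_SIGS[proc]}
    if proc == PMAP_GETPORT:
        try:
            target_prog, _ = _u32(buf, pos)   # first field of the mapping argument
        except ValueError:
            return set()
        sig = GETPORT_SIGS.get(target_prog)
        return {sig} if sig is not None else set()
    return set()


def build_call(proc, args=b"", xid=1, prog=PMAP_PROG, vers=2):
    """Construct a minimal RPC CALL with AUTH_NULL credentials and verifier (test data)."""
    hdr = struct.pack("!IIIIII", xid, 0, 2, prog, vers, proc)
    auth_null = struct.pack("!II", 0, 0)
    return hdr + auth_null + auth_null + args


def mapping(prog, vers=2, prot=17, port=0):
    """The portmapper 'mapping' struct used as the SET/UNSET/GETPORT argument."""
    return struct.pack("!IIII", prog, vers, prot, port)


if __name__ == "__main__":
    for label, msg in [("set", build_call(PMAP_SET, mapping(100003))),
                       ("dump", build_call(PMAP_DUMP)),
                       ("getport mountd", build_call(PMAP_GETPORT, mapping(100005))),
                       ("rexd direct", build_call(0, prog=REXD_PROG))]:
        print(label, sorted(classify_rpc(msg)))
```

Over TCP each RPC message is preceded by a 4-byte record marker, which this UDP-layout parser does not strip; that is the one change needed to apply the same logic to the TCP side of the portmapper.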

6190 statd Buffer Overflow

Triggers when a large statd request is sent. This could be an attempt to overflow a buffer and gain access to system resources.

6191 RPC.tooltalk buffer overflow

This signature fires when an attempt is made to overflow an internal buffer in the tooltalk rpc program.

6192 RPC mountd Buffer Overflow

This signature triggers on an attempt to overflow a buffer in the RPC mountd application. This may result in unauthorized access to system resources.

6200 Ident Buffer Overflow

Triggers when a server returns an IDENT reply that is too large. This may be indicative of an attempt to gain unauthorized access to system resources.

6201 Ident Newline

Triggers when a server returns an IDENT reply that includes a newline followed by more data. This may be indicative of an attempt to gain unauthorized access to system resources.

6202 Ident Improper Request

Triggers when a client's IDENT request is too long or specifies non-existent ports. This may be indicative of an attempt to gain unauthorized access to system resources.

6250 FTP Authorization Failure

Triggers when a user has failed to authenticate three times in a row, while trying to establish an FTP session. This may be indicative of a brute force password guessing attempt, and may be viewed as an attempt to gain unauthorized access to system resources.

6251 Telnet Authorization Failure

Triggers when a user has failed to authenticate three times in a row, while trying to establish a Telnet session. This may be indicative of a brute force password guessing attempt, and may be viewed as an attempt to gain unauthorized access to system resources.

6252 Rlogin Authorization Failure

Triggers when a user has failed to authenticate three times in a row, while trying to establish an rlogin session. This may be indicative of a brute force password guessing attempt, and may be viewed as an attempt to gain unauthorized access to system resources.

6253 POP3 Authorization Failure

Triggers when a user has failed to authenticate three times in a row, while trying to establish a POP3 session. This may be indicative of a brute force password guessing attempt, and may be viewed as an attempt to gain unauthorized access to system resources.

6255 SMB Authorization Failure

This alarm triggers when a client fails Windows NT's (or Samba's) user authentication three or more consecutive times within a single SMB session. This indicates that the user does not have a valid account name or password, the user has forgotten the password, or a password guessing attack like NAT is being used against the server. This alarm will also trigger on multiple failures to access a Windows 95 share. Share level access disregards the provided username and only uses the provided password.
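Signatures 6250 through 6255 are stateful: they count consecutive authentication failures within one session and fire on the third. The following is an added example, not NetRanger's code, of that counting logic run over a constructed sequence of authentication events. Its event fields (service, client, server, session, ok) are my own representation of what a sensor would have extracted from the traffic, not a NetRanger format. A success resets the count; for FTP, Telnet, rlogin and POP3 the alarm fires once on the third failure and the count restarts, while for SMB it follows the page's "three or more" wording and fires on every failure from the third onward within the session.

```python
SIG_BY_SERVICE = {"ftp": 6250, "telnet": 6251, "rlogin": 6252, "pop3": 6253, "smb": 6255}
THRESHOLD = 3


class AuthFailureTracker:
    """Counts consecutive authentication failures per session."""

    def __init__(self):
        self._streak = {}   # (service, client, server, session) -> consecutive failures

    def observe(self, event):
        """Feed one authentication event; return the signature ID if it alarms, else None."""
        key = (event["service"], event["client"], event["server"], event["session"])
        if event["ok"]:
            self._streak.pop(key, None)      # a success ends the streak
            return None
        n = self._streak.get(key, 0) + 1
        self._streak[key] = n
        sig = SIG_BY_SERVICE[event["service"]]
        if sig == 6255:
            return sig if n >= THRESHOLD else None   # SMB: "three or more"
        if n >= THRESHOLD:
            self._streak.pop(key)               # fire once, then start counting again
            return sig
        return None


def run(events):
    """Return [(event_index, signature_id)] for every event that raised an alarm."""
    tracker = AuthFailureTracker()
    alarms = []
    for i, ev in enumerate(events):
        sig = tracker.observe(ev)
        if sig is not None:
            alarms.append((i, sig))
    return alarms


def _ev(service, session, ok, client="10.1.1.5", server="10.1.1.20"):
    """Build one constructed event (addresses are made up for the example)."""
    return {"service": service, "client": client, "server": server,
            "session": session, "ok": ok}


# Constructed event stream, not a real log.
SAMPLE_EVENTS = [
    _ev("ftp", 1, False), _ev("ftp", 1, False), _ev("ftp", 1, True),    # 0-2: success resets
    _ev("ftp", 1, False), _ev("ftp", 1, False), _ev("ftp", 1, False),   # 3-5: third in a row -> 6250
    _ev("smb", 2, False), _ev("smb", 2, False),
    _ev("smb", 2, False), _ev("smb", 2, False),                         # 6-9: 6255 at 8 and again at 9
    _ev("telnet", 3, False), _ev("telnet", 3, False), _ev("telnet", 4, False),  # 10-12: split sessions, no alarm
]

if __name__ == "__main__":
    for index, sig in run(SAMPLE_EVENTS):
        print(index, sig, SAMPLE_EVENTS[index]["service"])
```

The session key matters as much as the threshold: two failures in one Telnet session and one in the next are not "three times in a row", and keying only on the client address would also merge unrelated users behind a NAT into one streak.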

6300 Loki ICMP Tunnelling

Loki is a tool designed to run an interactive session that is hidden within ICMP traffic. An attacker needs to first gain root on a system, but can then set up a Loki server (lokid) as a backdoor. This can provide future command line access hidden as ICMP traffic, which can be encrypted. This signature will fire if the original Loki that was distributed in Phrack Issue 51 is implemented.

6302 General Loki ICMP Tunneling

Loki is a tool designed to run an interactive session that is hidden within ICMP traffic. An attacker needs to first gain root on a system, but can then set up a Loki server (lokid) as a backdoor. This can provide future command line access hidden as ICMP traffic, which can be encrypted. This signature will trigger on Loki even if certain user-configurable options have been modified.

8000 FTP Retrieve Password File

SubSignature ID: 2101

Triggers on string `passwd' issued during an FTP session. May indicate someone attempting to retrieve the password file from a machine in order to crack it and gain unauthorized access to system resources.

8000 Telnet-IFS Match

SubSignature ID: 2301

Triggers when an attempt to change the IFS to / is done during a Telnet session. This may be indicative of an attempt to gain unauthorized access to system resources.

8000 Telnet-/etc/shadow Match

SubSignature ID: 2302

Triggers on string `/etc/shadow' issued during a Telnet session. This may be indicative of an attempt to gain unauthorized access to system resources.

8000 Telnet-+ +

SubSignature ID: 2303

Triggers on string `+ +' issued during a Telnet session.

8000 Rlogin-IFS Match

SubSignature ID: 51301

Triggers when an attempt to change the IFS to / is done during a rlogin session. This may be indicative of an attempt to gain unauthorized access to system resources.

8000 Rlogin-/etc/shadow Match

SubSignature ID: 51302

Triggers on string `/etc/shadow' issued during a rlogin session. This may be indicative of an attempt to gain unauthorized access to system resources.

8000 Rlogin-+ +

SubSignature ID: 51303

Triggers on string `+ +' issued during a rlogin session.

10000 IP-Spoof Interface 1

SubSignature ID: 1000

Triggers on notification from the NetSentry device that an IP datagram has been received in which an IP address that is behind the router has been used as a source address in front of the router. This may be indicative of an attempt to gain unauthorized access to system resources.

10000 IP-Spoof Interface 2

SubSignature ID: 1001

Triggers on notification from the NetSentry device that an IP datagram has been received in which an IP address that is behind the router has been used as a source address in front of the router. This may be indicative of an attempt to gain unauthorized access to system resources.


Posted: Wed Jul 19 15:22:51 PDT 2000
Copyright 1989-2000©Cisco Systems Inc.