
Lesson 7

Describing Signature Engines

© 2005 Cisco Systems, Inc. All rights reserved. IPS v5.0—7-1


Signature Engines



Signature Engine Overview

• A Signature Engine is a component of the sensor that supports a category of signatures.
• The Cisco IPS Signature Engines enable you to tune built-in signatures and create new signatures unique to your network environment.



Engine Usage

Engine Category Usage

Atomic Used for single-packet inspection

Flood Used to detect attempts to cause a DoS

Meta Used to perform event correlation on the sensor

Normalizer Used to detect ambiguities and abnormalities in the traffic stream



Engine Usage (Cont.)

Engine Category Usage

Service Used when Layer 5, 6, and 7 services require protocol analysis

State Used for state-based and regular expression–based pattern inspection and alarming functionality for TCP streams

String Used for regular expression–based pattern inspection and alarm functionality for multiple transport protocols



Engine Usage (Cont.)

Engine Category Usage

Sweep Used to detect network reconnaissance

Traffic Used to detect traffic irregularities

Trojan Used to inspect nonstandard protocols

AIC Used for deep-packet inspection of FTP and HTTP traffic



Engine Parameters

• An engine parameter is a name and value pair.
• The parameter name is defined by its engine.
• Parameter values have limits that are defined by the engine.
• The parameter name is constant across all signatures in a particular engine, but the value can be different for the various signatures in an engine group.
• Some parameters are common to all engines while others are engine-specific.



Atomic Signature Engines



Atomic Signature Engines

Engine Name Engine Description

Atomic ARP Examines ARP packets

Atomic IP Examines ICMP, IP, TCP, and UDP packets



Atomic ARP Parameters

Figure: Atomic ARP parameter pane, showing the parameters Specify Type of ARP Sig, Specify Request Inbalance, and Storage Key.



Atomic IP Parameters

Figure: Atomic IP parameter pane with example values. Fragment Status: Not Fragmented; Specify Layer 4 Protocol: TCP Protocol; TCP Flags: SYN; TCP Mask: SYN, ACK; Specify Payload Inspection.



Flood Signature Engines



Flood Signature Engines

Engine Name Engine Description

Flood Net Looks for an excessive number of packets sent to a network segment

Flood Host Looks for an excessive number of ICMP or UDP packets sent to a target host



Flood Net Parameters

Gap

Peaks

Rate

Protocol



Flood Host Parameters

Rate: 25

Protocol: ICMP

ICMP Type: 8
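The Flood Host values on this slide (Rate 25, Protocol ICMP, ICMP Type 8) describe a per-victim rate threshold on echo requests. The Python sketch below is an added illustration of that logic, not Cisco's code; the one-second sliding window, the strictly-greater-than comparison and the constructed packet records are assumptions.

```python
from collections import defaultdict, deque

ICMP_ECHO_REQUEST = 8   # ICMP Type 8, as configured on the slide


class FloodHostDetector:
    """Flood Host style check: fires when more than `rate` packets of the
    configured protocol (and ICMP type, for ICMP) reach one target host
    within one second. Assumption: a sliding one-second window keyed on
    the victim address, and 'exceeds' means strictly greater than `rate`."""

    def __init__(self, rate=25, protocol="icmp", icmp_type=ICMP_ECHO_REQUEST):
        self.rate = rate
        self.protocol = protocol
        self.icmp_type = icmp_type
        self.windows = defaultdict(deque)  # victim -> timestamps within the last second

    def observe(self, dst, protocol, ts, icmp_type=None):
        """Feed one packet (victim, protocol, time in seconds, ICMP type).
        Returns True on the packet that pushes the victim over the rate."""
        if protocol != self.protocol:
            return False
        if self.protocol == "icmp" and icmp_type != self.icmp_type:
            return False
        win = self.windows[dst]
        win.append(ts)
        while win and ts - win[0] >= 1.0:   # drop packets older than one second
            win.popleft()
        if len(win) > self.rate:
            win.clear()                      # fire once, then start counting again
            return True
        return False


def first_fire(detector, packets):
    """Replay (dst, protocol, ts, icmp_type) records; return the time of the first alert."""
    for dst, proto, ts, icmp_type in packets:
        if detector.observe(dst, proto, ts, icmp_type):
            return ts
    return None


# Constructed sample traffic: 40 echo requests to one host in 0.4 s (a flood),
# the echo replies (type 0) that the signature must ignore, and the same
# number of requests to another host spread over 4 s (never more than 10/s).
FLOOD = [("10.1.1.5", "icmp", i * 0.01, 8) for i in range(40)]
REPLIES = [("10.1.1.5", "icmp", i * 0.01 + 0.005, 0) for i in range(40)]
SLOW = [("10.1.1.6", "icmp", i * 0.1, 8) for i in range(40)]
```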



Meta Signature Engine



The Meta Event Generator

Meta Reset Interval = 3 seconds

Component signatures: Signature 5081 (cmd.exe Access), Signature 5124 (IIS CGI Decode), Signature 5114 (IIS Unicode Attack), Signature 3215 (Dot Dot Execute), Signature 3216 (Dot Dot Crash)

Signature 5081+5124+5114+3215+3216 = NIMDA

If the five signatures fire within a three-second interval, the meta signature, NIMDA, fires.



Meta Engine Parameters

Meta Reset Interval

Component List

Component List in Order
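The Meta Event Generator slides describe correlating the five NIMDA component signatures within a 3-second Meta Reset Interval, optionally requiring them in Component List order. The Python model below is an added example, not Cisco's implementation; tracking partial matches per (attacker, victim) key and the constructed alert streams are assumptions.

```python
# Meta signature from the slide: five component signatures that together
# indicate NIMDA, correlated within a 3-second Meta Reset Interval.
NIMDA_COMPONENTS = [5081, 5124, 5114, 3215, 3216]
META_RESET_INTERVAL = 3.0


class MetaEventGenerator:
    """Correlates component alerts into one meta alert.

    component_list  - signature IDs that must all fire (Component List)
    reset_interval  - seconds a partial match is kept (Meta Reset Interval)
    in_order        - components must arrive in list order (Component List in Order)
    Assumption: partial matches are tracked per (attacker, victim) key.
    """

    def __init__(self, component_list, reset_interval, in_order=False):
        self.components = list(component_list)
        self.reset_interval = reset_interval
        self.in_order = in_order
        self.partial = {}   # key -> (time of first component, ids seen so far)

    def observe(self, sig_id, key, ts):
        """Feed one component alert; return True when the meta signature fires."""
        if sig_id not in self.components:
            return False
        start, seen = self.partial.get(key, (None, []))
        if start is not None and ts - start > self.reset_interval:
            start, seen = None, []           # interval expired: forget the partial match
        if start is None:
            start = ts
        if self.in_order:
            if sig_id == self.components[len(seen)]:   # only the next expected one counts
                seen = seen + [sig_id]
        elif sig_id not in seen:
            seen = seen + [sig_id]
        if len(seen) == len(self.components):
            self.partial.pop(key, None)      # fire and start over for this key
            return True
        self.partial[key] = (start, seen)
        return False


def meta_fires(events, in_order=False):
    """Replay (sig_id, key, ts) alerts; return the timestamps at which NIMDA fired."""
    gen = MetaEventGenerator(NIMDA_COMPONENTS, META_RESET_INTERVAL, in_order)
    return [ts for sig_id, key, ts in events if gen.observe(sig_id, key, ts)]


# Constructed alert streams for one attacker/victim pair.
KEY = ("192.0.2.10", "198.51.100.7")
FAST = [(sig, KEY, 0.4 * i) for i, sig in enumerate(NIMDA_COMPONENTS)]   # all within 1.6 s
SLOW = FAST[:4] + [(3216, KEY, 5.0)]                                       # last one arrives too late
REVERSED = [(sig, KEY, 0.4 * i) for i, sig in enumerate(reversed(NIMDA_COMPONENTS))]
```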



Normalizer Signature Engine



Normalizer Engine

• The normalizer engine detects and corrects ambiguities and abnormalities in traffic as packets flow through the data path.
• The traffic the normalizer engine inspects is guaranteed unambiguous because it is normalized before it is inspected.
• The normalizer engine performs such functions as the following:
– Properly sequencing packets in a TCP stream
– Reassembling fragmented IP packets



Normalizer Engine Parameters

Figure: Normalizer engine parameter pane, showing Specify Fragment Reassembly Timeout, Fragment Reassembly Timeout, Specify Hijack Max Old ACK, Hijack Max Old ACK, Specify SYN Flood Max Embryonic, and SYN Flood Max Embryonic.


Service Signature Engines



Service Signature Engines

Engine Name Engine Description

Service DNS Examines TCP and UDP DNS packets

Service FTP Examines FTP traffic

Service Generic Emergency response engine that supplements the string and state engines

Service H225 Examines the call signaling and setup in VoIP traffic

Service HTTP Examines HTTP traffic for string-based pattern matching

Service IDENT Examines TCP port 113 traffic

Service MSRPC Examines Microsoft RPC traffic



Service Signature Engines (Cont.)

Engine Name Engine Description

Service MSSQL Examines traffic used by Microsoft SQL

Service NTP Examines NTP traffic

Service RPC Examines RPC traffic

Service SMB Examines SMB traffic

Service SNMP Examines SNMP traffic

Service SSH Examines SSH traffic



Service DNS Parameters

Figure: Service DNS parameter pane, showing Protocol, Specify Query Src Port 53, Query Src Port 53, Specify Query Value, and Query Value.



Service FTP Parameters

Direction

Service Ports

Swap Attacker Victim



Service Generic Parameters

Figure: Service Generic parameter pane, showing Specify Dst Port, Dst Port, Specify Payload Source, and Payload Source.



H.323 Calls and the Service H225 Engine

Figure: H.323 call flow. Gateway A and Gateway B each exchange H.225 RAS messages (UDP) with a Gatekeeper across an IP QoS network; call setup between Gateway A and Gateway B uses H.225 (Q.931) over TCP.

QoS=quality of service
RAS=registration, admission, and status



Service H225 Engine

Service H225 engine features:

• TPKT validation and length checking
• Q.931 IE validation and length checking
• Setup message validation
• ASN.1 PER encode error checking
• Regex signatures for text fields in Q.931 IEs
• Signatures that provide regex and length checking for fields such as URL-ID and e-mail-ID



Service H225 Parameters

Figure: Service H225 parameter pane with example values. Message Type: Q.931; Policy Type: Length Check; Specify Value Range: Yes; Value Range: 1-3.



Service HTTP Parameters

De-Obfuscate

Specify Request
Regex

Request Regex

Service Ports



Service Ident Parameters

Inspection Type

Service Ports

Direction



Service MSRPC Parameters

Protocol

Regex String



Service MSSQL Parameters

Specify SQL Username

SQL Username

Password Present



Service NTP Parameters

Inspection Type

Operation Mode

Max Control Data Size

Control Opcode



Service RPC Parameters

Direction

Protocol

Service Ports

Specify RPC Program

RPC Program



Service SMB Parameters

Service Ports

Specify Word Count

Word Count



Service SNMP Parameters

Inspection Type

Specify Object ID

Specify Community Name

Community Name



Service SSH Parameters

Length Type

Service Ports

Specify Packet Depth

Packet Depth



State Signature Engine



State Signature Engine

State Machine

Direction

Service Ports



String Signature Engines



String Signature Engines

Engine Name Engine Description

String ICMP Searches ICMP packets for a string pattern

String TCP Searches TCP packets for a string pattern

String UDP Searches UDP packets for a string pattern



String ICMP Parameters

Direction

ICMP Type



String TCP Parameters

Service Ports

Direction



String UDP Parameters

Service Ports

Direction



Sweep Signature Engines



Sweep Signature Engines

Engine Name Engine Description

Sweep Detects a single source scanning multiple hosts or multiple ports on one host

Sweep Other TCP Detects odd sweeps and scans such as Queso



Sweep Engine

• The sweep engine controls the following types of signatures:
– ICMP
– TCP
– UDP
• Signatures controlled by the sweep engine detect the following types of sweeps:
– Host sweeps
– Port sweeps
– Service sweeps



Sweep Engine Parameters

Figure: Sweep engine parameter pane, showing Unique, Protocol, Mask, TCP Flags, Specify Port Range, Storage Key, and Port Range.
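The Atomic IP slide pairs TCP Flags with a TCP Mask (Flags SYN, Mask SYN and ACK), and the Sweep engine adds Unique counting per Storage Key over a Port Range. The Python model below is an added example covering both, not Cisco's code; the (attacker, victim) storage key, resetting the count after an alert, and the constructed packet records are assumptions.

```python
from collections import defaultdict

# TCP flag bits as laid out in the TCP header.
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20


def tcp_flags_match(packet_flags, tcp_flags, mask):
    """TCP Flags / TCP Mask test as on the Atomic IP and Sweep slides: only the
    bits in `mask` are compared, and they must equal `tcp_flags`. With
    Flags=SYN and Mask=SYN|ACK, a pure SYN matches, SYN+ACK does not, and bits
    outside the mask (PSH, URG, ...) are ignored."""
    return (packet_flags & mask) == (tcp_flags & mask)


class TcpPortSweepDetector:
    """Sweep-style Unique counting: one source hitting `unique` distinct ports
    on one host. Assumed Storage Key is (attacker, victim); Port Range limits
    which destination ports are counted."""

    def __init__(self, unique, tcp_flags=SYN, mask=SYN | ACK, port_range=(1, 65535)):
        self.unique = unique
        self.tcp_flags, self.mask = tcp_flags, mask
        self.low, self.high = port_range
        self.ports = defaultdict(set)   # storage key -> distinct dst ports seen

    def observe(self, src, dst, dport, flags):
        """Feed one TCP packet; return True on the packet that completes a sweep."""
        if not tcp_flags_match(flags, self.tcp_flags, self.mask):
            return False
        if not self.low <= dport <= self.high:
            return False
        seen = self.ports[(src, dst)]
        seen.add(dport)
        if len(seen) >= self.unique:
            seen.clear()     # fire once, then start counting again (assumption)
            return True
        return False


def count_sweeps(detector, packets):
    """Replay (src, dst, dport, flags) records; return the number of sweep alerts."""
    return sum(1 for src, dst, dport, flags in packets
               if detector.observe(src, dst, dport, flags))


# Constructed traffic: a SYN scan of 15 ports from one host, the SYN+ACK
# answers from the target, and a client opening the same port 15 times.
SCAN = [("192.0.2.9", "198.51.100.20", p, SYN) for p in range(20, 35)]
ANSWERS = [("198.51.100.20", "192.0.2.9", 1024 + p, SYN | ACK) for p in range(15)]
NORMAL = [("192.0.2.33", "198.51.100.20", 443, SYN) for _ in range(15)]
```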



Sweep Other TCP Engine

• The Sweep Other TCP Signature Engine supports signatures that fire when a mixture of TCP packets with different flags set is detected on the network.
• The Sweep Other TCP engine does not perform Unique counting the way the Sweep Signature Engine does.



Sweep Other TCP Parameters

TCP Flags



Traffic and Trojan Signature Engines



Trojan Signature Engines

Engine Name Engine Description

Trojan BO2K Examines UDP and TCP traffic for nonstandard BackOrifice traffic

Trojan TFN2K Examines UDP, TCP, or ICMP traffic for irregular traffic patterns and corrupted headers

Trojan UDP Examines UDP traffic for Trojan attacks



Trojan Parameters

TCP Flags



Traffic ICMP Parameters

Inspection Type

Want Request

Reply Ratio



AIC Signature Engines



AIC Signature Engines

Engine Name Engine Description

AIC FTP Used for FTP-specific policy enforcement

AIC HTTP Used for HTTP-specific policy enforcement



Enabling Application Policy Enforcement

Figure: Application Policy pane, reached through Configuration > Signature Definition > Miscellaneous, showing Enable HTTP, Max HTTP Requests, AIC Web Ports, and Enable FTP.



AIC FTP Engine

• Capabilities of the AIC FTP engine:
– Controls which recognized FTP commands are permitted into the network
– Controls whether unrecognized FTP commands are permitted into the network
• The AIC FTP engine controls the following types of signatures:
– Define FTP command: Used to associate an action with a specific FTP command
– Unrecognized FTP command: Used to have the sensor take an action when it detects an FTP command that is not recognized

AIC FTP Parameter Example

Figure: AIC FTP signature pane with Selected Engine: AIC FTP, Signature Type: Unrecognized FTP command, and the Enable control.



AIC HTTP Engine Capabilities

• Enforcing RFC compliance
• Authorizing and enforcing HTTP request methods
• Validating response messages
• Enforcing MIME types
• Validating transfer encoding types
• Controlling content based on message content and type of data being transferred
• Enforcing URI length
• Enforcing message size according to the configured policy and the header
• Enforcing tunneling, P2P, and instant messaging

AIC HTTP Signatures

The AIC HTTP engine controls the following types of signatures:
• Define Web Traffic Policy: Used to specify whether traffic not compliant with the HTTP RFC is allowed into the protected network through web ports
• Content Type: Used for policies associated with MIME types
• Msg Body Pattern: Used to define patterns the sensor should look for in an HTTP message
• Request Methods: Used to define policies associated with HTTP request methods
• Transfer Encodings: Used to define policies associated with transfer encoding methods
• Max Outstanding Requests Overrun: Used to have the sensor take an action when the Max HTTP Requests value is exceeded

AIC HTTP Parameter Example

Selected Engine: AIC HTTP

Content Type: image/gif



AIC HTTP Parameter Example (Cont.)

Event Action

Signature Type

Content Types Name

Content Type Details



Summary



Summary

• A Signature Engine is a component of the sensor that supports a category of signatures.
• Each Signature Engine is designed for a specific type of traffic.
• Each engine has a set of parameters that helps define the behavior of the signatures controlled by the engine.
• Parameters can be modified so that signatures meet the needs of your network environment.
• Cisco IDS signatures can summarize alarms to reduce the number of single alarms generated.

