Header
Home | Set as homepage | Add to favorites
  Search the Site     » Advanced Search
Sections
Syndication


Blogroll:

||||| ALL Cisco-Network ARTICLES |||||  
CCIE Journey,
The CCIE Journey,

Home : Intrusion Detection System : The SERVICE Micro-Engine

The SERVICE Micro-Engine

Nov 24,2008 by admin

small font medium font large font
image

The SERVICE Micro-Engine

Of all the different service micro-engines (see Table 7.5), SERVICE.DNS and SERVICE.RPC are two of the more important engines. SERVICE works at layer 5 and above to analyze traffic between two hosts. Service engine signatures are one-to-one signatures that interpret the payloads similar to the way the live services would interpret them. The result of the interpretation is the decoded fields of the protocol used in comparison against the signatures. These engines only decode enough of the data to make comparisons. Once a comparison can be made, the alarm is triggered and keeps resource utilization to a minimum.

Table 7.5: Service Micro-Engines

SERVICE.DNS

Analyzes the DNS service.

SERVICE.FTP

FTP service special decode alarms.

SERVICE.GENERIC

Custom service/payload decode. For expert use only.

SERVICE.HTTP

HTTP protocol decode-based string engine.

Includes anti-evasive URL deobfuscation.

SERVICE.IDENT

IDENT service (client and server) alarms.

SERVICE.MSSQL

Microsoft SQL service inspection engine.

SERVICE.NTP

Network Time Protocol–based signature engine.

SERVICE.RPC

Analyzes the RPC service.

SERVICE.SMB

SMB SuperInspector signatures.

SERVICE.SMTP

Inspects SMTP protocol.

SERVICE.SNMP

Inspects SNMP traffic.

SERVICE.SSH

SSH header decode signatures.

SERVICE.SYSLOG

Processes SYSLOGS.

The SERVICE.DNS micro-engines specialize in traffic on both TCP (see Figure 7.9) and UDP (see Figure 7.10) port 53. Port 53 is the standard port for DNS traffic. The SERVICE.DNS does not have any required parameters, but for full coverage on DNS, you must specify TCP or UDP. Other than that necessity, the engine is open for full customization of the signatures.

Start Figure
Selection> 10
   
        6050   (SubSig 1) DNS HINFO-TCP :
        6051   (SubSig 1) DNS Zone Xfer-TCP :
        6052   (SubSig 1) DNS High Zone Xfer-TCP :
        6053   (SubSig 1) DNS Request All-TCP :
        6054   (SubSig 1) DNS Version Request-TCP :
        6055   (SubSig 1) DNS IQUERY Overflow-TCP :
        6055   (SubSig 2) DNS IQUERY Overflow-TCP :
        6056   (SubSig 1) DNS NXT OVerflow-TCP :
        6056   (SubSig 2) DNS NXT OVerflow-TCP :
        6057   (SubSig 1) DNS SIG Overflow-TCP :
        6057   (SubSig 2) DNS SIG Overflow-TCP :
        6058   (SubSig 1) DNS SRV DoS-TCP :
        6059   (SubSig 2) DNS TSIG Overflow-TCP :
        6060   (SubSig 2) DNS Complain Overflow-TCP :
        6060   (SubSig 3) DNS Complain Overflow-TCP :
        6061   (SubSig 1) DNS Infoleak-TCP :
        6062   (SubSig 1) DNS Authors Request-TCP :
        6063   (SubSig 1) DNS Incremental Zone Transfer-TCP :
   
(Sig Number to EDIT) or (ENTER to CONTINUE) >
End Figure

Figure 7.9: SigWizMenu Option 10 SERVICE.DNS.TCP
Start Figure
 
Selection> 11
   
6050  (SubSig 0)  DNS HINFO-UDP :
6051  (SubSig 0)  DNS Zone Xfer-UDP :
6052  (SubSig 0)  DNS High Zone Xfer-UDP :
6053  (SubSig 0)  DNS Request All-UDP :
6054  (SubSig 0)  DNS IQUERY Overflow-UDP :
6055  (SubSig 0)  DNS NXT Overflow-UDP :
6056  (SubSig 0)  DNS SIG Overflow-UDP :
6057  (SubSig 0)  DNS SRV DoS-UDP :
6058  (SubSig 0)  DNS TSIG Overflow-UDP :
6059  (SubSig 1)  DNS TSIG Overflow-UDP :
6060  (SubSig 0)  DNS Complain Overflow-UDP :
6060  (SubSig 1)  DNS Complain Overflow-UDP :
6061  (SubSig 0)  DNS Infoleak-UDP :
6062  (SubSig 0)  DNS Authors Request-UDP :
6063  (SubSig 0)  DNS Incremental Zone Transfer-UDP :
6064  (SubSig 0)  BIND Large OPT Record DoS : Large OPT
   
(Sig Number to EDIT) or (ENTER to CONTINUE) >
End Figure

Figure 7.10: SigWizMenu Option 11 SERVICE.DNS.UDP

Note 

You need to add UDP and TCP signatures to have full coverage.

The SERVICE.RPC engine decoder has full decode as an anti-evasive strategy. It handles fragmented messages or batch messages. The RPC port mapper operates on port 111. Regular RPC messages are on any port greater than 550. RPC sweeps are very similar to TCP port sweeps with one exception: they only count unique ports when valid RPC messages are sent. One other unique characteristic of the SERVICE.RPC engine is they segregate on each RPC program type for sweep unique counting. In other words, counting occurs on an individual program basis. Figure 7.11 shows the signatures that fall into this category.

Start Figure
Selection> 13
   
6180  (SubSig 0)  rexd Attempt :
6190  (SubSig 0)  statd Buffer Overflow :
6191  (SubSig 0)  ttdbserverd Buffer Overflow :
6192  (SubSig 0)  mountd Buffer Overflow :
6193  (SubSig 0)  cmsd Buffer Overflow :
6194  (SubSig 0)  sadmind Buffer Overflow :
6195  (SubSig 0)  amd Buffer Overflow :
6196  (SubSig 0)  snmpXdmid Buffer Overflow :
6197  (SubSig 0)  rpc yppaswdd overflow : yppaswdd overflow
6198  (SubSig 0)  Long rwalld Message : rwalld String Format
6199  (SubSig 0)  cachefsd overflow : cachfsd overflow
6275  (SubSig 0)  SGI fam Attempt : Fam Attempt
6276  (SubSig 0)  TooltalkDB overflow : TooltalkDB overflow
6277  (SubSig 0)  Show Mount Recon : Show Mount Recon
6277  (SubSig 0)  Show Mount Recon : Show Mount All Recon
   
(Sig Number to EDIT) or (ENTER to CONTINUE) >
End Figure

Figure 7.11: SigWizMenu Option 13 SERVICE.RPC

439 times read

Related news
» The STRING Micro-Engine
by admin posted on Nov 24,2008
» The ATOMIC Micro-Engines
by admin posted on Nov 24,2008
» The FLOOD Micro-Engine
by admin posted on Nov 24,2008
» The SWEEP Micro-Engine
by admin posted on Nov 24,2008
» Cisco IDS Signature Micro-Engines
by admin posted on Nov 24,2008
Did you enjoy this article?
1 2 3 4 5
(total 0 votes)

comment Comments (0 posted) 

More Top News
CCSP-Cisco Certified Security Professional
arrow Cisco SAFE Implementation
arrow Preparation Documents
arrow Exam Topics
arrow Skills Required for the Exam
arrow Cisco SAFE Implementation Questions and Answers
arrow Access Control Lists Cisco
arrow Access List Basics
arrow Standard Access Lists
arrow Verifying ACLs
arrow Extended Access Lists
arrow TCP Access Lists
arrow UDP Access Lists
arrow ICMP Access Lists
arrow Named Access Lists
arrow Signature and Alarm Management Review
arrow Signature and Alarm Management Review Questions and Answers
arrow Event Viewer
arrow Managing Alarms
arrow Event Viewer Customization
arrow Preference Settings
arrow Sensor Installation
arrow Connecting to Your Network Sensor Appliance
arrow Sensor Bootstrap
arrow Sensor Installation and Configuration Review
arrow Sensor Installation and Configuration Questions and Answers
arrow Signature and Alarm Management
arrow CIDS Signatures
arrow Signature Series
arrow Signature Implementations
arrow Signature Classes
arrow Signature Types
arrow Signature Severity
Most Popular
Most Commented
Featured Author

admin

image
<| Cisco Articles | Maximum Learning | All Cisco-Network Study Notes | Privacy Policy |>
If you think you own the material being used without permission, contact alperenmad[at]hotmail.com. material will be removed from the site.