The SWEEP Micro-Engine
All of the SWEEP signatures' alarm conditions depend on the count of the Unique
parameter. Unique is the threshold parameter that causes the signature to fire
the alarm when more than the configured "Unique" number of ports or hosts is
seen on the address set within the time period. This process, tracking unique
port/host traffic, is referred to as counting. In order for traffic to be put
into the counting section, it must first satisfy the other packet-condition
parameters, such as Mask/TcpFlags, IcmpType, the WantFrag Boolean, and/or the
UDP ports. If a sweep occurs but the packet conditions are not met (so nothing
is counted), review the settings for these parameters and tune as necessary.
The SWEEP micro-engines include the following types.
SWEEP.HOST.*
The SWEEP.HOST.* micro-engines analyze traffic from a single
host to many hosts, particularly ICMP and TCP. The two micro-engines are
SWEEP.HOST.ICMP and SWEEP.HOST.TCP (see Figures 7.17 and 7.18).
The signatures fire when the Unique count of hosts exceeds the configured
setting. Examples of these signatures are
- 2100-ICMP Network Sweep w/Echo: Fires when IP datagrams are received directed at multiple hosts on the network with the protocol field of the IP header set to 1 (ICMP) and the type field in the ICMP header set to 8 (Echo Request). Alarm level 3.
- 2101-ICMP Network Sweep w/Timestamp: Fires when IP datagrams are received directed at multiple hosts on the network with the protocol field of the IP header set to 1 (ICMP) and the type field in the ICMP header set to 13 (Timestamp Request). Alarm level 5.
- 2102-ICMP Network Sweep w/Address Mask: Fires when IP datagrams are received directed at multiple hosts on the network with the protocol field of the IP header set to 1 (ICMP) and the type field in the ICMP header set to 17 (Address Mask Request). Alarm level 5.
- 3030-TCP SYN Host Sweep: Fires when a series of TCP SYN packets have been sent to the same destination port on a number of different hosts. Alarm level 2.
- 3031-TCP FRAG SYN Host Sweep: Fires when a series of fragmented TCP SYN packets have been sent to the same destination port on a number of different hosts. Alarm level 5.
- 3032-TCP FIN Host Sweep: Fires when a series of TCP FIN packets have been sent to the same destination port on a number of different hosts. Alarm level 5.
- 3033-TCP FRAG FIN Host Sweep: Fires when a series of TCP FIN packets have been sent to the same destination port on a number of different hosts. Alarm level 5.
- 3034-TCP NULL Host Sweep: Fires when a series of TCP packets with none of the SYN, FIN, ACK, or RST flags set have been sent to the same destination port on a number of different hosts. Alarm level 5.
- 3035-TCP FRAG NULL Host Sweep: Fires when a series of fragmented TCP packets with none of the SYN, FIN, ACK, or RST flags set have been sent to the same destination port on a number of different hosts. Alarm level 5.
- 3036-TCP SYN FIN Host Sweep: Fires when a series of TCP packets with both the SYN and FIN flags set have been sent to the same destination port on a number of different hosts. Alarm level 5.
- 3037-TCP FRAG SYN FIN Host Sweep: Fires when a series of TCP packets with both the SYN and FIN flags set have been sent to the same destination port on a number of different hosts. Alarm level 5.
Table 7.14 shows the configurable parameters for
SWEEP.HOST.ICMP signatures.
Table 7.14: SWEEP.HOST.ICMP Parameters
Parameter | Data Type | Protected | Required | Description
Master parameters | | | | Refer to Table 7.1 for the master parameters.
IcmpType | Number | No | Yes | ICMP header type of interest.
Unique | Number 2–40 | No | Yes | Maximum Unique connections to the target.
Table 7.15 shows the configurable parameters for
SWEEP.HOST.TCP signatures.
Table 7.15: SWEEP.HOST.TCP Parameters
Parameter | Data Type | Protected | Required | Description
Master parameters | | | | Refer to Table 7.1 for the master parameters.
Mask | BITSET: FIN/SYN/RST/PSH/ACK/URG | No | Yes | Mask used for TcpFlags comparison.
TcpFlags | BITSET: FIN/SYN/RST/PSH/ACK/URG | Yes | Yes | TCP flags used to match when masked by the Mask parameter.
Unique | Number 2–40 | No | Yes | Maximum Unique connections to the target.
SWEEP.PORT.*
The SWEEP.PORT.* micro-engines analyze the traffic between
two specific hosts and ports. Like the SWEEP.HOST.* engines, SWEEP.PORT.*
engines count unique port connections between the hosts. The two micro-engines
that fall into this category are SWEEP.PORT.TCP and SWEEP.PORT.UDP (see Figures
7.19 and 7.20). The signatures fire when the Unique count of
port connections exceeds the configured setting. At this time, there are only 14
signatures total in these two micro-engines. They are
- 3001-TCP Port Sweep: Fires when a series of TCP connections to a number of different privileged ports (port number < 1024) on a specific host have been initiated. Alarm level 4.
- 3002-TCP SYN Port Sweep: Fires when a series of TCP SYN packets have been sent to a number of different destination ports on a specific host. Alarm level 3.
- 3003-TCP Frag SYN Port Sweep: Fires when a series of fragmented TCP SYN packets are sent to several different destination ports on a specific host. Alarm level 5.
- 3005-TCP FIN Port Sweep: Fires when a series of TCP FIN packets have been sent to a number of different privileged ports (port number < 1024) on a specific host. Alarm level 5.
- 3006-TCP Frag FIN Port Sweep: Fires when a series of fragmented TCP FIN packets have been sent to several different privileged destination ports (port number < 1024) on a specific host. Alarm level 5.
- 3010-TCP High Port Sweep: Fires when a series of TCP connections to several different high-numbered ports (port number > 1023) on a specific host have been initiated. Alarm level 0.
- 3011-TCP FIN High Port Sweep: Fires when a series of TCP FIN packets have been sent to several different high-numbered destination ports (port number > 1023) on a specific host. Alarm level 5.
- 3012-TCP Frag FIN High Port Sweep: Fires when a series of fragmented TCP FIN packets have been sent to several different high-numbered destination ports (port number > 1023) on a specific host. Alarm level 5.
- 3015-TCP Null Port Sweep: Fires when a series of TCP packets with none of the SYN, FIN, ACK, or RST flags set have been sent to several different destination ports on a specific host. Alarm level 5.
- 3016-TCP Frag Null Port Sweep: Fires when a series of fragmented TCP packets with none of the SYN, FIN, ACK, or RST flags set have been sent to several different destination ports on a specific host. Alarm level 5.
- 3020-TCP SYN FIN Port Sweep: Fires when a series of TCP packets with both the SYN and FIN flags set have been sent to several different destination ports on a specific host. Alarm level 5.
- 3021-TCP Frag SYN FIN Port Sweep: Fires when a series of fragmented TCP packets with both the SYN and FIN flags set have been sent to several different destination ports on a specific host. Alarm level 5.
- 4001-UDP Port Sweep: Fires when a series of UDP connections to several different destination ports on a specific host have been initiated. This is an indicator of a reconnaissance sweep of your network. Be wary of potentially more serious attacks. Alarm level 0.
- 4003-Nmap UDP Port Sweep: Fires when a series of UDP connections to several different privileged ports (port number < 1024) on a specific host have been initiated. This is an indicator of a reconnaissance sweep of your network. Be wary of potentially more serious attacks. Alarm level 5.
Table 7.16 shows the configurable parameters for
SWEEP.PORT.TCP signatures.
Table 7.16: SWEEP.PORT.TCP Parameters
Parameter | Data Type | Protected | Required | Description
Master parameters | | | | Refer to Table 7.1 for the master parameters.
InvertedSweep | Boolean: True/False | No | No | Parameter to force the sensor to compare the signature against traffic to the source port instead of the destination port for unique counting.
Mask | BITSET: FIN/SYN/RST/PSH/ACK/URG | Yes | Yes | Mask used for TcpFlags comparison.
PortRange | Number | No | Yes | Three port range options: (1) for low ports, (2) for high ports, (0) for all ports.
SuppressReverse | Boolean: True/False | No | No | Suppresses the alarm when a sweep is going in the opposite direction.
TcpFlags | BITSET: FIN/SYN/RST/PSH/ACK/URG | Yes | Yes | TCP flags used to match when masked by the Mask parameter.
Unique | Number 2–40 | No | Yes | Maximum Unique connections to the target.
Table 7.17 shows the configurable parameters for
SWEEP.PORT.UDP signatures.
Table 7.17: SWEEP.PORT.UDP Parameters
Parameter | Data Type | Protected | Required | Description
Master parameters | | | | Refer to Table 7.1 for the master parameters.
PortsInclude | String | Yes | Yes | List of ports and/or ranges for the engine to inspect for sweeps.
Unique | Number 2–40 | No | Yes | Maximum Unique connections between two hosts.
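The counting logic described for SWEEP.HOST.TCP and SWEEP.PORT.TCP, as an added Python model that is not Cisco's sensor code: it assumes the Mask/TcpFlags check is (flags & Mask) == TcpFlags, uses the PortRange values from Table 7.16, and replays constructed packet records to show which keys exceed Unique inside the time window (and which packets never enter the counting section).

```python
from collections import defaultdict

FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20  # TCP flag bits

def tcp_flags_match(flags, mask, tcp_flags):
    """Assumed semantics: bits selected by Mask must equal TcpFlags; others are ignored."""
    return (flags & mask) == tcp_flags

def port_in_range(port, port_range):
    """PortRange as in Table 7.16: 1 = low ports (< 1024), 2 = high ports (> 1023), 0 = all."""
    if port_range == 1:
        return port < 1024
    if port_range == 2:
        return port > 1023
    return True

def sweep_alarms(packets, mask, tcp_flags, unique, window, mode, port_range=0):
    """Replay packet records (ts, src, dst, dport, flags) and return the keys whose
    Unique count was exceeded within `window` seconds.
    mode="host": distinct destination hosts per (src, dport), like SWEEP.HOST.TCP.
    mode="port": distinct destination ports per (src, dst), like SWEEP.PORT.TCP."""
    seen = defaultdict(list)   # key -> [(timestamp, counted value), ...]
    alarms = []
    for ts, src, dst, dport, flags in packets:
        if not tcp_flags_match(flags, mask, tcp_flags) or not port_in_range(dport, port_range):
            continue   # packet conditions not met: never reaches the counting section
        key, value = ((src, dport), dst) if mode == "host" else ((src, dst), dport)
        entries = [(t, v) for t, v in seen[key] if ts - t <= window]  # drop expired records
        entries.append((ts, value))
        seen[key] = entries
        if len({v for _, v in entries}) > unique and key not in alarms:
            alarms.append(key)
    return alarms

# Constructed sample records (timestamp, src, dst, dport, flags); not captured traffic.
SAMPLE_PACKETS = [
    (0, "10.0.0.5", "10.0.0.10", 22, SYN),
    (1, "10.0.0.5", "10.0.0.11", 22, SYN),
    (2, "10.0.0.5", "10.0.0.12", 22, SYN),
    (3, "10.0.0.5", "10.0.0.13", 22, SYN),        # 4th distinct host: exceeds Unique=3
    (4, "10.0.0.5", "10.0.0.14", 22, FIN),        # FIN fails the SYN-only match; not counted
    (10, "10.0.0.7", "10.0.0.20", 21, SYN),
    (11, "10.0.0.7", "10.0.0.20", 23, SYN),
    (12, "10.0.0.7", "10.0.0.20", 25, SYN),
    (13, "10.0.0.7", "10.0.0.20", 80, SYN),       # 4th distinct port on one host
    (200, "10.0.0.7", "10.0.0.20", 8080, SYN),    # earlier records have aged out of the window
]

def demo():
    mask, flags = SYN | ACK | FIN | RST, SYN      # SYN set, ACK/FIN/RST clear (cf. 3030, 3002)
    host = sweep_alarms(SAMPLE_PACKETS, mask, flags, 3, 60, "host")
    port = sweep_alarms(SAMPLE_PACKETS, mask, flags, 3, 60, "port")
    high = sweep_alarms(SAMPLE_PACKETS, mask, flags, 3, 60, "port", port_range=2)
    return host, port, high
```

With PortRange set to high ports only, the same records produce no alarm, which is the tuning effect the section's opening paragraph warns about.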
SWEEP.RPC
SWEEP.RPC is the final SWEEP micro-engine (Figure
7.21). It analyzes Remote Procedure Call (RPC) traffic between hosts. The
signatures that fall under the SWEEP.RPC micro-engine are
- 6110-RPC RSTATD Sweep: Fires when RPC requests are made to many ports for the RSTATD program. Alarm level 5.
- 6111-RPC RUSERSD Sweep: Fires when RPC requests are made to many ports for the RUSERSD program. Alarm level 5.
- 6112-RPC NFS Sweep: Fires when RPC requests are made to many ports for the NFS program. Alarm level 5.
- 6113-RPC MOUNTD Sweep: Fires when RPC requests are made to many ports for the MOUNTD program. Alarm level 5.
- 6114-RPC YPPASSWDD Sweep: Fires when RPC requests are made to many ports for the YPPASSWDD program. Alarm level 5.
- 6115-RPC SELECTION_SVC Sweep: Fires when RPC requests are made to many ports for the SELECTION_SVC program. Alarm level 5.
- 6116-RPC REXD Sweep: Fires when RPC requests are made to many ports for the REXD program. Alarm level 5.
- 6117-RPC STATUS Sweep: Fires when RPC requests are made to many ports for the STATUS program. Alarm level 5.
- 6118-RPC ttdb Sweep: Fires on an attempt to access the tooltalk database daemon on multiple ports on a single host. Alarm level 5.
Table 7.18 shows the configurable parameters for
SWEEP.RPC signatures.
Table 7.18: SWEEP.RPC Parameters
Parameter | Data Type | Protected | Required | Description
Master parameters | | | | Refer to Table 7.1 for the master parameters.
RpcProgram | Number | Yes | Yes | RPC program number request.
Unique | Number 2–40 | No | Yes | Maximum allowed destination ports receiving RPCs with program number request RpcProgram.
If you would like more information regarding
any of the preceding signatures refer to Appendix A or go to Cisco's web
site: http://www.cisco.com.
The OTHER Engine
After going through the ten or so different signature series and becoming
familiar with the different micro-engines, you may have wondered: what if there
is a signature that does not fit the other engines? What happens? Does Cisco
just forget about it? Not a chance. What Cisco has done is create an engine for
all the signatures that do not fit any other engine's protocol decode. It's
called the OTHER engine. The OTHER engine does not allow you to define any
custom signatures or add any signatures. The signatures that fall into the OTHER
engine are
- 993-Missed Packet Count: This signature is triggered when the sensor is dropping packets, and the percentage dropped can be used to help you tune the traffic level you are sending to the sensor. For example, if the alarms show that there is a low count of dropped packets or even zero, the sensor is monitoring the traffic without being overutilized. On the other hand, if 993 alarms show a high count of dropped packets, the sensor may be oversubscribed. Alarm level 1.
- 994-Traffic Flow Started: This signature triggers when traffic to the sensing interface is detected for the first time or resumes after an outage. SubSig 1 fires when initial network activity is detected. SubSig 2 fires when the link (physical) layer becomes active. Alarm level 1.
- 995-Traffic Flow Stopped: Subsignature 1 is triggered when no traffic is detected on the sensing interface. You can tune the timeout for this via the TrafficFlowTimeout parameter. Subsignature 2 is triggered when a physical link is not detected. Alarm level 1.
- 996-Route Up: This signifies that traffic between the sensor and director has started. When the services on the director and/or sensor are started, this alarm will appear in the event viewer. Alarm level 1.
- 997-Route Down: This signifies that traffic between the sensor and director has stopped. When the services on the director and/or sensor are started, this alarm will appear in the event viewer. Alarm level 1.
- 998-Daemon Down: One or more of the IDS sensor services has stopped.
- 999-Daemon Unstartable: One or more of the IDS sensor services is unable to be started.
- 1200-IP Fragmentation Buffer Full: This signature is triggered when there is an extraordinary amount of incomplete fragmented traffic detected on the protected network. Alarm level 1.
- 1201-IP Fragment Overlap: This signature is triggered when two fragments contained within the same IP datagram have offsets that indicate that they share positioning within the datagram. Alarm level 5.
- 1202-IP Fragment Overrun - Datagram Too Long: Fires when a reassembled fragmented datagram would exceed the declared IP data length or the maximum datagram length. Alarm level 5.
- 1203-IP Fragment Overwrite - Data is Overwritten: Fires upon detecting an IP fragment that overlaps a previous fragment. This behavior is consistent with the Ping of Death. Alarm level 5.
- 1204-IP Fragment Missing Initial Fragment: Fires when a datagram cannot be reassembled due to missing initial data. Alarm level 1.
- 1205-IP Fragment Too Many Datagrams: This signature is triggered when there is an excessive number of incomplete fragmented datagrams detected on the network. Alarm level 2.
- 1206-IP Fragment Too Small: Fires when any fragment other than the final fragment is less than 400 bytes, indicating that the fragment is likely intentionally crafted. Alarm level 2.
- 1207-IP Fragment Too Many Frags: This signature is triggered when there is an excessive number of fragments for a given datagram. This is most likely either a Denial-of-Service attack or an attempt to bypass security measures. Alarm level 2.
- 1208-IP Fragment Incomplete Datagram: Fires when a datagram cannot be fully reassembled due to missing data. Alarm level 2.
- 1220-Jolt2 Fragment Reassembly DoS attack: This alarm will fire when multiple fragments are received, all claiming to be the last fragment of an IP datagram. Alarm level 5.
- 3050-Half-open SYN Attack: Fires when multiple TCP sessions have been improperly initiated on any of several well-known service ports. Alarm level 5.
- 3250-TCP Hijack: Fires when both data streams of a TCP connection indicate that TCP hijacking has occurred. TCP hijacking is used to gain illegal access to system resources. False positives are possible. Alarm level 5.
- 3251-TCP Hijacking Simplex Mode: Fires when both data streams of a TCP connection indicate that TCP hijacking has occurred. TCP hijacking is used to gain illegal access to system resources. Simplex mode means that only one command is sent, followed by a connection RESET packet, which makes recognition of this signature different from regular TCP hijacking (sigID 3250). False positives are possible. The most common network event that may trigger this signature is an idle Telnet session. The TCP Hijack attack is a low-probability, high level-of-effort event. If it is successfully launched, it could lead to serious consequences, including system compromise. The source of these alarms should be investigated thoroughly before any actions are taken. Recommend security professional consultation to assist in the investigation. Alarm level 5.
- 5249-IDS Evasive Encoding: This signature looks for special characters such as Null, New Line, Carriage Return, Period ".", Forward Slash "/", and Back Slash "\" in the URL of an HTTP request that have been encoded in hexadecimal instead of the actual character. This is a technique used to evade detection of an attack. This signature is triggered if any of the aforementioned characters are detected as being encoded in part of the URL. Alarm level 4.
- 5250-IDS Evasive Double Encoding: This signature looks for the same special characters (Null, New Line, Carriage Return, Period ".", Forward Slash "/", and Back Slash "\") in the URL of an HTTP request that have been "doubly" encoded in hexadecimal instead of the actual character. This is a technique used to evade detection of an attack. This signature is triggered if any of the aforementioned characters are detected as being doubly encoded as part of a URL. Alarm level 4.
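The 5249/5250 checks described above, as an added Python model that is not Cisco's implementation: it assumes a %XX percent-encoding layer, treats a special character that only appears after peeling one layer with urllib's unquote as double-encoded, and runs over constructed request lines.

```python
import re
from urllib.parse import unquote

# Characters that 5249/5250 look for when they arrive hex-encoded in a URL.
SPECIALS = {"\x00": "Null", "\n": "New Line", "\r": "Carriage Return",
            ".": "Period", "/": "Forward Slash", "\\": "Back Slash"}
PCT = re.compile(r"%([0-9A-Fa-f]{2})")

def encoded_specials(url):
    """Names of special characters present as a single %XX layer in url, in order."""
    return [SPECIALS[chr(int(m.group(1), 16))]
            for m in PCT.finditer(url) if chr(int(m.group(1), 16)) in SPECIALS]

def check_url(url):
    """Emulate the two signatures: 5249 for a special character encoded once,
    5250 for one that only shows up after one encoding layer is removed."""
    hits = [("5249", name) for name in encoded_specials(url)]
    hits += [("5250", name) for name in encoded_specials(unquote(url))]
    return hits

# Constructed request lines (not captured traffic); the URL is the second token.
SAMPLE_REQUESTS = [
    "GET /docs/manual.html HTTP/1.0",
    "GET /docs%2fmanual%2ehtml HTTP/1.0",
    "GET /docs%252fmanual.html HTTP/1.0",
    "GET /page%00.html HTTP/1.0",
]

def scan(requests):
    """Return {url: hits} for every request line that would trigger 5249 or 5250."""
    results = {}
    for line in requests:
        url = line.split()[1]
        hits = check_url(url)
        if hits:
            results[url] = hits
    return results
```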
Table 7.19 shows the configurable parameters for the
OTHER micro-engine signatures.
Table 7.19: OTHER Micro-Engine Parameters
Parameter | Data Type | Protected | Required | Description
HijackMaxOldAck | Number | No | No | Maximum number of old dataless client-to-server ACKs allowed before a Hijack alarm is triggered.
HijackReset | Boolean: True/False | No | No | Hijack signature requires a reset.
ServicePorts | Port Range | No | No | List of ports and/or port ranges the target service may be listening to.
SynFloodMaxEmbryonic | Number | No | No | The maximum number of simultaneous embryonic connections allowed to any service. Embryonic connections are half-open connections.
TrafficFlowTimeout | Number | No | No | This is the number of seconds that no traffic is detected on the segment.