The attack-drop.sdf file contains 118 high-fidelity IPS signatures, providing customers with the latest available detection of security threats. Customers can download the SDF to their router from Cisco.com via the VPN and Security Management Solution (VMS) IDS Management Console (MC) 2.3 network management device, so that Cisco IOS IPS can begin scanning for the new signatures immediately.

Feature History for Cisco IOS IPS

Release      Modification
12.3(8)T     This feature was introduced. It adds support for Cisco IOS IPS and the Security Device Event Exchange (SDEE) Cisco standard.
12.3(14)T    Support for the following functions was added:
             • Access to more recent virus and attack signatures via the addition of three more signature micro-engines (SMEs): STRING.TCP, STRING.ICMP, and STRING.UDP.
             • Intelligent and local shunning, which allows Cisco IOS IPS to shun offending traffic on the same router on which Cisco IOS IPS is configured.
             • The ip ips deny-action ips-interface command, which allows users to choose between two available ACL filter settings used to deny offending traffic.
             • Support for the PostOffice protocol (the legacy Cisco IDS management protocol) was deprecated, and the following commands were removed from Cisco IOS software: ip ips po local, ip ips po max-events, ip ips po protected, and ip ips po remote.

Finding Support Information for Platforms and Cisco IOS Software Images

Use Cisco Feature Navigator to find information about platform support and Cisco IOS software image support. Access Cisco Feature Navigator at http://www.cisco.com/go/fn. You must have an account on Cisco.com. If you do not have an account or have forgotten your username or password, click Cancel at the login dialog box and follow the instructions that appear.
Contents
• Prerequisites for Cisco IOS IPS
• Restrictions for Cisco IOS IPS
• Information About Cisco IOS IPS
• How to Load IPS-Based Signatures onto a Router
• Configuration Examples
• Additional References
• Command Reference

Prerequisites for Cisco IOS IPS

VMS IDS MC 2.3 and Cisco Router SDM Support

VMS IDS MC provides a web-based interface for configuring, managing, and monitoring multiple IDS sensors. Cisco Router and Security Device Manager (SDM) is a web-based device-management tool that allows users to import SDFs from Cisco.com, edit them, and deploy them to the router. VMS IDS MC is for network-wide management; SDM is for single-device management. It is strongly recommended that customers download the SDF to an IDS MC 2.3 network management device or to SDM. Customers can choose to download the SDF to a device other than IDS MC or SDM (for example, directly to the router) via the command-line interface (CLI); however, this approach is not recommended because it requires the customer to know which signatures come from which signature engines.
Restrictions for Cisco IOS IPS

Signature Support Deprecation

Effective Cisco IOS Release 12.3(8)T, the following signatures are no longer supported by Cisco IOS IPS:
• 1100 IP Fragment Attack (Attack, Atomic): Triggers when any IP datagram is received with the more-fragments flag set to 1 or with a nonzero value in the fragment offset field. (Table 2 notes that this signature is replaced by the 12xx series.)
• 1105 Broadcast Source Address (Compound/Attack): Triggers when an IP packet with a source address of 255.255.255.255 is detected. This signature may be an indicator of an IP spoof attack or an attempt to subvert a firewall, proxy, or gateway.
• 1106 Multicast IP Source Address (Compound/Attack): Triggers when an IP packet with a source address of 224.x.x.x is detected. This signature may be an indicator of an IP spoof attack or an attempt to subvert a firewall, proxy, or gateway.
• 8000 FTP Retrieve Password File (Attack, Atomic), SubSig ID 2101: Triggers on the string passwd issued during an FTP session. May indicate that someone is attempting to retrieve the password file from a machine in order to crack it and gain unauthorized access to system resources.
Action Configuration via CLI No Longer Supported

Cisco IOS IPS actions (such as resetting the TCP connection) can no longer be configured via the CLI; any CLI command issued to configure IPS actions is silently ignored. If you are using the attack-drop.sdf signature file, the signatures are preset with actions that mitigate the attack by dropping the packet and, where applicable, resetting the connection. If you are using VMS or SDM to deploy signatures to the router, tune the signatures to use the desired actions before deployment.

Memory Impact on Low-End to Mid-Range Routers

Intrusion detection configuration on certain routers may not be able to support the complete list of signatures because of insufficient memory. The network administrator may therefore have to select a smaller subset of signatures or use the standard 100 built-in signatures that the routers ship with.

Information About Cisco IOS IPS

To help secure your network via a signature-based IPS, you should understand the following concepts:
• Cisco IOS IPS Overview
• Benefits
• The Signature Definition File
• Signature Micro-Engines: Overview and Lists of Supported Engines
• Supported Cisco IOS IPS Signatures

Cisco IOS IPS Overview

Cisco IOS IPS acts as an in-line intrusion detection sensor, watching packets and sessions as they flow through the router and scanning each packet against the Cisco IOS IPS signatures. When it detects suspicious activity, it responds before network security can be compromised and logs the event through Cisco IOS syslog messages or Security Device Event Exchange (SDEE). The network administrator can configure Cisco IOS IPS to choose the appropriate response to various threats.
When packets in a session match a signature, Cisco IOS IPS can take any of the following actions, as appropriate:
• Send an alarm to a syslog server or a centralized management interface
• Drop the packet
• Reset the connection
• Deny traffic from the source IP address of the attacker for a specified amount of time
• Deny traffic on the connection for which the signature was seen for a specified amount of time

Cisco developed its Cisco IOS software-based intrusion-prevention capabilities and Cisco IOS Firewall with flexibility in mind, so that individual signatures can be disabled in case of false positives. Generally, it is preferable to enable both the firewall and Cisco IOS IPS to support network security policies. However, each of these features may be enabled independently and on different router interfaces.
Benefits

Dynamic IPS Signatures

IPS signatures are updated and posted to Cisco.com on a regular basis. Thus, customers can access signatures that help protect their network from the latest known network attacks.

Parallel Signature Scanning

Cisco IOS IPS uses a parallel signature scanning engine to scan for multiple patterns within a signature micro-engine (SME) at any given time. IPS signatures are no longer scanned on a serial basis.

Named and Numbered Extended ACL Support

Prior to Cisco IOS Release 12.3(8)T, only standard, numbered ACLs were supported. Cisco IOS IPS now supports both named and numbered extended ACLs through one or both of the following commands: ip ips ips-name list acl (which applies an ACL to a whole IPS rule) and ip ips signature signature-id list acl-list (which applies an ACL to a single signature).

The Signature Definition File

A signature definition file (SDF) has definitions for each signature it contains.
After signatures are loaded and compiled onto a router running Cisco IOS IPS, IPS can begin detecting the new signatures immediately. If customers do not use the default, built-in signatures that are shipped with the routers, they can choose to download one of two different types of SDFs: the attack-drop.sdf file (a static file) or a dynamic SDF (dynamically updated and accessed from Cisco.com). The attack-drop.sdf file is available in flash on all Cisco access routers that ship with Cisco IOS Release 12.3(8)T or later.

The attack-drop.sdf file can then be loaded directly from flash into the Cisco IOS IPS system. If flash is erased, the attack-drop.sdf file stored there is erased too. Thus, if you are copying a Cisco IOS image to flash and are prompted to erase the contents of flash before copying the new image, you risk erasing the attack-drop.sdf file. If this occurs, the router falls back to the built-in signatures within the Cisco IOS image. The attack-drop.sdf file can also be downloaded onto your router from Cisco.com. To help detect the latest vulnerabilities, Cisco provides signature updates on Cisco.com on a regular basis.
Users can use SDM or VMS to download these signature updates, tune the signature parameters as necessary, and deploy the new SDF to a Cisco IOS IPS router.

Signature Micro-Engines: Overview and Lists of Supported Engines

Cisco IOS IPS uses signature micro-engines (SMEs) to load the SDF and scan signatures. Signatures contained within the SDF are handled by a variety of SMEs, and the SDF typically contains signature definitions for multiple engines. An SME typically corresponds to the protocol in which the signature occurs and looks for malicious activity in that protocol. A packet is processed by several SMEs. Each SME scans for the conditions that can lead to a signature match: it extracts certain values from the packet and searches for patterns within it via the regular expression engine. For a list of supported signature engines, refer to the section Lists of Supported Signature Engines.
Lists of Supported Signature Engines

Table 1 lists the supported signature engines and engine-specific parameter exceptions, if applicable.

Note: If the SDF contains a signature that requires an engine that is not supported, the engine is ignored and an error message is displayed. If a signature within a supported engine contains a parameter that is not supported, the parameter is ignored and an error message is displayed.

Table 1  Supported Signature Engines

Signature Engine (1)   Supported Since   Parameter Exceptions
ATOMIC.L3.IP           12.3(8)T          (none)
ATOMIC.ICMP            12.3(8)T          (none)
ATOMIC.IPOPTIONS       12.3(8)T          (none)
ATOMIC.TCP             12.3(8)T          (none)
ATOMIC.UDP             12.3(8)T          (none)
SERVICE.DNS            12.3(8)T          (none)
SERVICE.HTTP           12.3(8)T          ServicePorts (applicable only in Cisco IOS Release 12.3(8)T)
SERVICE.FTP            12.3(8)T          ServicePorts
SERVICE.SMTP           12.3(8)T          ServicePorts
SERVICE.RPC            12.3(8)T          ServicePorts, Unique, and isSweep
STRING.ICMP            12.3(14)T         (none)
STRING.TCP             12.3(14)T         (none)
STRING.UDP             12.3(14)T         (none)

(1) The following parameters, which are defined in all signature engines, are currently not supported: AlarmThrottle=Summarize (all other values are supported), MaxInspectLength, MaxTTL, Protocol, ResetAfterIdle, StorageKey, and SummaryKey.

Table 2 lists support for the 100 signatures that were available in Cisco IOS IDS prior to Cisco IOS Release 12.3(8)T. These 100 signatures are part of the Cisco IOS IPS built-in SDF. By default, signatures are loaded from this built-in SDF.
Table 2 lists support for these 100 signatures under Cisco IOS IPS.

Table 2  Cisco IOS IDS Built-in Signatures Under Cisco IOS IPS

Signature IDs        Count   Engine
1000-1006            7       ATOMIC.IPOPTIONS
1101, 1102           2       ATOMIC.L3.IP
1004, 1007           2       ATOMIC.L3.IP
2000-2012, 2150      14      ATOMIC.ICMP
2151, 2154           2       ATOMIC.L3.IP
3038-3043            6       ATOMIC.TCP
3100-3107            8       SERVICE.SMTP
3153, 3154           2       SERVICE.FTP
4050-4052, 4600      4       ATOMIC.UDP
6100-6103            4       SERVICE.RPC
6150-6155            6       SERVICE.RPC
6175, 6180, 6190     3       SERVICE.RPC
6050-6057            8       SERVICE.DNS
6062-6063            2       SERVICE.DNS
3215, 3229, 3223     3       SERVICE.HTTP
5034-5035            2       SERVICE.HTTP
5041, 5043-5045      4       SERVICE.HTTP
5050, 5055, 5071     3       SERVICE.HTTP
5081, 5090, 5123     3       SERVICE.HTTP
5114, 5116-5118      4       SERVICE.HTTP
1100                 1       Not applicable. Signature is replaced by the 12xx series.
1105-1106            2       Cisco IOS IPS deprecates these signatures, which do not appear in the SDF.
1201-1208            10      OTHER (1) (fragment attack signatures)
3050                 2       OTHER (1) (SYN attack signatures)
3150-3152            3       STRING.TCP
4100                 1       STRING.UDP
8000                 1       Cisco IOS IPS deprecates this signature, which does not appear in the SDF.

(1) The OTHER engine contains existing, hard-coded signatures. Although the standard SDF contains an entry for these signatures, the engine is not dynamically updated. If the SDF that is loaded onto the engine does not contain the signature, the signature is treated as though it has been disabled.

Supported Cisco IOS IPS Signatures

Customers can choose to use Cisco IOS IPS in one of the following ways:
• Download new signatures that are posted on Cisco.com. These signatures can be obtained at the Cisco Intrusion Prevention Alert Center web page. (You must have a valid Cisco.com account to access this web page.)
• Download the attack-drop.sdf file, which contains the signatures identified in Table 3.
Table 3  Signatures in attack-drop.sdf
Each entry lists the signature ID (ID:SubSig), name, actions (A = alarm, D = drop, R = reset), engine, and description.

1006:0  IP options-Strict Source Route  (A, D; ATOMIC.IPOPTIONS)
        Triggers on receipt of an IP datagram in which the IP option list for the datagram includes option 2 (Strict Source Routing).
1102:0  Impossible IP Packet  (A, D; ATOMIC.L3.IP)
        Triggers when an IP packet arrives with the source address equal to the destination address. This signature catches the Land attack.
1104:0  IP Localhost Source Spoof  (A, D; ATOMIC.L3.IP)
        Triggers when an IP packet with the source address 127.0.0.1, a localhost address that should never be seen on the network, is detected. This signature can detect the Blaster attack.
1108:0  IP Packet with Proto 11  (A, D; ATOMIC.L3.IP)
        Alarms upon detecting IP traffic with the protocol field set to 11. There have been known backdoors running on IP protocol 11.
2154:0  Ping Of Death Attack  (A, D; ATOMIC.L3.IP)
        Triggers when an IP datagram is received with the protocol field in the IP header set to 1 (ICMP) and the Last Fragment bit set, and the IP offset (which represents the starting position of this fragment in the original packet, in 8-byte units) plus the rest of the packet is greater than the maximum size of an IP packet.
3038:0  Fragmented NULL TCP Packet  (A, D; ATOMIC.TCP)
        Triggers when a single, fragmented TCP packet with none of the SYN, FIN, ACK, or RST flags set has been sent to a specific host. A reconnaissance sweep of your network may be in progress.
3039:0  Fragmented Orphaned FIN Packet  (A, D; ATOMIC.TCP)
        Triggers when a single, fragmented, orphan TCP FIN packet is sent to a privileged port (a port number less than 1024) on a specific host. A reconnaissance sweep of your network may be in progress.
3040:0  NULL TCP Packet  (A, D; ATOMIC.TCP)
        Triggers when a single TCP packet with none of the SYN, FIN, ACK, or RST flags set has been sent to a specific host. A reconnaissance sweep of your network may be in progress.
3041:0  SYN/FIN Packet  (A, D; ATOMIC.TCP)
        Triggers when a single TCP packet with the SYN and FIN flags set is sent to a specific host. A reconnaissance sweep of your network may be in progress. The use of this type of packet indicates an attempt to conceal the sweep.
3043:0  Fragmented SYN/FIN Packet  (A, D; ATOMIC.TCP)
        Triggers when a single, fragmented TCP packet with the SYN and FIN flags set is sent to a specific host. A reconnaissance sweep of your network may be in progress. The use of this type of packet indicates an attempt to conceal the sweep.
3129:0  Mimail Virus C Variant File Attachment  (A, D, R; SERVICE.SMTP)
        Fires when an e-mail attachment matching the C variant of the Mimail virus is detected. The virus sends itself to recipients as the e-mail attachment photos.zip, which contains the file photos.jpg.exe, with "our private photos" in the e-mail subject line. If launched, the virus harvests e-mail addresses and possible mail servers from the infected system.
3140:3  Bagle Virus Activity 2  (A, D, R; SERVICE.HTTP)
        Fires when HTTP propagation using .jpeg associated with the .Q variant is detected.
3140:4  Bagle Virus Activity 3  (A, D, R; SERVICE.HTTP)
        Fires when HTTP propagation using .php associated with the .Q variant is detected.
3300:0  NetBIOS OOB Data  (A, D; ATOMIC.TCP)
        Triggers when an attempt to send out-of-band data to port 139 is detected.
5045:0  WWW xterm display attack  (A, D, R; SERVICE.HTTP)
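The following Python script is an added example; it is not part of this Cisco document and is not Cisco IOS code. It re-implements the trigger conditions of the ATOMIC.L3.IP and ATOMIC.TCP entries in Table 3, plus the deprecated 1100/1105/1106 checks from the Restrictions section, over raw IPv4 and TCP headers, grouping the checks by engine the way the SME description above does (each engine inspects only the header it understands, and a packet passes through every engine). Signature IDs, names, engines and actions are taken from the page's tables. Two details are the example's own assumptions: NetBIOS out-of-band data is treated as a TCP segment with the URG flag set, and the 127.0.0.1 check is widened to the whole 127/8 loopback block. The sample packets are constructed inline, not captures.

```python
"""Emulate a subset of Cisco IOS IPS atomic signatures over raw IPv4/TCP packets."""
import ipaddress
import socket
import struct
from dataclasses import dataclass
from typing import List, Optional, Tuple

TCP_FIN, TCP_SYN, TCP_RST, TCP_ACK, TCP_URG = 0x01, 0x02, 0x04, 0x10, 0x20
IP_MF = 0x2000          # "more fragments" bit in the IPv4 flags/offset field
IP_MAX_LEN = 65535      # largest total length an IPv4 datagram can have

# id -> (name, engine, actions) as listed on the page; A = alarm, D = drop.
# 1100/1105/1106 are the deprecated checks and carry no actions on the page.
SIGS = {
    1100: ("IP Fragment Attack", "deprecated", "n/a"),
    1102: ("Impossible IP Packet", "ATOMIC.L3.IP", "A, D"),
    1104: ("IP Localhost Source Spoof", "ATOMIC.L3.IP", "A, D"),
    1105: ("Broadcast Source Address", "deprecated", "n/a"),
    1106: ("Multicast IP Source Address", "deprecated", "n/a"),
    1108: ("IP Packet with Proto 11", "ATOMIC.L3.IP", "A, D"),
    2154: ("Ping Of Death Attack", "ATOMIC.L3.IP", "A, D"),
    3038: ("Fragmented NULL TCP Packet", "ATOMIC.TCP", "A, D"),
    3039: ("Fragmented Orphaned FIN Packet", "ATOMIC.TCP", "A, D"),
    3040: ("NULL TCP Packet", "ATOMIC.TCP", "A, D"),
    3041: ("SYN/FIN Packet", "ATOMIC.TCP", "A, D"),
    3043: ("Fragmented SYN/FIN Packet", "ATOMIC.TCP", "A, D"),
    3300: ("NetBIOS OOB Data", "ATOMIC.TCP", "A, D"),
}

@dataclass
class Packet:
    src: str
    dst: str
    proto: int
    more_frags: bool
    frag_offset: int                 # in 8-byte units, as carried on the wire
    payload_len: int                 # total length minus IP header length
    tcp_flags: Optional[int] = None  # None when no TCP header is visible
    tcp_dport: Optional[int] = None

def parse_packet(raw: bytes) -> Packet:
    """Decode the IPv4 header and, for a first fragment carrying TCP, the TCP header."""
    if len(raw) < 20:
        raise ValueError("truncated IPv4 header")
    ver_ihl, _, total_len, _, flags_off, _, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", raw[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < 20:
        raise ValueError("not an IPv4 packet")
    pkt = Packet(socket.inet_ntoa(src), socket.inet_ntoa(dst), proto,
                 bool(flags_off & IP_MF), flags_off & 0x1FFF, total_len - ihl)
    # Only the first fragment (offset 0) carries the TCP header.
    if proto == 6 and pkt.frag_offset == 0 and len(raw) >= ihl + 20:
        _, dport, _, _, _, flags, _, _, _ = struct.unpack("!HHIIBBHHH", raw[ihl:ihl + 20])
        pkt.tcp_flags, pkt.tcp_dport = flags, dport
    return pkt

def atomic_l3_ip(p: Packet, include_deprecated: bool) -> List[int]:
    """ATOMIC.L3.IP engine: checks that need only the IP header."""
    hits = []
    if p.src == p.dst:
        hits.append(1102)                       # Land attack
    if ipaddress.ip_address(p.src).is_loopback:
        hits.append(1104)                       # assumption: whole 127/8, not just 127.0.0.1
    if p.proto == 11:
        hits.append(1108)
    # Ping of death: last ICMP fragment whose offset*8 plus data runs past 65535.
    if p.proto == 1 and not p.more_frags and p.frag_offset * 8 + p.payload_len > IP_MAX_LEN:
        hits.append(2154)
    if include_deprecated:
        if p.more_frags or p.frag_offset:
            hits.append(1100)                   # fires on every fragment of any datagram
        if p.src == "255.255.255.255":
            hits.append(1105)
        if ipaddress.ip_address(p.src).is_multicast:
            hits.append(1106)
    return hits

def atomic_tcp(p: Packet) -> List[int]:
    """ATOMIC.TCP engine: flag combinations on a single segment, fragmented or not."""
    if p.tcp_flags is None:
        return []
    hits, f = [], p.tcp_flags
    fragmented = p.more_frags or p.frag_offset > 0
    if f & (TCP_SYN | TCP_FIN | TCP_ACK | TCP_RST) == 0:
        hits.append(3038 if fragmented else 3040)
    if f & (TCP_SYN | TCP_FIN) == TCP_SYN | TCP_FIN:
        hits.append(3043 if fragmented else 3041)
    # Orphaned FIN: FIN without ACK, in a fragment, to a privileged port.
    if fragmented and f & TCP_FIN and not f & TCP_ACK and p.tcp_dport < 1024:
        hits.append(3039)
    if f & TCP_URG and p.tcp_dport == 139:      # assumption: OOB data == TCP URG
        hits.append(3300)
    return hits

def scan(raw: bytes, include_deprecated: bool = False) -> List[Tuple[int, str, str]]:
    """Run every engine over one packet; return (id, name, actions) per matching signature."""
    p = parse_packet(raw)
    ids = atomic_l3_ip(p, include_deprecated) + atomic_tcp(p)
    return [(i, SIGS[i][0], SIGS[i][2]) for i in sorted(ids)]

# Constructed sample packets (not captures); checksums are left at zero.
def build_ipv4(src, dst, proto, payload=b"", more_frags=False, frag_offset=0) -> bytes:
    flags_off = (IP_MF if more_frags else 0) | (frag_offset & 0x1FFF)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 1, flags_off, 64, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    return hdr + payload

def build_tcp(sport, dport, flags, payload=b"") -> bytes:
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 8192, 0, 0) + payload

if __name__ == "__main__":
    samples = {
        "land": build_ipv4("10.0.0.2", "10.0.0.2", 6, build_tcp(80, 80, TCP_SYN)),
        "fragmented syn/fin": build_ipv4("10.0.0.1", "10.0.0.2", 6, build_tcp(4000, 8080, TCP_SYN | TCP_FIN), more_frags=True),
        "ping of death tail": build_ipv4("10.0.0.1", "10.0.0.2", 1, b"\x00" * 24, frag_offset=8189),
        "netbios oob": build_ipv4("10.0.0.1", "10.0.0.2", 6, build_tcp(4000, 139, TCP_ACK | TCP_URG, b"\x01")),
    }
    for label, raw in samples.items():
        print(label, scan(raw, include_deprecated=True))
```

Running the script with include_deprecated=True shows 1100 firing alongside 3043 on the fragmented SYN/FIN sample and alongside 2154 on the ping-of-death fragment, because it matches any fragment at all; the ping-of-death check also shows why the offset arithmetic matters: a final fragment at offset 8189 with 24 data bytes reaches 65536 and triggers, while the same fragment at offset 8188 does not.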