Cisco IDS signatures are given unique signature ID numbers. The numbers range from 900 to 50000, with each range using a particular inspection engine to detect intrusion activity for a group of protocols or types of applications.
Table 13-1 lists the ranges of signature IDs. Signature IDs 900 to 19999 are assigned by Cisco and are supplied in downloadable databases or in databases embedded in operating system images. IDs 20000 to 50000 are reserved for custom signatures.
Cisco maintains one set of unique signature IDs that is common across all its IDS platforms. Table 13-2 lists the signatures supported by firewall and router IDS sensors. Some signatures are present in one platform but not in another. The table shows whether the signature is available in Cisco IOS software Release 12.2(11)YU and earlier (IOS), Cisco IOS software Release 12.2(15)T and later (IOS+), or Cisco PIX OS release 6.0 and later (PIX).
Table 13-2. Cisco Firewall and Router IDS Sensor Signatures
Signature | Severity | Type | IOS | IOS+ | PIX | Description |
1000 IP Options - Bad Option List | Info | Atomic | Yes | Yes | Yes | Triggers on receipt of an IP datagram whose IP option list is incomplete or malformed. The IP option list contains one or more options that perform various network management or debugging tasks. |
1001 IP Options - Record Packet Route | Info | Atomic | Yes | Yes | Yes | Triggers on receipt of an IP datagram whose IP option list includes option 7 (Record Route). |
1002 IP Options - Timestamp | Info | Atomic | Yes | Yes | Yes | Triggers on receipt of an IP datagram whose IP option list includes option 4 (Timestamp). |
1003 IP Options - Provide s,c,h,tcc | Info | Atomic | Yes | Yes | Yes | Triggers on receipt of an IP datagram whose IP option list includes option 2 (Security options). |
1004 IP Options - Loose Source Route | Info | Atomic | Yes | Yes | Yes | Triggers on receipt of an IP datagram whose IP option list includes option 3 (Loose Source Route). |
1005 IP Options - SATNET ID | Info | Atomic | Yes | Yes | Yes | Triggers on receipt of an IP datagram whose IP option list includes option 8 (SATNET stream identifier). |
1006 IP Options - Strict Source Route | Info | Atomic | Yes | Yes | Yes | Triggers on receipt of an IP datagram whose IP option list includes option 9 (Strict Source Route). |
1100 IP Fragment Attack | Attack | Atomic | Yes | Yes | Yes | Triggers when any IP datagram is received with an offset value less than 5 but greater than 0 indicated in the offset field. |
1101 Unknown IP Protocol | Info | Atomic | Yes | Yes | No | Triggers when an IP datagram is received with the protocol field set to 134 or greater. These protocol types are undefined or reserved and should not be used. |
1102 Impossible IP Packet | Attack | Atomic | Yes | Yes | Yes | Triggers when an IP packet arrives with source equal to destination address. This signature catches the so-called land attack. |
1103 IP Fragments Overlap | Attack | Compound | No | Yes | Yes | Triggers when two fragments contained within the same IP datagram have offsets that indicate that they share positioning within the datagram. |
1104 IP Localhost Source Spoof | Attack | Atomic | No | Yes | No | Triggers when an IP packet with a source address of 127.0.0.1 is detected. |
1105 Broadcast Source Address | Attack | Atomic | No | Yes | No | Triggers when an IP packet with a source address of 255.255.255.255 is detected. |
1106 Multicast IP Source Address | Attack | Atomic | No | Yes | No | Triggers when an IP packet with a source address of 224.x.x.x is detected. |
1107 RFC 1918 Addresses Seen | Info | Atomic | No | Yes | No | Triggers when RFC 1918 addresses are detected. |
1202 IP Fragment Overrun - Datagram Too Long | Attack | Atomic | No | Yes | No | Triggers when a reassembled fragmented datagram would exceed the declared IP data length or the maximum datagram length. |
1206 IP Fragment Too Small | Attack | Atomic | No | Yes | No | Triggers when any fragment other than the final fragment is less than 400 bytes, indicating that the fragment is likely intentionally crafted. |
2000 ICMP Echo Reply | Info | Atomic | Yes | Yes | Yes | Triggers when an IP datagram is received with the protocol field of the IP header set to 1 (ICMP) and the type field of the ICMP header set to 0 (Echo Reply). |
2001 ICMP Host Unreachable | Info | Atomic | Yes | Yes | Yes | Triggers when an IP datagram is received with the protocol field of the IP header set to 1 (ICMP) and the type field of the ICMP header set to 3 (Host Unreachable). |
2002 ICMP Source Quench | Info | Atomic | Yes | Yes | Yes | Triggers when an IP datagram is received with the protocol field of the IP header set to 1 (ICMP) and the type field of the ICMP header set to 4 (Source Quench). |
2003 ICMP Redirect | Info | Atomic | Yes | Yes | Yes | Triggers when an IP datagram is received with the protocol field of the IP header set to 1 (ICMP) and the type field of the ICMP header set to 5 (Redirect). |
2004 ICMP Echo Request | Info | Atomic | Yes | Yes | Yes | Triggers when an IP datagram is received with the protocol field of the IP header set to 1 (ICMP) and the type field of the ICMP header set to 8 (Echo Request). |
2005 ICMP Time Exceeded for a Datagram | Info | Atomic | Yes | Yes | Yes | Triggers when an IP datagram is received with the protocol field of the IP header set to 1 (ICMP) and the type field of the ICMP header set to 11 (Time Exceeded for a Datagram). |
2006 ICMP Parameter Problem on Datagram | Info | Atomic | Yes | Yes | Yes | Triggers when an IP datagram is received with the protocol field of the IP header set to 1 (ICMP) and the type field of the ICMP header set to 12 (Parameter Problem on Datagram). |
2007 ICMP Timestamp Request | Info | Atomic | Yes | Yes | Yes | Triggers when an IP datagram is received with the protocol field of the IP header set to 1 (ICMP) and the type field of the ICMP header set to 13 (Timestamp Request). |
2008 ICMP Timestamp Reply | Info | Atomic | Yes | Yes | Yes | Triggers when an IP datagram is received with the protocol field of the IP header set to 1 (ICMP) and the type field of the ICMP header set to 14 (Timestamp Reply). |
2009 ICMP Information Request | Info | Atomic | Yes | Yes | Yes | Triggers when an IP datagram is received with the protocol field of the IP header set to 1 (ICMP) and the type field of the ICMP header set to 15 (Information Request). |
2010 ICMP Information Reply | Info | Atomic | Yes | Yes | Yes | Triggers when an IP datagram is received with the protocol field of the IP header set to 1 (ICMP) and the type field of the ICMP header set to 16 (ICMP Information Reply). |
2011 ICMP Address Mask Request | Info | Atomic | Yes | Yes | Yes | Triggers when an IP datagram is received with the protocol field of the IP header set to 1 (ICMP) and the type field of the ICMP header set to 17 (Address Mask Request). |
2012 ICMP Address Mask Reply | Info | Atomic | Yes | Yes | Yes | Triggers when an IP datagram is received with the protocol field of the IP header set to 1 (ICMP) and the type field of the ICMP header set to 18 (Address Mask Reply). |
2150 Fragmented ICMP Traffic | Attack | Atomic | Yes | Yes | Yes | Triggers when an IP datagram is received with the protocol field of the IP header set to 1 (ICMP) and either the More Fragments flag is set or a nonzero value is indicated in the fragment offset field. |
2151 Large ICMP Traffic | Attack | Atomic | Yes | Yes | Yes | Triggers when an IP datagram is received with the protocol field of the IP header set to 1 (ICMP) and the IP length is greater than 1024. |
2154 Ping of Death Attack | Attack | Atomic | Yes | Yes | Yes | Triggers when an IP datagram is received with the protocol field of the IP header set to 1 (ICMP), the Last Fragment bit is set, and (IP offset * 8) + (IP data length) is greater than 65,535. In other words, the IP offset (which represents the starting position of this fragment in the original packet, and which is in 8-byte units) plus the rest of the packet is greater than the maximum size for an IP packet. |
3038 Fragmented NULL TCP Packet | Attack | Atomic | No | Yes | No | Triggers when a single fragmented TCP packet with none of the SYN, FIN, ACK, or RST flags set has been sent to a specific host. |
3039 Fragmented Orphaned FIN Packet | Attack | Atomic | No | Yes | No | Triggers when a single fragmented orphaned TCP FIN packet is sent to a privileged port (having a port number less than 1024) on a specific host. |
3040 NULL TCP Packet | Attack | Atomic | Yes | Yes | Yes | Triggers when a single TCP packet with none of the SYN, FIN, ACK, or RST flags set has been sent to a specific host. |
3041 SYN/FIN Packet | Attack | Atomic | Yes | Yes | Yes | Triggers when a single TCP packet with the SYN and FIN flags set has been sent to a specific host. |
3042 Orphaned FIN Packet | Attack | Atomic | Yes | Yes | Yes | Triggers when a single orphaned TCP FIN packet is sent to a privileged port (having a port number less than 1024) on a specific host. |
3043 Fragmented SYN/FIN Packet | Attack | Atomic | No | Yes | No | Triggers when a single fragmented TCP packet with the SYN and FIN flags set has been sent to a specific host. |
3050 Half-open SYN Attack | Attack | Compound | Yes | Yes | No | Triggers when multiple TCP sessions have been improperly initiated on any of several well-known service ports. Detection of this signature is currently limited to FTP, Telnet, WWW, SSH, and e-mail servers (TCP ports 21, 23, 80, 22, and 25, respectively). |
3100 Smail Attack | Attack | Compound | Yes | Yes | No | Triggers on the very common smail attack against e-mail servers. |
3101 Sendmail Invalid Recipient | Attack | Compound | Yes | Yes | No | Triggers on any mail message with a pipe symbol (|) in the recipient field. |
3102 Sendmail Invalid Sender | Attack | Compound | Yes | Yes | No | Triggers on any mail message with a pipe symbol (|) in the From: field. |
3103 Sendmail Reconnaissance | Attack | Compound | Yes | Yes | No | Triggers when expn or vrfy commands are issued to the SMTP port. |
3104 Archaic Sendmail Attacks | Attack | Compound | Yes | Yes | No | Triggers when wiz or debug commands are sent to the SMTP port. |
3105 Sendmail Decode Alias | Attack | Compound | Yes | Yes | No | Triggers on any mail message with : decode@ in the header. |
3106 Mail Spam | Attack | Compound | Yes | Yes | No | Counts the number of Rcpt to: lines in a single mail message and alarms after a user-definable maximum has been exceeded (the default is 250). |
3107 Majordomo Execute Attack | Attack | Compound | Yes | Yes | No | A bug in the Majordomo program allows remote users to execute arbitrary commands at the server's privilege level. |
3150 FTP Remote Command Execution | Attack | Compound | Yes | Yes | No | Triggers when someone tries to execute the FTP SITE command. |
3151 FTP SYST Command Attempt | Info | Compound | Yes | Yes | No | Triggers when someone tries to execute the FTP SYST command. |
3152 FTP CWD ~root | Attack | Compound | Yes | Yes | No | Triggers when someone tries to execute the CWD ~root command. |
3153 FTP Improper Address Specified | Attack | Atomic | Yes | Yes | Yes | Triggers if a port command is issued with an address that is not the same as the requesting host. |
3154 FTP Improper Port Specified | Attack | Atomic | Yes | Yes | Yes | Triggers if a port command is issued with a data port specified that is less than 1024 or greater than 65535. |
3215 IIS DOT DOT EXECUTE Attack | Attack | Compound | No | Yes | No | Triggers on any attempt to cause Microsoft's Internet Information Server to execute commands. |
3229 Website Win-C-Sample Buffer Overflow | Attack | Compound | No | Yes | No | Triggers when an attempt is made to access the win-c-sample program distributed with WebSite servers. |
3233 WWW count-cgi Overflow | Attack | Compound | No | Yes | No | Triggers when an attempt is made to overflow a buffer in the cgi Count program. |
4050 UDP Bomb | Attack | Atomic | Yes | Yes | Yes | Triggers when the UDP length specified is less than the IP length specified. This malformed packet type is associated with a denial of service attempt. |
4051 Snork | Attack | Atomic | No | Yes | Yes | Triggers when a UDP packet with a source port of either 135, 7, or 19 and a destination port of 135 is detected. |
4052 Chargen DoS | Attack | Atomic | No | Yes | Yes | Triggers when a UDP packet is detected with a source port of 7 and a destination port of 19. |
4100 TFTP Passwd File | Attack | Compound | Yes | Yes | No | Triggers on an attempt to access the passwd file via TFTP. This indicates an attempt to gain unauthorized access to system resources. |
4600 IOS UDP Bomb | Attack | Atomic | No | Yes | No | Triggers on the receipt of improperly formed Syslog transmissions bound for UDP port 514. |
5034 WWW IIS newdsn Attack | Attack | Compound | No | Yes | No | Triggers when an attempt is made to run the newdsn.exe command via the HTTP server. |
5035 HTTP cgi HylaFAX Faxsurvey | Attack | Compound | No | Yes | No | Triggers when an attempt is made to pass commands to the CGI program faxsurvey. A problem in the CGI program faxsurvey, included with the HylaFAX package from SGI, allows an attacker to execute commands on the host machine. These commands execute at the privilege level of the HTTP server. There are no legitimate reasons to pass commands to the faxsurvey command. |
5041 WWW Anyform Attack | Attack | Compound | No | Yes | No | Triggers when an attacker attempts to execute arbitrary commands through the anyform cgi-bin script. |
5043 WWW Cold Fusion Attack | Attack | Compound | No | Yes | No | Triggers when an attempt is made to access sample scripts shipped with Cold Fusion servers. |
5044 WWW Webcom.se Guestbook Attack | Attack | Compound | No | Yes | No | Triggers when an attacker attempts to execute arbitrary commands through Webcom.se's rguest.exe or wguest.exe cgi-bin script. |
5045 WWW xterm Display Attack | Attack | Compound | No | Yes | No | Triggers when any cgi-bin script attempts to execute the command xterm -display. |
5050 WWW IIS .htr Overflow Attack | Attack | Compound | No | Yes | No | Triggers when an .htr buffer overrun attack is detected, indicating a possible attempt to execute remote commands or to cause a denial of service against the targeted Windows NT IIS server. |
5055 HTTP Basic Authentication Overflow | Attack | Compound | No | Yes | No | A buffer overflow can occur on vulnerable web servers if a very large username and password combination is used with Basic Authentication. |
5071 WWW msacds.dll Attack | Attack | Compound | No | Yes | No | An attempt has been made to execute commands or view secured files with privileged access. |
5081 WWW WinNT cmd.exe Access | Attack | Atomic | No | Yes | No | Triggers when the use of the Windows NT cmd.exe is detected in a URL. |
5090 WWW FrontPage htimage.exe Access | Attack | Atomic | No | Yes | No | Triggers when the FrontPage CGI program is accessed with a filename argument ending in 0,0. |
5114 WWW IIS Unicode Attack | Attack | Atomic | No | Yes | No | Triggers when an attempt to exploit the Unicode ../ directory traversal vulnerability is detected. |
5116 Endymion MailMan Remote Command Execution | Attack | Atomic | No | Yes | No | Endymion MailMan insecurely uses the Perl function open(), which allows user-supplied input containing shell metacharacters to be executed as shell commands with the privilege level of the CGI script. |
5117 phpGroupWare Remote Command Exec | Attack | Atomic | No | Yes | No | phpGroupWare is a multiuser groupware suite that is freely distributed. A problem in the software could allow users to remotely execute malicious code by exploiting a vulnerable include() command. |
5118 eWave ServletExec 3.0C File Upload | Attack | Atomic | No | Yes | No | Triggers on an attempt to reach UploadServlet, a servlet that ServletExec contains in its server-side classes; when it is reachable, it allows a remote user to upload files to the server. |
5123 WWW Host: Field Overflow | Attack | Atomic | No | Yes | No | This alarm fires if web traffic is detected sending an abnormally large GET request with a large Host field. |
6050 DNS HINFO Request | Info | Atomic | No | Yes | Yes | Triggers on an attempt to access HINFO records from a DNS server. |
6051 DNS Zone Transfer | Info | Atomic | No | Yes | Yes | Triggers on normal DNS zone transfers, in which the source port is 53. |
6052 DNS Zone Transfer from High Port | Attack | Atomic | No | Yes | Yes | Triggers on an illegitimate DNS zone transfer, in which the source port is not equal to 53. |
6053 DNS Request for All Records | Info | Compound | No | Yes | Yes | Triggers on a DNS request for all records. |
6054 DNS Version Request | Info | Compound | No | Yes | No | Triggers when a request for the version of a DNS server is detected. |
6055 DNS Inverse Query Buffer Overflow | Attack | Atomic | No | Yes | No | Triggers when an IQUERY request arrives with a data section that is larger than 255 characters. |
6056 DNS NXT Buffer Overflow | Attack | Compound | No | Yes | No | Triggers when a DNS server response arrives that has a long NXT resource in which the length of the resource data is greater than 2069 bytes or the length of the TCP stream containing the NXT resource is greater than 3000 bytes. |
6057 DNS SIG Buffer Overflow | Attack | Compound | No | Yes | No | Triggers when a DNS server response arrives that has a long SIG resource in which the length of the resource data is greater than 2069 bytes or the length of the TCP stream containing the SIG resource is greater than 3000 bytes. |
6062 DNS Authors Request | Info | Atomic | No | Yes | No | Triggers when a DNS query type TXT class CHAOS is detected with the string "Authors.Bind" (case-insensitive). |
6063 DNS Incremental Zone Transfer | Info | Atomic | No | Yes | No | Triggers when a DNS query type of 251 is detected. |
6100 RPC Port Registration | Info | Atomic | Yes | Yes | Yes | Triggers when attempts are made to register new RPC services on a target host. |
6101 RPC Port Unregistration | Info | Atomic | Yes | Yes | Yes | Triggers when attempts are made to unregister existing RPC services on a target host. |
6102 RPC Dump | Info | Atomic | Yes | Yes | Yes | Triggers when an RPC dump request is issued to a target host. |
6103 Proxied RPC Request | Attack | Atomic | Yes | Yes | Yes | Triggers when a proxied RPC request is sent to a target host's portmapper. |
6150 ypserv Portmap Request | Info | Atomic | Yes | Yes | Yes | Triggers when a request is made to the portmapper for the YP server daemon (ypserv) port. |
6151 ypbind Portmap Request | Info | Atomic | Yes | Yes | Yes | Triggers when a request is made to the portmapper for the YP bind daemon (ypbind) port. |
6152 yppasswdd Portmap Request | Info | Atomic | Yes | Yes | Yes | Triggers when a request is made to the portmapper for the YP password daemon (yppasswdd) port. |
6153 ypupdated Portmap Request | Info | Atomic | Yes | Yes | Yes | Triggers when a request is made to the portmapper for the YP update daemon (ypupdated) port. |
6154 ypxfrd Portmap Request | Info | Atomic | Yes | Yes | Yes | Triggers when a request is made to the portmapper for the YP transfer daemon (ypxfrd) port. |
6155 Mountd Portmap Request | Info | Atomic | Yes | Yes | Yes | Triggers when a request is made to the portmapper for the mount daemon (mountd) port. |
6175 rexd Portmap Request | Info | Atomic | Yes | Yes | Yes | Triggers when a request is made to the portmapper for the remote execution daemon (rexd) port. |
6180 rexd Attempt | Info | Atomic | Yes | Yes | Yes | Triggers when a call to the rexd program is made. The remote execution daemon is the server responsible for remote program execution. This might indicate an attempt to gain unauthorized access to system resources. |
6190 statd Buffer Overflow | Attack | Atomic | Yes | Yes | Yes | Triggers when a large statd request is sent. This could be an attempt to overflow a buffer and gain access to system resources. |
8000 FTP Retrieve Password File | Attack | Atomic | Yes | Yes | No | Triggers on the string passwd issued during an FTP session. Might indicate someone attempting to retrieve the password file from a machine to crack it and gain unauthorized access to system resources. |
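The atomic signatures in Table 13-2 are single-packet header checks, and most of them can be stated in a few lines once the IPv4 header is parsed. The following is an added example, not Cisco code and not the sensor's implementation: it re-implements the IP option (1000-1006), fragment (1100, 1102, 1104-1106), ICMP (2000-2012, 2150, 2151, 2154), TCP flag (3038-3043) and UDP (4050-4052) signatures as pure-Python checks over raw IPv4 datagrams, using the IDs and thresholds from the table. Two points go beyond the table and are assumptions of this example: 1106 is widened to the whole 224.0.0.0/4 multicast block rather than 224.x.x.x only, and 4050 is read as "the UDP length field disagrees with the length the IP header implies" in either direction. The "orphaned FIN" of 3039/3042 is approximated as FIN set with ACK clear. Strict source route is IP option 9. All packets are constructed inline for illustration; none are captures.

```python
# Added example, not Cisco code: the atomic IP, ICMP, TCP and UDP signatures
# of Table 13-2 as pure-Python checks over raw IPv4 packets. IDs and
# thresholds are the table's; the packets at the bottom are constructed.
import struct
from typing import Dict, List

IP_OPTION_SIGS = {7: 1001, 4: 1002, 2: 1003, 3: 1004, 8: 1005, 9: 1006}   # option number -> sig
ICMP_TYPE_SIGS = {0: 2000, 3: 2001, 4: 2002, 5: 2003, 8: 2004, 11: 2005, 12: 2006, 13: 2007,
                  14: 2008, 15: 2009, 16: 2010, 17: 2011, 18: 2012}          # ICMP type -> sig
SPOOFED_SRC = {b"\x7f\x00\x00\x01": 1104, b"\xff\xff\xff\xff": 1105}         # source address -> sig

def parse_ipv4(pkt: bytes) -> Dict:              # minimal header parser, checksum not verified
    if len(pkt) < 20:
        raise ValueError("truncated IPv4 header")
    vihl, _, total, _, frag, _, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (vihl & 0x0F) * 4
    return {"ihl": ihl, "total": total, "proto": proto, "mf": bool(frag & 0x2000),
            "offset": frag & 0x1FFF, "src": src, "dst": dst,
            "options": pkt[20:ihl], "payload": pkt[ihl:total]}

def ip_option_sigs(opts: bytes) -> List[int]:    # 1000-1006; a bad length byte is 1000
    sigs, i = [], 0
    while i < len(opts):
        kind = opts[i] & 0x1F                    # option number without copied/class bits
        if kind == 0:                            # End of Option List
            break
        if kind == 1:                            # NOP carries no length byte
            i += 1
            continue
        if i + 1 >= len(opts) or opts[i + 1] < 2 or i + opts[i + 1] > len(opts):
            sigs.append(1000)                    # missing, short or overrunning length
            break
        if kind in IP_OPTION_SIGS:
            sigs.append(IP_OPTION_SIGS[kind])
        i += opts[i + 1]
    return sigs

def check_packet(pkt: bytes) -> List[int]:
    """Return the signature IDs that fire for one IPv4 datagram."""
    ip = parse_ipv4(pkt)
    sigs = ip_option_sigs(ip["options"])
    fragmented = ip["mf"] or ip["offset"] > 0
    if 0 < ip["offset"] < 5:                     # 1100 IP Fragment Attack
        sigs.append(1100)
    if ip["src"] == ip["dst"]:                   # 1102 Impossible IP Packet (land)
        sigs.append(1102)
    if ip["src"] in SPOOFED_SRC:                 # 1104 localhost / 1105 broadcast source
        sigs.append(SPOOFED_SRC[ip["src"]])
    if 224 <= ip["src"][0] <= 239:               # 1106, widened to all of 224.0.0.0/4
        sigs.append(1106)
    if ip["proto"] == 1:                                            # ICMP
        if fragmented:                                              # 2150
            sigs.append(2150)
        if ip["total"] > 1024:                                      # 2151
            sigs.append(2151)
        if not ip["mf"] and ip["offset"] * 8 + (ip["total"] - ip["ihl"]) > 65535:
            sigs.append(2154)                                       # last fragment ends past 65,535
        if not fragmented and ip["payload"] and ip["payload"][0] in ICMP_TYPE_SIGS:
            sigs.append(ICMP_TYPE_SIGS[ip["payload"][0]])           # 2000-2012 by ICMP type
    elif ip["proto"] == 6 and ip["offset"] == 0 and len(ip["payload"]) >= 14:   # TCP header present
        dport = struct.unpack("!H", ip["payload"][2:4])[0]
        flags = ip["payload"][13]
        fin, syn, rst, ack = flags & 0x01, flags & 0x02, flags & 0x04, flags & 0x10
        if not (syn or fin or rst or ack):                          # 3038 / 3040 NULL
            sigs.append(3038 if ip["mf"] else 3040)
        if syn and fin:                                             # 3043 / 3041 SYN/FIN
            sigs.append(3043 if ip["mf"] else 3041)
        if fin and not ack and dport < 1024:                        # 3039 / 3042 orphaned FIN
            sigs.append(3039 if ip["mf"] else 3042)
    elif ip["proto"] == 17 and ip["offset"] == 0 and len(ip["payload"]) >= 8:    # UDP
        sport, dport, ulen = struct.unpack("!HHH", ip["payload"][:6])
        if ulen != len(ip["payload"]):                              # 4050 UDP Bomb: lengths disagree
            sigs.append(4050)
        if sport in (135, 7, 19) and dport == 135:                  # 4051 Snork
            sigs.append(4051)
        if sport == 7 and dport == 19:                              # 4052 Chargen DoS
            sigs.append(4052)
    return sigs

def build_ipv4(proto, payload, src=b"\x0a\x00\x00\x01", dst=b"\x0a\x00\x00\x02",
               options=b"", mf=False, offset=0) -> bytes:          # constructed datagram, checksum zero
    options += b"\x00" * (-len(options) % 4)     # pad the option list with EOL
    ihl = 5 + len(options) // 4
    frag = (0x2000 if mf else 0) | (offset & 0x1FFF)
    return struct.pack("!BBHHHBBH4s4s", 0x40 | ihl, 0, ihl * 4 + len(payload), 1, frag,
                       64, proto, 0, src, dst) + options + payload

def tcp(sport, dport, flags) -> bytes:           # bare 20-byte TCP header
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 8192, 0, 0)

def udp(sport, dport, data, length=None) -> bytes:   # length can be forged to provoke 4050
    return struct.pack("!HHHH", sport, dport, 8 + len(data) if length is None else length, 0) + data

ECHO = b"\x08\x00" + b"\x00" * 6                 # ICMP Echo Request header
SAMPLES = {                                      # constructed packets for the checks above
    "land":        build_ipv4(6, tcp(80, 80, 0x02), src=b"\x0a\x00\x00\x02"),
    "lsrr":        build_ipv4(1, ECHO, options=b"\x83\x07\x04\x0a\x00\x00\x09"),
    "bad_options": build_ipv4(1, ECHO, options=b"\x83\x00"),
    "pod":         build_ipv4(1, b"\x00" * 1000, offset=8100),
    "frag_synfin": build_ipv4(6, tcp(1025, 8080, 0x03), mf=True),
    "orphan_fin":  build_ipv4(6, tcp(1025, 22, 0x01)),
    "udp_bomb":    build_ipv4(17, udp(53, 53, b"abcd", length=3)),
}
```

`check_packet(SAMPLES["pod"])` returns `[2150, 2154]`: the datagram is a final fragment at offset 8100 (64,800 bytes) carrying 1,000 bytes, so it ends past 65,535 exactly as the 2154 description computes, and it is fragmented ICMP, so 2150 fires as well. Note that the TCP and UDP checks only look at the first fragment (offset 0), because that is the only fragment that carries the transport header; an evasion that splits the header across fragments would need the reassembly that the compound signature 1103 implies.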
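The Sendmail signatures 3101 through 3106 are compound: they need state across the lines of an SMTP session (which message a RCPT TO: belongs to, whether the sensor is inside the DATA headers). The following is an added example, not Cisco code, that tracks the client side of an SMTP session one line at a time and fires those six signatures with the table's conditions, including the 250-recipient default for 3106. The SMTP transcript at the bottom is constructed; server replies are omitted because the signatures only look at what the client sends.

```python
# Added example, not Cisco code: the compound Sendmail signatures 3101-3106
# of Table 13-2 as a small state machine fed the client side of an SMTP
# session one line at a time. Thresholds are the table's (3106 fires above
# 250 recipients by default); the session at the bottom is constructed.
import re
from typing import List, Tuple

DECODE_ALIAS = re.compile(r":\s*<?decode@", re.IGNORECASE)   # ": decode@" in a header or envelope line

class SmtpSignatureTracker:
    def __init__(self, max_rcpt: int = 250):
        self.max_rcpt = max_rcpt
        self._reset_message()

    def _reset_message(self) -> None:
        self.rcpt_count = 0          # RCPT TO lines seen for the current message (3106)
        self.in_data = False         # between DATA and the terminating "."
        self.in_headers = False      # header block of the message body
        self.spam_fired = False      # 3106 fires once per message

    def feed_line(self, line: str) -> List[int]:
        """Feed one client line without CRLF; return the signatures it fires."""
        sigs: List[int] = []
        if self.in_data:
            if line == ".":                              # end of message
                self._reset_message()
            elif self.in_headers and line == "":         # blank line ends the headers
                self.in_headers = False
            elif self.in_headers and DECODE_ALIAS.search(line):
                sigs.append(3105)                        # decode alias in a header
            return sigs
        verb, _, arg = line.partition(" ")
        verb = verb.upper()
        if DECODE_ALIAS.search(line):                    # 3105 also covers RCPT TO:<decode@...>
            sigs.append(3105)
        if verb == "MAIL" and "|" in arg:                # 3102 pipe in sender
            sigs.append(3102)
        elif verb == "RCPT":
            if "|" in arg:                               # 3101 pipe in recipient
                sigs.append(3101)
            self.rcpt_count += 1
            if self.rcpt_count > self.max_rcpt and not self.spam_fired:
                self.spam_fired = True
                sigs.append(3106)                        # 3106 Mail Spam
        elif verb in ("EXPN", "VRFY"):                   # 3103 reconnaissance
            sigs.append(3103)
        elif verb in ("WIZ", "DEBUG"):                   # 3104 archaic attacks
            sigs.append(3104)
        elif verb == "DATA":
            self.in_data = self.in_headers = True
        elif verb == "RSET":
            self._reset_message()
        return sigs

def scan_session(lines: List[str]) -> List[Tuple[int, int]]:
    """Run a whole client transcript; return (line number, signature) pairs."""
    tracker, hits = SmtpSignatureTracker(), []
    for number, line in enumerate(lines, 1):
        hits.extend((number, sig) for sig in tracker.feed_line(line))
    return hits

# Constructed client transcript (server replies omitted); 251 recipients in the last message
SESSION = [
    "HELO mail.example.test",
    "VRFY root",
    "MAIL FROM:<|/usr/bin/sh attacker@example.test>",
    "RCPT TO:<|/bin/mail attacker@example.test>",
    "RCPT TO:<decode@victim.example.test>",
    "DATA",
    "From: attacker@example.test",
    "To: decode@victim.example.test",
    "",
    "begin 644 evil",
    ".",
    "WIZ",
    "MAIL FROM:<bulk@example.test>",
] + [f"RCPT TO:<user{i}@example.test>" for i in range(251)] + ["RSET"]

if __name__ == "__main__":
    for number, sig in scan_session(SESSION):
        print(f"line {number}: {sig}  {SESSION[number - 1]}")
```

Running it reports 3103 on the VRFY, 3102 and 3101 on the piped sender and recipient, 3105 twice (once on the envelope RCPT TO:, once on the To: header), 3104 on WIZ, and 3106 once, on the 251st RCPT TO: of the bulk message. The recipient counter is reset at the end of each message and on RSET, which is why a sender can still stay under the threshold by splitting a mailing into several messages; 3106 is a per-message limit, not a per-session one.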
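The DNS signatures 6050 through 6063 key on the question section of a query (query type, class and name) and, for 6051 and 6052, on the transport source port. The following is an added example, not Cisco code and not the sensor's parser: it decodes the first question of a DNS message and fires 6050 (HINFO), 6051/6052 (AXFR from port 53 or from any other port), 6053 (ANY), 6054 and 6062 (TXT CHAOS queries for version.bind and authors.bind, matched case-insensitively as the table states for 6062), and 6063 (IXFR, query type 251). The queries are constructed inline; the source port is an argument because it is not part of the DNS message itself. The buffer-overflow signatures 6055-6057 look at response records and inverse-query data rather than the question, and are outside this example.

```python
# Added example, not Cisco code: the DNS query-side signatures 6050-6054,
# 6062 and 6063 of Table 13-2 as checks over the question section of a DNS
# message. 6051/6052 key on the transport source port, so it is passed in
# alongside the message; the queries at the bottom are constructed.
import struct
from typing import List, Tuple

QTYPE_HINFO, QTYPE_TXT, QTYPE_IXFR, QTYPE_AXFR, QTYPE_ANY = 13, 16, 251, 252, 255
QCLASS_CHAOS = 3

def parse_question(msg: bytes) -> Tuple[int, str, int, int]:
    """Return (opcode, qname, qtype, qclass) of the first question."""
    if len(msg) < 12:
        raise ValueError("truncated DNS header")
    _, flags, qdcount, _, _, _ = struct.unpack("!HHHHHH", msg[:12])
    if qdcount < 1:
        raise ValueError("no question section")
    labels, i = [], 12
    while True:
        n = msg[i]
        i += 1
        if n == 0:                                   # root label ends the name
            break
        if n & 0xC0:                                 # pointers are not expected in a question name
            raise ValueError("compressed question name")
        labels.append(msg[i:i + n].decode("ascii", "replace"))
        i += n
    qtype, qclass = struct.unpack("!HH", msg[i:i + 4])
    return (flags >> 11) & 0x0F, ".".join(labels), qtype, qclass

def dns_query_sigs(msg: bytes, src_port: int) -> List[int]:
    """Signatures fired by one DNS query arriving from src_port."""
    _opcode, qname, qtype, qclass = parse_question(msg)
    sigs: List[int] = []
    if qtype == QTYPE_HINFO:                         # 6050 HINFO request
        sigs.append(6050)
    if qtype == QTYPE_AXFR:                          # 6051 from port 53, 6052 from any other port
        sigs.append(6051 if src_port == 53 else 6052)
    if qtype == QTYPE_ANY:                           # 6053 request for all records
        sigs.append(6053)
    if qtype == QTYPE_TXT and qclass == QCLASS_CHAOS:
        name = qname.lower()                         # both names are matched case-insensitively
        if name == "version.bind":                   # 6054 DNS Version Request
            sigs.append(6054)
        elif name == "authors.bind":                 # 6062 DNS Authors Request
            sigs.append(6062)
    if qtype == QTYPE_IXFR:                          # 6063 incremental zone transfer
        sigs.append(6063)
    return sigs

def build_query(qname: str, qtype: int, qclass: int = 1, txid: int = 0x1234) -> bytes:
    """Constructed standard query (opcode 0, RD set) with a single question."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    name = b"".join(bytes([len(label)]) + label.encode("ascii") for label in qname.split(".")) + b"\x00"
    return header + name + struct.pack("!HH", qtype, qclass)

# Constructed queries paired with the port they arrive from
SAMPLES = {
    "axfr_from_53":   (build_query("example.test", QTYPE_AXFR), 53),
    "axfr_high_port": (build_query("example.test", QTYPE_AXFR), 40123),
    "ixfr":           (build_query("example.test", QTYPE_IXFR), 40123),
    "any":            (build_query("example.test", QTYPE_ANY), 40123),
    "version":        (build_query("VERSION.BIND", QTYPE_TXT, QCLASS_CHAOS), 40123),
    "authors":        (build_query("Authors.Bind", QTYPE_TXT, QCLASS_CHAOS), 40123),
    "hinfo":          (build_query("host.example.test", QTYPE_HINFO), 40123),
    "plain_a":        (build_query("www.example.test", 1), 40123),
}

if __name__ == "__main__":
    for name, (msg, port) in SAMPLES.items():
        print(f"{name:15s} -> {dns_query_sigs(msg, port)}")
```

The only difference between 6051 and 6052 is the source port, so the same AXFR message produces `[6051]` when passed with port 53 and `[6052]` with port 40123; on a real sensor that distinction is what separates a secondary server's scheduled transfer from a reconnaissance tool pulling the zone from an ephemeral port. Since CHAOS-class TXT queries have no legitimate use on a public resolver, 6054 and 6062 can usually be treated as more than informational in practice even though the table rates them Info.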
You can also access interactive information about each signature using the following resources:
You can point a web browser directly to the Network Security Database maintained on the CiscoWorks VMS server. Use the URL https://vms-server/vms/nsdb/html/all_sigs_index.html, where vms-server is the server's IP address.