Cisco IDS Signatures

[ LiB ]  

Cisco IDS signatures are the instructions and rulesets that the IDS uses to detect and respond to malicious activity on the network. Signature classes define signatures based on the goal of the attacker, whereas signature types are determined by the type of network traffic involved. In Chapter 2, "Introduction to Network Security," we introduced and described different attack types and the ways to mitigate the risks introduced by these attacks. In this chapter, you will see that the Cisco signature series addresses a full range of attack types from simple Internet Control Message Protocol (ICMP)-based port scans to notorious distributed denial-of-service (DDoS) attacks such as the Trojan Tribal Flood Network 2000 (TFN2K). This latter attack type turns innocent hosts into " zombies " that join and uphold the escalating attack by performing traffic floods.

The most critical attack signatures are enabled by default. This defined set of built-in signatures is fixed; you cannot add to or delete from the list of built-in signatures, nor can the signatures in this group be renamed . However, you can and should tune these signatures to your specific network environment and the unique threats that it faces. In cases where signature tuning still does not fulfill the specific intrusion-detection requirements of your network, you can configure custom signatures based on Cisco's signature engines . (Signature tuning is discussed in Chapter 10, "Global Sensing and Signature Configuration.") Custom signatures are signatures that you create which are not a part of the suite of built-in, or default, signatures. Signature engines are the configuration component that provide the structure and framework for you to create your custom signatures.

Some signatures are divided into subcategories called subsignatures. When changes are made to a subsignature, they only apply to the subsignature's parameters.


For a full reference to all the parameters for the Cisco Signature Engines, refer to the appendix available at the Web site

Again, there is no escaping the tedious task of knowing the signature engine categories and their related parameters. You aren't expected to memorize this material, but you are expected to thoroughly research the topics using reference materials such as the online reference mentioned in the preceding note, as well as the multitude of resources available for aspiring and experienced hackers. (See the section "Need to Know More?" at the end of this chapter for more resources.)

A strong command of all signature engine categories is an imperative component of your exam preparation, as are an awareness and understanding of their key parameters. We will make these tasks easier for you by going through each of the signature engine categories and highlighting their key parameters, emphasizing the key points that you need to master for the 642-531 exam.

Signature Characteristics and Features

The next sections describe the Cisco IDS signatures' features and characteristics.

Alarm Summarization and Threshold Configuration

Alarm summarization can limit the number of times an alarm is fired by aggregating alarms when the signature is triggered, thus lightening the load for your network's first line of support staff. You configure alarm summarization by tuning the AlarmThrottle and ChokeThreshold master signature engine parameters so that the signature is optimized to your network environment.

Anti-Evasive Techniques

Anti-evasive techniques include antideobfuscation and IP fragment inspection. You can configure antideobfuscation with the Service.HTTP signature engines, described in the corresponding section later in this chapter, and you can configure IP fragment inspection through the Sensor's IP Fragment Reassembly options.

Regular Expression String Pattern Matching

The flexibility and robustness of regular expression (Regex) syntax allow you to articulate patterns of text to use for pattern matching.


The Regex tool is not Cisco proprietary and can be useful for many other aspects of computing.

So whether you want to search for specific files accessed on the Internet or certain username and password combinations, Regex is the tool that allows you to explicitly define your search rules. Table 9.1 lists the IDS regular expression syntax.

Table 9.1. Regex Syntax





Question mark

Repeat 0 or 1 times


Star, asterisk

Repeat 0 or more times



Repeat 1 or more times



Repeat exactly x times


Minimum quantifier

Repeat at least x times



Any one character except new line ( 0x0A )


Character class

Any character listed


Negated character class

Any character not listed


Range character class

Any character listed in the inclusion range



Used to limit the scope of other metacharacters

Alternation, or

Matches either expression it separates



The beginning of the line


Escaped character

When char is a metacharacter or not, matches the literal char



When char is not a metacharacter, matches the literal char


Carriage return

Matches the carriage return character ( 0x0d )


New line

Matches the new line character ( 0x0A )



Matches the tab character ( 0x09 )


Form feed

Matches the form feed character ( 0x0C )


Escaped hexadecimal character

Matches the character with the hexadecimal code 0xNN(0<=N<F)


Escaped octal character

Matches the character with the hexadecimal code 0xNN (0<=N<=8)

The examples of Regex syntax listed in Table 9.2 show how you can use Regex to specify patterns of text.

Table 9.2. Examples of Regex Syntax

To Match

Regular Expression


Kris t ina

Kristina or kristina


Variations of manalo, mananalo, manananalo


The words meet and London or london on the same line with anything except a new line between them


Either London or Amsterdam


Either noon or soon



To search for the text pattern kristina or Kristina, use the Regex syntax [Kk]ristina .

Response Actions

You can configure a signature to respond to a trigger with one of four responses:

  • Perform a Transmission Control Protocol (TCP) reset

  • Start an IP log session

  • Block (or shun) a host

  • Block (or shun) a connection

You configure the response using the EventAction master signature parameter.


Remember that the four responses to a signature trigger are to perform a TCP reset, to start an IP log session, to block a host, or to block a connection.

[ LiB ]  

CSIDS Exam Cram 2 (Exam 642-531)
CSIDS Exam Cram 2 (Exam 642-531)
Year: 2004
Pages: 213 © 2008-2017.
If you may any questions please contact us: