A
Cisco Intrusion Detection System Signature Structures and Implementations
Cisco Secure Intrusion Detection System 2.1
Copyright 2001, Cisco Systems, Inc.

| CIDS Signature ID | CIDS Sub Signature ID | CIDS Signature Name | CIDS Signature Structure | CIDS Signature Implementation |
|---|---|---|---|---|
| 1000 | 0 | IP options-Bad Option List | ATOMIC | CONTEXT |
| 1001 | 0 | IP options-Record Packet Route | ATOMIC | CONTEXT |
| 1002 | 0 | IP options-Timestamp | ATOMIC | CONTEXT |
| 1003 | 0 | IP options-Provide s, c, h, and tcc | ATOMIC | CONTEXT |
| 1004 | 0 | IP options-Loose Source Route | ATOMIC | CONTEXT |
| 1005 | 0 | IP options-SATNET ID | ATOMIC | CONTEXT |
| 1006 | 0 | IP options-Strict Source Route | ATOMIC | CONTEXT |
| 1100 | 0 | IP Fragment Attack | ATOMIC | CONTEXT |
| 1101 | 0 | Unknown IP Protocol | ATOMIC | CONTEXT |
| 1102 | 0 | Impossible IP Packet | ATOMIC | CONTENT |
| 1103 | 0 | IP Fragments Overlap | COMPOSITE | CONTEXT |
| 1104 | 0 | IP Localhost Source Spoof | ATOMIC | CONTENT |
| 1105 | 0 | Broadcast Source Address | ATOMIC | CONTENT |
| 1106 | 0 | Multicast Ip Source Address | ATOMIC | CONTENT |
| 1200 | 0 | IP Fragmentation Buffer Full | ATOMIC | CONTENT |
| 1201 | 0 | IP Fragment Overlap | ATOMIC | CONTENT |
| 1202 | 0 | IP Fragment Overrun - Datagram Too Long | ATOMIC | CONTENT |
| 1203 | 0 | IP Fragment Overwrite - Data is Overwritten | ATOMIC | CONTENT |
| 1204 | 0 | IP Fragment Missing Initial Fragment | ATOMIC | CONTENT |
| 1205 | 0 | IP Fragment Too Many Datagrams | ATOMIC | CONTENT |
| 1206 | 0 | IP Fragment Too Small | ATOMIC | CONTENT |
| 1207 | 0 | IP Fragment Too Many Frags | ATOMIC | CONTENT |
| 1208 | 0 | IP Fragment Incomplete Datagram | ATOMIC | CONTENT |
| 1220 | 0 | Jolt2 Fragment Reassembly DoS attack | COMPOSITE | CONTENT |
| 2000 | 0 | ICMP Echo Reply | ATOMIC | CONTEXT |
| 2001 | 0 | ICMP Host Unreachable | ATOMIC | CONTEXT |
| 2002 | 0 | ICMP Source Quench | ATOMIC | CONTEXT |
| 2003 | 0 | ICMP Redirect | ATOMIC | CONTEXT |
| 2004 | 0 | ICMP Echo Request | ATOMIC | CONTEXT |
| 2005 | 0 | ICMP Time Exceeded for a Datagram | ATOMIC | CONTEXT |
| 2006 | 0 | ICMP Parameter Problem on Datagram | ATOMIC | CONTEXT |
| 2007 | 0 | ICMP Timestamp Request | ATOMIC | CONTEXT |
| 2008 | 0 | ICMP Timestamp Reply | ATOMIC | CONTEXT |
| 2009 | 0 | ICMP Information Request | ATOMIC | CONTEXT |
| 2010 | 0 | ICMP Information Reply | ATOMIC | CONTEXT |
| 2011 | 0 | ICMP Address Mask Request | ATOMIC | CONTEXT |
| 2012 | 0 | ICMP Address Mask Reply | ATOMIC | CONTEXT |
| 2100 | 0 | ICMP Network Sweep w/Echo | COMPOSITE | CONTEXT |
| 2101 | 0 | ICMP Network Sweep w/Timestamp | COMPOSITE | CONTEXT |
| 2102 | 0 | ICMP Network Sweep w/Address Mask | COMPOSITE | CONTEXT |
| 2150 | 0 | Fragmented ICMP Traffic | ATOMIC | CONTEXT |
| 2151 | 0 | Large ICMP Traffic | ATOMIC | CONTEXT |
| 2152 | 0 | ICMP Flood | COMPOSITE | CONTEXT |
| 2153 | 0 | Smurf | COMPOSITE | CONTEXT |
| 2154 | 0 | Ping of Death Attack | ATOMIC | CONTEXT |
| 3000 | 0 | TCP Ports | ATOMIC | CONTEXT |
| 3001 | 0 | TCP Port Sweep | COMPOSITE | CONTEXT |
| 3002 | 0 | TCP SYN Port Sweep | COMPOSITE | CONTEXT |
| 3003 | 0 | TCP Frag SYN Port Sweep | COMPOSITE | CONTEXT |
| 3005 | 0 | TCP FIN Port Sweep | COMPOSITE | CONTEXT |
| 3006 | 0 | TCP Frag FIN Port Sweep | COMPOSITE | CONTEXT |
| 3010 | 0 | TCP High Port Sweep | COMPOSITE | CONTEXT |
| 3011 | 0 | TCP FIN High Port Sweep | COMPOSITE | CONTEXT |
| 3012 | 0 | TCP Frag FIN High Port Sweep | COMPOSITE | CONTEXT |
| 3015 | 0 | TCP Null Port Sweep | COMPOSITE | CONTEXT |
| 3016 | 0 | TCP Frag Null Port Sweep | COMPOSITE | CONTEXT |
| 3020 | 0 | TCP SYN FIN Port Sweep | COMPOSITE | CONTEXT |
| 3021 | 0 | TCP Frag SYN FIN Port Sweep | COMPOSITE | CONTEXT |
| 3030 | 0 | TCP SYN Host Sweep | COMPOSITE | CONTEXT |
| 3031 | 0 | TCP FRAG SYN Host Sweep | COMPOSITE | CONTEXT |
| 3032 | 0 | TCP FIN Host Sweep | COMPOSITE | CONTEXT |
| 3033 | 0 | TCP FRAG FIN Host Sweep | COMPOSITE | CONTEXT |
| 3034 | 0 | TCP NULL Host Sweep | COMPOSITE | CONTEXT |
| 3035 | 0 | TCP FRAG NULL Host Sweep | COMPOSITE | CONTEXT |
| 3036 | 0 | TCP SYN FIN Host Sweep | COMPOSITE | CONTEXT |
| 3037 | 0 | TCP FRAG SYN FIN Host Sweep | COMPOSITE | CONTEXT |
| 3038 | 0 | Fragmented NULL TCP Packet | ATOMIC | CONTEXT |
| 3039 | 0 | Fragmented Orphaned FIN packet | ATOMIC | CONTEXT |
| 3040 | 0 | NULL TCP Packet | ATOMIC | CONTEXT |
| 3041 | 0 | SYN/FIN Packet | ATOMIC | CONTEXT |
| 3042 | 0 | Orphaned Fin Packet | ATOMIC | CONTEXT |
| 3043 | 0 | Fragmented SYN/FIN Packet | ATOMIC | CONTENT |
| 3045 | 0 | Queso Sweep | COMPOSITE | CONTEXT |
| 3050 | 0 | Half-open SYN Attack | COMPOSITE | CONTEXT |
| 3100 | 0 | Smail Attack | COMPOSITE | CONTENT |
| 3101 | 0 | Sendmail Invalid Recipient | COMPOSITE | CONTENT |
| 3102 | 0 | Sendmail Invalid Sender | COMPOSITE | CONTENT |
| 3103 | 0 | Sendmail Reconnaissance | COMPOSITE | CONTENT |
| 3104 | 0 | Archaic Sendmail Attacks | COMPOSITE | CONTENT |
| 3105 | 0 | Sendmail Decode Alias | COMPOSITE | CONTENT |
| 3106 | 0 | Mail Spam | COMPOSITE | CONTEXT |
| 3107 | 0 | Majordomo Execute Attack | COMPOSITE | CONTENT |
| 3108 | 0 | MIME Overflow Bug | COMPOSITE | CONTENT |
| 3109 | 0 | Q-Mail Length Crash | COMPOSITE | CONTENT |
| 3110 | 0 | Suspicious Mail Attachment | COMPOSITE | CONTENT |
| 3150 | 0 | FTP Remote Command Execution | COMPOSITE | CONTENT |
| 3151 | 0 | FTP SYST Command Attempt | COMPOSITE | CONTENT |
| 3152 | 0 | FTP CWD ~root | COMPOSITE | CONTENT |
| 3153 | 0 | FTP Improper Address Specified | ATOMIC | CONTENT |
| 3154 | 0 | FTP Improper Port Specified | ATOMIC | CONTENT |
| 3155 | 0 | FTP RETR Pipe Filename Command Execution | ATOMIC | CONTENT |
| 3156 | 0 | FTP STOR Pipe Filename Command Execution | ATOMIC | CONTENT |
| 3157 | 0 | FTP PASV Port Spoof | COMPOSITE | CONTENT |
| 3200 | 0 | WWW Phf Attack | COMPOSITE | CONTENT |
| 3201 | 0 | WWW General cgi-bin Attack | COMPOSITE | CONTENT |
| 3202 | 0 | WWW .url File Requested | COMPOSITE | CONTENT |
| 3203 | 0 | WWW .lnk File Requested | COMPOSITE | CONTENT |
| 3204 | 0 | WWW .bat File Requested | COMPOSITE | CONTENT |
| 3205 | 0 | HTML File Has .url Link | COMPOSITE | CONTENT |
| 3206 | 0 | HTML File Has .lnk Link | COMPOSITE | CONTENT |
| 3207 | 0 | HTML File Has .bat Link | COMPOSITE | CONTENT |
| 3208 | 0 | WWW campas Attack | COMPOSITE | CONTENT |
| 3209 | 0 | WWW Glimpse Server Attack | COMPOSITE | CONTENT |
| 3210 | 0 | WWW IIS View Source Attack | COMPOSITE | CONTENT |
| 3211 | 0 | WWW IIS Hex View Source Attack | COMPOSITE | CONTENT |
| 3212 | 0 | WWW NPH-TEST-CGI Attack | COMPOSITE | CONTENT |
| 3213 | 0 | WWW TEST-CGI Attack | COMPOSITE | CONTENT |
| 3214 | 0 | IIS DOT DOT VIEW Attack | COMPOSITE | CONTENT |
| 3215 | 0 | IIS DOT DOT EXECUTE Attack | COMPOSITE | CONTENT |
| 3216 | 0 | IIS Dot Dot Crash Attack | COMPOSITE | CONTENT |
| 3217 | 0 | WWW php View File Attack | COMPOSITE | CONTENT |
| 3218 | 0 | WWW SGI Wrap Attack | COMPOSITE | CONTENT |
| 3219 | 0 | WWW PHP Buffer Overflow | COMPOSITE | CONTENT |
| 3220 | 0 | IIS Long URL Crash Bug | COMPOSITE | CONTENT |
| 3221 | 0 | WWW cgi-viewsource Attack | COMPOSITE | CONTENT |
| 3222 | 0 | WWW PHP Log Scripts Read Attack | COMPOSITE | CONTENT |
| 3223 | 0 | WWW IRIX cgi-handler Attack | COMPOSITE | CONTENT |
| 3224 | 0 | HTTP WebGais | COMPOSITE | CONTENT |
| 3225 | 0 | HTTP Gais Websendmail | COMPOSITE | CONTENT |
| 3226 | 0 | WWW Webdist Bug | COMPOSITE | CONTENT |
| 3227 | 0 | WWW Htmlscript Bug | COMPOSITE | CONTENT |
| 3228 | 0 | WWW Performer Bug | COMPOSITE | CONTENT |
| 3229 | 0 | Website Win-C-Sample Buffer Overflow | COMPOSITE | CONTENT |
| 3230 | 0 | Website Uploader | COMPOSITE | CONTENT |
| 3231 | 0 | Novell convert | COMPOSITE | CONTENT |
| 3232 | 0 | WWW finger attempt | COMPOSITE | CONTENT |
| 3233 | 0 | WWW count-cgi Overflow | COMPOSITE | CONTEXT |
| 3250 | 0 | TCP Hijack | COMPOSITE | CONTEXT |
| 3251 | 0 | TCP Hijacking Simplex Mode | COMPOSITE | CONTEXT |
| 3300 | 0 | NetBIOS OOB Data | ATOMIC | CONTEXT |
| 3301 | 0 | NETBIOS Stat | ATOMIC | CONTENT |
| 3302 | 0 | NETBIOS Session Setup Failure | ATOMIC | CONTEXT |
| 3303 | 0 | Windows Guest Login | ATOMIC | CONTENT |
| 3304 | 0 | Windows Null Account Name | ATOMIC | CONTENT |
| 3305 | 0 | Windows Password File Access | ATOMIC | CONTENT |
| 3306 | 0 | Windows Registry Access | ATOMIC | CONTENT |
| 3307 | 0 | Windows Redbutton Attack | COMPOSITE | CONTENT |
| 3308 | 0 | Windows LSARPC Access | ATOMIC | CONTENT |
| 3309 | 0 | Windows SRVSVC Access | ATOMIC | CONTENT |
| 3400 | 0 | Sunkill | COMPOSITE | CONTENT |
| 3401 | 0 | Telnet-IFS Match | COMPOSITE | CONTENT |
| 3450 | 0 | Finger Bomb | ATOMIC | CONTENT |
| 3500 | 0 | Rlogin -froot Attack | COMPOSITE | CONTENT |
| 3525 | 0 | IMAP Authenticate Buffer Overflow | COMPOSITE | CONTENT |
| 3526 | 0 | Imap Login Buffer Overflow | COMPOSITE | CONTENT |
| 3530 | 0 | Cisco Secure ACS Oversized TACACS+ Attack | ATOMIC | CONTENT |
| 3540 | 0 | Cisco Secure ACS CSAdmin Attack | ATOMIC | CONTEXT |
| 3550 | 0 | POP Buffer Overflow | COMPOSITE | CONTENT |
| 3575 | 0 | INN Buffer Overflow | COMPOSITE | CONTEXT |
| 3576 | 0 | INN Control Message Exploit | COMPOSITE | CONTENT |
| 3600 | 0 | IOS Telnet Buffer Overflow | COMPOSITE | CONTENT |
| 3601 | 0 | IOS Command History Exploit | COMPOSITE | CONTENT |
| 3602 | 0 | Cisco IOS Identity | ATOMIC | CONTENT |
| 3603 | 0 | IOS Enable Bypass | COMPOSITE | CONTENT |
| 3650 | 0 | SSH RSAREF2 Buffer Overflow | COMPOSITE | CONTEXT |
| 3990 | 0 | BackOrifice BO2K TCP Non Stealth | COMPOSITE | CONTENT |
| 3991 | 0 | BackOrifice BO2K TCP Stealth 1 | COMPOSITE | CONTENT |
| 3992 | 0 | BackOrifice BO2K TCP Stealth 2 | COMPOSITE | CONTENT |
| 4000 | 0 | UDP Packet | ATOMIC | CONTEXT |
| 4001 | 0 | UDP Port Sweep | COMPOSITE | CONTEXT |
| 4002 | 0 | UDP Flood | COMPOSITE | CONTEXT |
| 4050 | 0 | UDP Bomb | ATOMIC | CONTEXT |
| 4051 | 0 | Snork | ATOMIC | CONTEXT |
| 4052 | 0 | Chargen DoS | ATOMIC | CONTEXT |
| 4053 | 0 | Back Orifice | COMPOSITE | CONTENT |
| 4054 | 0 | RIP Trace | ATOMIC | CONTENT |
| 4055 | 0 | BackOrifice BO2K UDP | COMPOSITE | CONTENT |
| 4100 | 0 | Tftp Passwd File | COMPOSITE | CONTENT |
| 4150 | 0 | Ascend Denial of Service | COMPOSITE | CONTENT |
| 4600 | 0 | IOS UDP Bomb | COMPOSITE | CONTEXT |
| 5034 | 0 | WWW IIS newdsn attack | COMPOSITE | CONTENT |
| 5035 | 0 | HTTP cgi HylaFAX Faxsurvey | COMPOSITE | CONTENT |
| 5036 | 0 | WWW Windows Password File Access Attempt | COMPOSITE | CONTENT |
| 5037 | 0 | WWW SGI MachineInfo Attack | COMPOSITE | CONTENT |
| 5038 | 0 | WWW wwwsql file read Bug | COMPOSITE | CONTENT |
| 5039 | 0 | WWW finger attempt | COMPOSITE | CONTENT |
| 5040 | 0 | WWW Perl Interpreter Attack | COMPOSITE | CONTENT |
| 5041 | 0 | WWW anyform attack | COMPOSITE | CONTENT |
| 5042 | 0 | WWW CGI Valid Shell Access | COMPOSITE | CONTENT |
| 5043 | 0 | WWW Cold Fusion Attack | COMPOSITE | CONTENT |
| 5044 | 0 | WWW Webcom.se Guestbook attack | COMPOSITE | CONTENT |
| 5045 | 0 | WWW xterm display attack | COMPOSITE | CONTENT |
| 5046 | 0 | WWW dumpenv.pl recon | COMPOSITE | CONTENT |
| 5047 | 0 | WWW Server Side Include POST attack | COMPOSITE | CONTENT |
| 5048 | 0 | WWW IIS BAT EXE attack | COMPOSITE | CONTENT |
| 5049 | 0 | WWW IIS showcode.asp access | COMPOSITE | CONTENT |
| 5050 | 0 | WWW IIS .htr Overflow Attack | COMPOSITE | CONTENT |
| 5051 | 0 | IIS Double Byte Code Page | ATOMIC | CONTENT |
| 5052 | 0 | FrontPage Extensions PWD Open Attempt | ATOMIC | CONTENT |
| 5053 | 0 | FrontPage _vti_bin Directory List Attempt | ATOMIC | CONTENT |
| 5054 | 0 | WWWBoard Password | ATOMIC | CONTENT |
| 5055 | 0 | HTTP Basic Authentication Overflow | COMPOSITE | CONTENT |
| 5056 | 0 | WWW Cisco IOS %% DoS | COMPOSITE | CONTENT |
| 5057 | 0 | WWW Sambar Samples | COMPOSITE | CONTENT |
| 5058 | 0 | WWW info2www Attack | COMPOSITE | CONTENT |
| 5059 | 0 | WWW Alibaba Attack | COMPOSITE | CONTENT |
| 5060 | 0 | WWW Excite AT-generate.cgi Access | COMPOSITE | CONTENT |
| 5061 | 0 | WWW catalog_type.asp Access | COMPOSITE | CONTENT |
| 5062 | 0 | WWW classifieds.cgi Attack | COMPOSITE | CONTENT |
| 5063 | 0 | WWW dmblparser.exe Access | COMPOSITE | CONTENT |
| 5064 | 0 | WWW imagemap.cgi Attack | COMPOSITE | CONTENT |
| 5065 | 0 | WWW IRIX infosrch.cgi Attack | COMPOSITE | CONTENT |
| 5066 | 0 | WWW man.sh Access | COMPOSITE | CONTENT |
| 5067 | 0 | WWW plusmail Attack | COMPOSITE | CONTENT |
| 5068 | 0 | WWW formmail.pl Access | COMPOSITE | CONTENT |
| 5069 | 0 | WWW whois_raw.cgi Attack | COMPOSITE | CONTENT |
| 5070 | 0 | WWW msadcs.dll Access | COMPOSITE | CONTENT |
| 5071 | 0 | WWW msacds.dll Attack | COMPOSITE | CONTENT |
| 5072 | 0 | WWW bizdb1-search.cgi Attack | COMPOSITE | CONTENT |
| 5073 | 0 | WWW EZshopper loadpage.cgi Attack | COMPOSITE | CONTENT |
| 5074 | 0 | WWW EZshopper search.cgi Attack | COMPOSITE | CONTENT |
| 5075 | 0 | WWW IIS Virtualized UNC Bug | COMPOSITE | CONTENT |
| 5076 | 0 | WWW webplus bug | COMPOSITE | CONTENT |
| 5077 | 0 | WWW Excite AT-admin.cgi Access | COMPOSITE | CONTENT |
| 5078 | 0 | WWW Piranha passwd attack | COMPOSITE | CONTENT |
| 5079 | 0 | WWW PCCS MySQL Admin Access | ATOMIC | CONTENT |
| 5080 | 0 | WWW IBM WebSphere Access | ATOMIC | CONTENT |
| 5081 | 0 | WWW WinNT cmd.exe Access | ATOMIC | CONTENT |
| 5082 | 0 | WWW Roxen %00 Access | ATOMIC | CONTENT |
| 5083 | 0 | WWW Virtual Vision FTP Browser Access | ATOMIC | CONTENT |
| 5084 | 0 | WWW Alibaba Attack 2 | ATOMIC | CONTENT |
| 5085 | 0 | WWW IIS Source Fragment Access | ATOMIC | CONTENT |
| 5086 | 0 | WWW WEBactive Logfile Access | ATOMIC | CONTENT |
| 5087 | 0 | WWW Sun Java Server Access | ATOMIC | CONTENT |
| 5088 | 0 | WWW Akopia MiniVend Access | ATOMIC | CONTENT |
| 5089 | 0 | WWW Big Brother Directory Access | ATOMIC | CONTENT |
| 5090 | 0 | WWW FrontPage htimage.exe Access | ATOMIC | CONTENT |
| 5091 | 0 | WWW Cart32 Remote Admin Access | COMPOSITE | CONTENT |
| 5092 | 0 | WWW CGI-World Poll It Access | ATOMIC | CONTENT |
| 5093 | 0 | WWW PHP-Nuke admin.php3 Access | ATOMIC | CONTENT |
| 5095 | 0 | WWW CGI Script Center Account Manager Attack | ATOMIC | CONTENT |
| 5096 | 0 | WWW CGI Script Center Subscribe Me Attack | ATOMIC | CONTENT |
| 5097 | 0 | WWW FrontPage MS-DOS Device Attack | COMPOSITE | CONTENT |
| 5099 | 0 | WWW GWScripts News Publisher Access | ATOMIC | CONTENT |
| 5100 | 0 | WWW CGI Center Auction Weaver File Access | ATOMIC | CONTENT |
| 5101 | 0 | WWW CGI Center Auction Weaver Attack | ATOMIC | CONTENT |
| 5102 | 0 | WWW phpPhotoAlbum explorer.php Access | ATOMIC | CONTENT |
| 5103 | 0 | WWW SuSE Apache CGI Source Access | ATOMIC | CONTENT |
| 5104 | 0 | WWW YaBB File Access | ATOMIC | CONTENT |
| 5105 | 0 | WWW Ranson Johnson mailto.cgi Attack | ATOMIC | CONTENT |
| 5106 | 0 | WWW Ranson Johnson mailform.pl Access | ATOMIC | CONTENT |
| 5107 | 0 | WWW Mandrake Linux /perl Access | ATOMIC | CONTENT |
| 5108 | 0 | WWW Netegrity Site Minder Access | ATOMIC | CONTENT |
| 5109 | 0 | WWW Sambar Beta search.dll Access | ATOMIC | CONTENT |
| 5110 | 0 | WWW SuSE Installed Packages Access | ATOMIC | CONTENT |
| 5111 | 0 | WWW Solaris Answerbook 2 Access | ATOMIC | CONTENT |
| 5112 | 0 | WWW Solaris Answerbook 2 Attack | ATOMIC | CONTENT |
| 5113 | 0 | WWW CommuniGate Pro Access | ATOMIC | CONTENT |
| 5114 | 0 | WWW IIS Unicode Attack | ATOMIC | CONTENT |
| 6001 | 0 | Normal SATAN Probe | COMPOSITE | CONTENT |
| 6002 | 0 | Heavy SATAN Probe | COMPOSITE | CONTENT |
| 6050 | 0 | DNS HINFO Request | ATOMIC | CONTENT |
| 6051 | 0 | DNS Zone Transfer | ATOMIC | CONTENT |
| 6052 | 0 | DNS Zone Transfer from High Port | ATOMIC | CONTENT |
| 6053 | 0 | DNS Request for All Records | ATOMIC | CONTENT |
| 6054 | 0 | DNS Version Request | ATOMIC | CONTENT |
| 6055 | 0 | DNS Inverse Query Buffer Overflow | ATOMIC | CONTENT |
| 6056 | 0 | BIND NXT Buffer Overflow | COMPOSITE | CONTENT |
| 6057 | 0 | BIND SIG Buffer Overflow | COMPOSITE | CONTEXT |
| 6100 | 0 | RPC Port Registration | ATOMIC | CONTENT |
| 6101 | 0 | RPC Port Unregistration | ATOMIC | CONTENT |
| 6102 | 0 | RPC Dump | ATOMIC | CONTENT |
| 6103 | 0 | Proxied RPC Request | ATOMIC | CONTENT |
| 6104 | 0 | RPC Set Spoof | ATOMIC | CONTENT |
| 6105 | 0 | RPC Unset Spoof | ATOMIC | CONTENT |
| 6110 | 0 | RPC RSTATD Sweep | COMPOSITE | CONTEXT |
| 6111 | 0 | RPC RUSERSD Sweep | COMPOSITE | CONTEXT |
| 6112 | 0 | RPC NFS Sweep | COMPOSITE | CONTEXT |
| 6113 | 0 | RPC MOUNTD Sweep | COMPOSITE | CONTEXT |
| 6114 | 0 | RPC YPPASSWDD Sweep | COMPOSITE | CONTEXT |
| 6115 | 0 | RPC SELECTION_SVC Sweep | COMPOSITE | CONTEXT |
| 6116 | 0 | RPC REXD Sweep | COMPOSITE | CONTEXT |
| 6117 | 0 | RPC STATUS Sweep | COMPOSITE | CONTEXT |
| 6118 | 0 | RPC ttdb Sweep | COMPOSITE | CONTENT |
| 6150 | 0 | ypserv Portmap Request | ATOMIC | CONTENT |
| 6151 | 0 | ypbind Portmap Request | ATOMIC | CONTENT |
| 6152 | 0 | yppasswdd Portmap Request | ATOMIC | CONTENT |
| 6153 | 0 | ypupdated Portmap Request | ATOMIC | CONTENT |
| 6154 | 0 | ypxfrd Portmap Request | ATOMIC | CONTENT |
| 6155 | 0 | mountd Portmap Request | ATOMIC | CONTENT |
| 6175 | 0 | rexd Portmap Request | ATOMIC | CONTENT |
| 6180 | 0 | rexd Attempt | ATOMIC | CONTEXT |
| 6190 | 0 | statd Buffer Overflow | COMPOSITE | CONTEXT |
| 6191 | 0 | RPC.tooltalk buffer overflow | COMPOSITE | CONTENT |
| 6192 | 0 | RPC mountd Buffer Overflow | COMPOSITE | CONTENT |
| 6193 | 0 | RPC CMSD Buffer Overflow | ATOMIC | CONTENT |
| 6194 | 0 | sadmind RPC Buffer Overflow | ATOMIC | CONTENT |
| 6195 | 0 | RPC amd Buffer Overflow | COMPOSITE | CONTENT |
| 6200 | 0 | Ident Buffer Overflow | COMPOSITE | CONTENT |
| 6201 | 0 | Ident Newline | COMPOSITE | CONTENT |
| 6202 | 0 | Ident Improper Request | COMPOSITE | CONTENT |
| 6250 | 0 | FTP Authorization Failure | COMPOSITE | CONTENT |
| 6251 | 0 | Telnet Authorization Failure | COMPOSITE | CONTENT |
| 6252 | 0 | Rlogin Authorization Failure | COMPOSITE | CONTENT |
| 6253 | 0 | POP3 Authorization Failure | COMPOSITE | CONTENT |
| 6255 | 0 | SMB Authorization Failure | COMPOSITE | CONTENT |
| 6300 | 0 | Loki ICMP Tunnelling | COMPOSITE | CONTEXT |
| 6302 | 0 | General Loki ICMP Tunneling | COMPOSITE | CONTEXT |
| 6500 | 0 | RingZero Trojan | COMPOSITE | CONTENT |
| 6501 | 0 | TFN Client Request | COMPOSITE | CONTENT |
| 6502 | 0 | TFN Server Reply | COMPOSITE | CONTENT |
| 6503 | 0 | Stacheldraht Client Request | COMPOSITE | CONTENT |
| 6504 | 0 | Stacheldraht Server Reply | COMPOSITE | CONTENT |
| 6505 | 0 | Trinoo Client Request | COMPOSITE | CONTENT |
| 6506 | 0 | Trinoo Server Reply | COMPOSITE | CONTENT |
| 6507 | 0 | TFN2K Control Traffic | COMPOSITE | CONTENT |
| 6508 | 0 | Mstream Control Traffic | COMPOSITE | CONTENT |
| 8000 | 2302 | Telnet-/etc/shadow Match | COMPOSITE | CONTENT |
| 8000 | 2101 | FTP Retrieve Password File | COMPOSITE | CONTENT |
| 8000 | 2303 | Telnet-+ + | COMPOSITE | CONTENT |
| 8000 | 51301 | Rlogin-IFS Match | COMPOSITE | CONTENT |
| 8000 | 51302 | Rlogin-/etc/shadow Match | COMPOSITE | CONTENT |
| 8000 | 51303 | Rlogin-+ + | COMPOSITE | CONTENT |