Appendix A

Cisco Intrusion Detection System Signature Structures and Implementations

Cisco Secure Intrusion Detection System 2.1
Copyright 2001, Cisco Systems, Inc.

| CIDS Signature ID | CIDS Sub Signature ID | CIDS Signature Name | CIDS Signature Structure | CIDS Signature Implementation |
|---|---|---|---|---|
| 1000 | 0 | IP options-Bad Option List | ATOMIC | CONTEXT |
| 1001 | 0 | IP options-Record Packet Route | ATOMIC | CONTEXT |
| 1002 | 0 | IP options-Timestamp | ATOMIC | CONTEXT |
| 1003 | 0 | IP options-Provide s, c, h, and tcc | ATOMIC | CONTEXT |
| 1004 | 0 | IP options-Loose Source Route | ATOMIC | CONTEXT |
| 1005 | 0 | IP options-SATNET ID | ATOMIC | CONTEXT |
| 1006 | 0 | IP options-Strict Source Route | ATOMIC | CONTEXT |
| 1100 | 0 | IP Fragment Attack | ATOMIC | CONTEXT |
| 1101 | 0 | Unknown IP Protocol | ATOMIC | CONTEXT |
| 1102 | 0 | Impossible IP Packet | ATOMIC | CONTENT |
| 1103 | 0 | IP Fragments Overlap | COMPOSITE | CONTEXT |
| 1104 | 0 | IP Localhost Source Spoof | ATOMIC | CONTENT |
| 1105 | 0 | Broadcast Source Address | ATOMIC | CONTENT |
| 1106 | 0 | Multicast IP Source Address | ATOMIC | CONTENT |
| 1200 | 0 | IP Fragmentation Buffer Full | ATOMIC | CONTENT |
| 1201 | 0 | IP Fragment Overlap | ATOMIC | CONTENT |
| 1202 | 0 | IP Fragment Overrun - Datagram Too Long | ATOMIC | CONTENT |
| 1203 | 0 | IP Fragment Overwrite - Data is Overwritten | ATOMIC | CONTENT |
| 1204 | 0 | IP Fragment Missing Initial Fragment | ATOMIC | CONTENT |
| 1205 | 0 | IP Fragment Too Many Datagrams | ATOMIC | CONTENT |
| 1206 | 0 | IP Fragment Too Small | ATOMIC | CONTENT |
| 1207 | 0 | IP Fragment Too Many Frags | ATOMIC | CONTENT |
| 1208 | 0 | IP Fragment Incomplete Datagram | ATOMIC | CONTENT |
| 1220 | 0 | Jolt2 Fragment Reassembly DoS attack | COMPOSITE | CONTENT |
| 2000 | 0 | ICMP Echo Reply | ATOMIC | CONTEXT |
| 2001 | 0 | ICMP Host Unreachable | ATOMIC | CONTEXT |
| 2002 | 0 | ICMP Source Quench | ATOMIC | CONTEXT |
| 2003 | 0 | ICMP Redirect | ATOMIC | CONTEXT |
| 2004 | 0 | ICMP Echo Request | ATOMIC | CONTEXT |
| 2005 | 0 | ICMP Time Exceeded for a Datagram | ATOMIC | CONTEXT |
| 2006 | 0 | ICMP Parameter Problem on Datagram | ATOMIC | CONTEXT |
| 2007 | 0 | ICMP Timestamp Request | ATOMIC | CONTEXT |
| 2008 | 0 | ICMP Timestamp Reply | ATOMIC | CONTEXT |
| 2009 | 0 | ICMP Information Request | ATOMIC | CONTEXT |
| 2010 | 0 | ICMP Information Reply | ATOMIC | CONTEXT |
| 2011 | 0 | ICMP Address Mask Request | ATOMIC | CONTEXT |
| 2012 | 0 | ICMP Address Mask Reply | ATOMIC | CONTEXT |
| 2100 | 0 | ICMP Network Sweep w/Echo | COMPOSITE | CONTEXT |
| 2101 | 0 | ICMP Network Sweep w/Timestamp | COMPOSITE | CONTEXT |
| 2102 | 0 | ICMP Network Sweep w/Address Mask | COMPOSITE | CONTEXT |
| 2150 | 0 | Fragmented ICMP Traffic | ATOMIC | CONTEXT |
| 2151 | 0 | Large ICMP Traffic | ATOMIC | CONTEXT |
| 2152 | 0 | ICMP Flood | COMPOSITE | CONTEXT |
| 2153 | 0 | Smurf | COMPOSITE | CONTEXT |
| 2154 | 0 | Ping of Death Attack | ATOMIC | CONTEXT |
| 3000 | 0 | TCP Ports | ATOMIC | CONTEXT |
| 3001 | 0 | TCP Port Sweep | COMPOSITE | CONTEXT |
| 3002 | 0 | TCP SYN Port Sweep | COMPOSITE | CONTEXT |
| 3003 | 0 | TCP Frag SYN Port Sweep | COMPOSITE | CONTEXT |
| 3005 | 0 | TCP FIN Port Sweep | COMPOSITE | CONTEXT |
| 3006 | 0 | TCP Frag FIN Port Sweep | COMPOSITE | CONTEXT |
| 3010 | 0 | TCP High Port Sweep | COMPOSITE | CONTEXT |
| 3011 | 0 | TCP FIN High Port Sweep | COMPOSITE | CONTEXT |
| 3012 | 0 | TCP Frag FIN High Port Sweep | COMPOSITE | CONTEXT |
| 3015 | 0 | TCP Null Port Sweep | COMPOSITE | CONTEXT |
| 3016 | 0 | TCP Frag Null Port Sweep | COMPOSITE | CONTEXT |
| 3020 | 0 | TCP SYN FIN Port Sweep | COMPOSITE | CONTEXT |
| 3021 | 0 | TCP Frag SYN FIN Port Sweep | COMPOSITE | CONTEXT |
| 3030 | 0 | TCP SYN Host Sweep | COMPOSITE | CONTEXT |
| 3031 | 0 | TCP FRAG SYN Host Sweep | COMPOSITE | CONTEXT |
| 3032 | 0 | TCP FIN Host Sweep | COMPOSITE | CONTEXT |
| 3033 | 0 | TCP FRAG FIN Host Sweep | COMPOSITE | CONTEXT |
| 3034 | 0 | TCP NULL Host Sweep | COMPOSITE | CONTEXT |
| 3035 | 0 | TCP FRAG NULL Host Sweep | COMPOSITE | CONTEXT |
| 3036 | 0 | TCP SYN FIN Host Sweep | COMPOSITE | CONTEXT |
| 3037 | 0 | TCP FRAG SYN FIN Host Sweep | COMPOSITE | CONTEXT |
| 3038 | 0 | Fragmented NULL TCP Packet | ATOMIC | CONTEXT |
| 3039 | 0 | Fragmented Orphaned FIN packet | ATOMIC | CONTEXT |
| 3040 | 0 | NULL TCP Packet | ATOMIC | CONTEXT |
| 3041 | 0 | SYN/FIN Packet | ATOMIC | CONTEXT |
| 3042 | 0 | Orphaned Fin Packet | ATOMIC | CONTEXT |
| 3043 | 0 | Fragmented SYN/FIN Packet | ATOMIC | CONTENT |
| 3045 | 0 | Queso Sweep | COMPOSITE | CONTEXT |
| 3050 | 0 | Half-open SYN Attack | COMPOSITE | CONTEXT |
| 3100 | 0 | Smail Attack | COMPOSITE | CONTENT |
| 3101 | 0 | Sendmail Invalid Recipient | COMPOSITE | CONTENT |
| 3102 | 0 | Sendmail Invalid Sender | COMPOSITE | CONTENT |
| 3103 | 0 | Sendmail Reconnaissance | COMPOSITE | CONTENT |
| 3104 | 0 | Archaic Sendmail Attacks | COMPOSITE | CONTENT |
| 3105 | 0 | Sendmail Decode Alias | COMPOSITE | CONTENT |
| 3106 | 0 | Mail Spam | COMPOSITE | CONTEXT |
| 3107 | 0 | Majordomo Execute Attack | COMPOSITE | CONTENT |
| 3108 | 0 | MIME Overflow Bug | COMPOSITE | CONTENT |
| 3109 | 0 | Q-Mail Length Crash | COMPOSITE | CONTENT |
| 3110 | 0 | Suspicious Mail Attachment | COMPOSITE | CONTENT |
| 3150 | 0 | FTP Remote Command Execution | COMPOSITE | CONTENT |
| 3151 | 0 | FTP SYST Command Attempt | COMPOSITE | CONTENT |
| 3152 | 0 | FTP CWD ~root | COMPOSITE | CONTENT |
| 3153 | 0 | FTP Improper Address Specified | ATOMIC | CONTENT |
| 3154 | 0 | FTP Improper Port Specified | ATOMIC | CONTENT |
| 3155 | 0 | FTP RETR Pipe Filename Command Execution | ATOMIC | CONTENT |
| 3156 | 0 | FTP STOR Pipe Filename Command Execution | ATOMIC | CONTENT |
| 3157 | 0 | FTP PASV Port Spoof | COMPOSITE | CONTENT |
| 3200 | 0 | WWW Phf Attack | COMPOSITE | CONTENT |
| 3201 | 0 | WWW General cgi-bin Attack | COMPOSITE | CONTENT |
| 3202 | 0 | WWW .url File Requested | COMPOSITE | CONTENT |
| 3203 | 0 | WWW .lnk File Requested | COMPOSITE | CONTENT |
| 3204 | 0 | WWW .bat File Requested | COMPOSITE | CONTENT |
| 3205 | 0 | HTML File Has .url Link | COMPOSITE | CONTENT |
| 3206 | 0 | HTML File Has .lnk Link | COMPOSITE | CONTENT |
| 3207 | 0 | HTML File Has .bat Link | COMPOSITE | CONTENT |
| 3208 | 0 | WWW campas Attack | COMPOSITE | CONTENT |
| 3209 | 0 | WWW Glimpse Server Attack | COMPOSITE | CONTENT |
| 3210 | 0 | WWW IIS View Source Attack | COMPOSITE | CONTENT |
| 3211 | 0 | WWW IIS Hex View Source Attack | COMPOSITE | CONTENT |
| 3212 | 0 | WWW NPH-TEST-CGI Attack | COMPOSITE | CONTENT |
| 3213 | 0 | WWW TEST-CGI Attack | COMPOSITE | CONTENT |
| 3214 | 0 | IIS DOT DOT VIEW Attack | COMPOSITE | CONTENT |
| 3215 | 0 | IIS DOT DOT EXECUTE Attack | COMPOSITE | CONTENT |
| 3216 | 0 | IIS Dot Dot Crash Attack | COMPOSITE | CONTENT |
| 3217 | 0 | WWW php View File Attack | COMPOSITE | CONTENT |
| 3218 | 0 | WWW SGI Wrap Attack | COMPOSITE | CONTENT |
| 3219 | 0 | WWW PHP Buffer Overflow | COMPOSITE | CONTENT |
| 3220 | 0 | IIS Long URL Crash Bug | COMPOSITE | CONTENT |
| 3221 | 0 | WWW cgi-viewsource Attack | COMPOSITE | CONTENT |
| 3222 | 0 | WWW PHP Log Scripts Read Attack | COMPOSITE | CONTENT |
| 3223 | 0 | WWW IRIX cgi-handler Attack | COMPOSITE | CONTENT |
| 3224 | 0 | HTTP WebGais | COMPOSITE | CONTENT |
| 3225 | 0 | HTTP Gais Websendmail | COMPOSITE | CONTENT |
| 3226 | 0 | WWW Webdist Bug | COMPOSITE | CONTENT |
| 3227 | 0 | WWW Htmlscript Bug | COMPOSITE | CONTENT |
| 3228 | 0 | WWW Performer Bug | COMPOSITE | CONTENT |
| 3229 | 0 | Website Win-C-Sample Buffer Overflow | COMPOSITE | CONTENT |
| 3230 | 0 | Website Uploader | COMPOSITE | CONTENT |
| 3231 | 0 | Novell convert | COMPOSITE | CONTENT |
| 3232 | 0 | WWW finger attempt | COMPOSITE | CONTENT |
| 3233 | 0 | WWW count-cgi Overflow | COMPOSITE | CONTEXT |
| 3250 | 0 | TCP Hijack | COMPOSITE | CONTEXT |
| 3251 | 0 | TCP Hijacking Simplex Mode | COMPOSITE | CONTEXT |
| 3300 | 0 | NetBIOS OOB Data | ATOMIC | CONTEXT |
| 3301 | 0 | NETBIOS Stat | ATOMIC | CONTENT |
| 3302 | 0 | NETBIOS Session Setup Failure | ATOMIC | CONTEXT |
| 3303 | 0 | Windows Guest Login | ATOMIC | CONTENT |
| 3304 | 0 | Windows Null Account Name | ATOMIC | CONTENT |
| 3305 | 0 | Windows Password File Access | ATOMIC | CONTENT |
| 3306 | 0 | Windows Registry Access | ATOMIC | CONTENT |
| 3307 | 0 | Windows Redbutton Attack | COMPOSITE | CONTENT |
| 3308 | 0 | Windows LSARPC Access | ATOMIC | CONTENT |
| 3309 | 0 | Windows SRVSVC Access | ATOMIC | CONTENT |
| 3400 | 0 | Sunkill | COMPOSITE | CONTENT |
| 3401 | 0 | Telnet-IFS Match | COMPOSITE | CONTENT |
| 3450 | 0 | Finger Bomb | ATOMIC | CONTENT |
| 3500 | 0 | Rlogin -froot Attack | COMPOSITE | CONTENT |
| 3525 | 0 | IMAP Authenticate Buffer Overflow | COMPOSITE | CONTENT |
| 3526 | 0 | Imap Login Buffer Overflow | COMPOSITE | CONTENT |
| 3530 | 0 | Cisco Secure ACS Oversized TACACS+ Attack | ATOMIC | CONTENT |
| 3540 | 0 | Cisco Secure ACS CSAdmin Attack | ATOMIC | CONTEXT |
| 3550 | 0 | POP Buffer Overflow | COMPOSITE | CONTENT |
| 3575 | 0 | INN Buffer Overflow | COMPOSITE | CONTEXT |
| 3576 | 0 | INN Control Message Exploit | COMPOSITE | CONTENT |
| 3600 | 0 | IOS Telnet Buffer Overflow | COMPOSITE | CONTENT |
| 3601 | 0 | IOS Command History Exploit | COMPOSITE | CONTENT |
| 3602 | 0 | Cisco IOS Identity | ATOMIC | CONTENT |
| 3603 | 0 | IOS Enable Bypass | COMPOSITE | CONTENT |
| 3650 | 0 | SSH RSAREF2 Buffer Overflow | COMPOSITE | CONTEXT |
| 3990 | 0 | BackOrifice BO2K TCP Non Stealth | COMPOSITE | CONTENT |
| 3991 | 0 | BackOrifice BO2K TCP Stealth 1 | COMPOSITE | CONTENT |
| 3992 | 0 | BackOrifice BO2K TCP Stealth 2 | COMPOSITE | CONTENT |
| 4000 | 0 | UDP Packet | ATOMIC | CONTEXT |
| 4001 | 0 | UDP Port Sweep | COMPOSITE | CONTEXT |
| 4002 | 0 | UDP Flood | COMPOSITE | CONTEXT |
| 4050 | 0 | UDP Bomb | ATOMIC | CONTEXT |
| 4051 | 0 | Snork | ATOMIC | CONTEXT |
| 4052 | 0 | Chargen DoS | ATOMIC | CONTEXT |
| 4053 | 0 | Back Orifice | COMPOSITE | CONTENT |
| 4054 | 0 | RIP Trace | ATOMIC | CONTENT |
| 4055 | 0 | BackOrifice BO2K UDP | COMPOSITE | CONTENT |
| 4100 | 0 | Tftp Passwd File | COMPOSITE | CONTENT |
| 4150 | 0 | Ascend Denial of Service | COMPOSITE | CONTENT |
| 4600 | 0 | IOS UDP Bomb | COMPOSITE | CONTEXT |
| 5034 | 0 | WWW IIS newdsn attack | COMPOSITE | CONTENT |
| 5035 | 0 | HTTP cgi HylaFAX Faxsurvey | COMPOSITE | CONTENT |
| 5036 | 0 | WWW Windows Password File Access Attempt | COMPOSITE | CONTENT |
| 5037 | 0 | WWW SGI MachineInfo Attack | COMPOSITE | CONTENT |
| 5038 | 0 | WWW wwwsql file read Bug | COMPOSITE | CONTENT |
| 5039 | 0 | WWW finger attempt | COMPOSITE | CONTENT |
| 5040 | 0 | WWW Perl Interpreter Attack | COMPOSITE | CONTENT |
| 5041 | 0 | WWW anyform attack | COMPOSITE | CONTENT |
| 5042 | 0 | WWW CGI Valid Shell Access | COMPOSITE | CONTENT |
| 5043 | 0 | WWW Cold Fusion Attack | COMPOSITE | CONTENT |
| 5044 | 0 | WWW Webcom.se Guestbook attack | COMPOSITE | CONTENT |
| 5045 | 0 | WWW xterm display attack | COMPOSITE | CONTENT |
| 5046 | 0 | WWW dumpenv.pl recon | COMPOSITE | CONTENT |
| 5047 | 0 | WWW Server Side Include POST attack | COMPOSITE | CONTENT |
| 5048 | 0 | WWW IIS BAT EXE attack | COMPOSITE | CONTENT |
| 5049 | 0 | WWW IIS showcode.asp access | COMPOSITE | CONTENT |
| 5050 | 0 | WWW IIS .htr Overflow Attack | COMPOSITE | CONTENT |
| 5051 | 0 | IIS Double Byte Code Page | ATOMIC | CONTENT |
| 5052 | 0 | FrontPage Extensions PWD Open Attempt | ATOMIC | CONTENT |
| 5053 | 0 | FrontPage _vti_bin Directory List Attempt | ATOMIC | CONTENT |
| 5054 | 0 | WWWBoard Password | ATOMIC | CONTENT |
| 5055 | 0 | HTTP Basic Authentication Overflow | COMPOSITE | CONTENT |
| 5056 | 0 | WWW Cisco IOS %% DoS | COMPOSITE | CONTENT |
| 5057 | 0 | WWW Sambar Samples | COMPOSITE | CONTENT |
| 5058 | 0 | WWW info2www Attack | COMPOSITE | CONTENT |
| 5059 | 0 | WWW Alibaba Attack | COMPOSITE | CONTENT |
| 5060 | 0 | WWW Excite AT-generate.cgi Access | COMPOSITE | CONTENT |
| 5061 | 0 | WWW catalog_type.asp Access | COMPOSITE | CONTENT |
| 5062 | 0 | WWW classifieds.cgi Attack | COMPOSITE | CONTENT |
| 5063 | 0 | WWW dmblparser.exe Access | COMPOSITE | CONTENT |
| 5064 | 0 | WWW imagemap.cgi Attack | COMPOSITE | CONTENT |
| 5065 | 0 | WWW IRIX infosrch.cgi Attack | COMPOSITE | CONTENT |
| 5066 | 0 | WWW man.sh Access | COMPOSITE | CONTENT |
| 5067 | 0 | WWW plusmail Attack | COMPOSITE | CONTENT |
| 5068 | 0 | WWW formmail.pl Access | COMPOSITE | CONTENT |
| 5069 | 0 | WWW whois_raw.cgi Attack | COMPOSITE | CONTENT |
| 5070 | 0 | WWW msadcs.dll Access | COMPOSITE | CONTENT |
| 5071 | 0 | WWW msacds.dll Attack | COMPOSITE | CONTENT |
| 5072 | 0 | WWW bizdb1-search.cgi Attack | COMPOSITE | CONTENT |
| 5073 | 0 | WWW EZshopper loadpage.cgi Attack | COMPOSITE | CONTENT |
| 5074 | 0 | WWW EZshopper search.cgi Attack | COMPOSITE | CONTENT |
| 5075 | 0 | WWW IIS Virtualized UNC Bug | COMPOSITE | CONTENT |
| 5076 | 0 | WWW webplus bug | COMPOSITE | CONTENT |
| 5077 | 0 | WWW Excite AT-admin.cgi Access | COMPOSITE | CONTENT |
| 5078 | 0 | WWW Piranha passwd attack | COMPOSITE | CONTENT |
| 5079 | 0 | WWW PCCS MySQL Admin Access | ATOMIC | CONTENT |
| 5080 | 0 | WWW IBM WebSphere Access | ATOMIC | CONTENT |
| 5081 | 0 | WWW WinNT cmd.exe Access | ATOMIC | CONTENT |
| 5082 | 0 | WWW Roxen %00 Access | ATOMIC | CONTENT |
| 5083 | 0 | WWW Virtual Vision FTP Browser Access | ATOMIC | CONTENT |
| 5084 | 0 | WWW Alibaba Attack 2 | ATOMIC | CONTENT |
| 5085 | 0 | WWW IIS Source Fragment Access | ATOMIC | CONTENT |
| 5086 | 0 | WWW WEBactive Logfile Access | ATOMIC | CONTENT |
| 5087 | 0 | WWW Sun Java Server Access | ATOMIC | CONTENT |
| 5088 | 0 | WWW Akopia MiniVend Access | ATOMIC | CONTENT |
| 5089 | 0 | WWW Big Brother Directory Access | ATOMIC | CONTENT |
| 5090 | 0 | WWW FrontPage htimage.exe Access | ATOMIC | CONTENT |
| 5091 | 0 | WWW Cart32 Remote Admin Access | COMPOSITE | CONTENT |
| 5092 | 0 | WWW CGI-World Poll It Access | ATOMIC | CONTENT |
| 5093 | 0 | WWW PHP-Nuke admin.php3 Access | ATOMIC | CONTENT |
| 5095 | 0 | WWW CGI Script Center Account Manager Attack | ATOMIC | CONTENT |
| 5096 | 0 | WWW CGI Script Center Subscribe Me Attack | ATOMIC | CONTENT |
| 5097 | 0 | WWW FrontPage MS-DOS Device Attack | COMPOSITE | CONTENT |
| 5099 | 0 | WWW GWScripts News Publisher Access | ATOMIC | CONTENT |
| 5100 | 0 | WWW CGI Center Auction Weaver File Access | ATOMIC | CONTENT |
| 5101 | 0 | WWW CGI Center Auction Weaver Attack | ATOMIC | CONTENT |
| 5102 | 0 | WWW phpPhotoAlbum explorer.php Access | ATOMIC | CONTENT |
| 5103 | 0 | WWW SuSE Apache CGI Source Access | ATOMIC | CONTENT |
| 5104 | 0 | WWW YaBB File Access | ATOMIC | CONTENT |
| 5105 | 0 | WWW Ranson Johnson mailto.cgi Attack | ATOMIC | CONTENT |
| 5106 | 0 | WWW Ranson Johnson mailform.pl Access | ATOMIC | CONTENT |
| 5107 | 0 | WWW Mandrake Linux /perl Access | ATOMIC | CONTENT |
| 5108 | 0 | WWW Netegrity Site Minder Access | ATOMIC | CONTENT |
| 5109 | 0 | WWW Sambar Beta search.dll Access | ATOMIC | CONTENT |
| 5110 | 0 | WWW SuSE Installed Packages Access | ATOMIC | CONTENT |
| 5111 | 0 | WWW Solaris Answerbook 2 Access | ATOMIC | CONTENT |
| 5112 | 0 | WWW Solaris Answerbook 2 Attack | ATOMIC | CONTENT |
| 5113 | 0 | WWW CommuniGate Pro Access | ATOMIC | CONTENT |
| 5114 | 0 | WWW IIS Unicode Attack | ATOMIC | CONTENT |
| 6001 | 0 | Normal SATAN Probe | COMPOSITE | CONTENT |
| 6002 | 0 | Heavy SATAN Probe | COMPOSITE | CONTENT |
| 6050 | 0 | DNS HINFO Request | ATOMIC | CONTENT |
| 6051 | 0 | DNS Zone Transfer | ATOMIC | CONTENT |
| 6052 | 0 | DNS Zone Transfer from High Port | ATOMIC | CONTENT |
| 6053 | 0 | DNS Request for All Records | ATOMIC | CONTENT |
| 6054 | 0 | DNS Version Request | ATOMIC | CONTENT |
| 6055 | 0 | DNS Inverse Query Buffer Overflow | ATOMIC | CONTENT |
| 6056 | 0 | BIND NXT Buffer Overflow | COMPOSITE | CONTENT |
| 6057 | 0 | BIND SIG Buffer Overflow | COMPOSITE | CONTEXT |
| 6100 | 0 | RPC Port Registration | ATOMIC | CONTENT |
| 6101 | 0 | RPC Port Unregistration | ATOMIC | CONTENT |
| 6102 | 0 | RPC Dump | ATOMIC | CONTENT |
| 6103 | 0 | Proxied RPC Request | ATOMIC | CONTENT |
| 6104 | 0 | RPC Set Spoof | ATOMIC | CONTENT |
| 6105 | 0 | RPC Unset Spoof | ATOMIC | CONTENT |
| 6110 | 0 | RPC RSTATD Sweep | COMPOSITE | CONTEXT |
| 6111 | 0 | RPC RUSERSD Sweep | COMPOSITE | CONTEXT |
| 6112 | 0 | RPC NFS Sweep | COMPOSITE | CONTEXT |
| 6113 | 0 | RPC MOUNTD Sweep | COMPOSITE | CONTEXT |
| 6114 | 0 | RPC YPPASSWDD Sweep | COMPOSITE | CONTEXT |
| 6115 | 0 | RPC SELECTION_SVC Sweep | COMPOSITE | CONTEXT |
| 6116 | 0 | RPC REXD Sweep | COMPOSITE | CONTEXT |
| 6117 | 0 | RPC STATUS Sweep | COMPOSITE | CONTEXT |
| 6118 | 0 | RPC ttdb Sweep | COMPOSITE | CONTENT |
| 6150 | 0 | ypserv Portmap Request | ATOMIC | CONTENT |
| 6151 | 0 | ypbind Portmap Request | ATOMIC | CONTENT |
| 6152 | 0 | yppasswdd Portmap Request | ATOMIC | CONTENT |
| 6153 | 0 | ypupdated Portmap Request | ATOMIC | CONTENT |
| 6154 | 0 | ypxfrd Portmap Request | ATOMIC | CONTENT |
| 6155 | 0 | mountd Portmap Request | ATOMIC | CONTENT |
| 6175 | 0 | rexd Portmap Request | ATOMIC | CONTENT |
| 6180 | 0 | rexd Attempt | ATOMIC | CONTEXT |
| 6190 | 0 | statd Buffer Overflow | COMPOSITE | CONTEXT |
| 6191 | 0 | RPC.tooltalk buffer overflow | COMPOSITE | CONTENT |
| 6192 | 0 | RPC mountd Buffer Overflow | COMPOSITE | CONTENT |
| 6193 | 0 | RPC CMSD Buffer Overflow | ATOMIC | CONTENT |
| 6194 | 0 | sadmind RPC Buffer Overflow | ATOMIC | CONTENT |
| 6195 | 0 | RPC amd Buffer Overflow | COMPOSITE | CONTENT |
| 6200 | 0 | Ident Buffer Overflow | COMPOSITE | CONTENT |
| 6201 | 0 | Ident Newline | COMPOSITE | CONTENT |
| 6202 | 0 | Ident Improper Request | COMPOSITE | CONTENT |
| 6250 | 0 | FTP Authorization Failure | COMPOSITE | CONTENT |
| 6251 | 0 | Telnet Authorization Failure | COMPOSITE | CONTENT |
| 6252 | 0 | Rlogin Authorization Failure | COMPOSITE | CONTENT |
| 6253 | 0 | POP3 Authorization Failure | COMPOSITE | CONTENT |
| 6255 | 0 | SMB Authorization Failure | COMPOSITE | CONTENT |
| 6300 | 0 | Loki ICMP Tunnelling | COMPOSITE | CONTEXT |
| 6302 | 0 | General Loki ICMP Tunneling | COMPOSITE | CONTEXT |
| 6500 | 0 | RingZero Trojan | COMPOSITE | CONTENT |
| 6501 | 0 | TFN Client Request | COMPOSITE | CONTENT |
| 6502 | 0 | TFN Server Reply | COMPOSITE | CONTENT |
| 6503 | 0 | Stacheldraht Client Request | COMPOSITE | CONTENT |
| 6504 | 0 | Stacheldraht Server Reply | COMPOSITE | CONTENT |
| 6505 | 0 | Trinoo Client Request | COMPOSITE | CONTENT |
| 6506 | 0 | Trinoo Server Reply | COMPOSITE | CONTENT |
| 6507 | 0 | TFN2K Control Traffic | COMPOSITE | CONTENT |
| 6508 | 0 | Mstream Control Traffic | COMPOSITE | CONTENT |
| 8000 | 2302 | Telnet-/etc/shadow Match | COMPOSITE | CONTENT |
| 8000 | 2101 | FTP Retrieve Password File | COMPOSITE | CONTENT |
| 8000 | 2303 | Telnet-+ + | COMPOSITE | CONTENT |
| 8000 | 51301 | Rlogin-IFS Match | COMPOSITE | CONTENT |
| 8000 | 51302 | Rlogin-/etc/shadow Match | COMPOSITE | CONTENT |
| 8000 | 51303 | Rlogin-+ + | COMPOSITE | CONTENT |

