Sunday, February 28, 2010

Network Attack Signature List

Intruder Alert!

How did I learn the basics about network attack signatures?

Using the Cisco IOS Firewall IDS Signature List.

59 basic attack signatures
The signatures are categorized into four types:

(Info, Atomic) - Information-gathering actions such as port scans.
Example:
2005 ICMP Time Exceeded for a Datagram (Info, Atomic)
Triggers when an IP datagram is received with the "protocol" field in the IP header set to 1 (ICMP) and the "type" field in the ICMP header set to 11.

(Info, Compound) - Attempted intrusions into the guarded network.
Example:
3151 FTP SYST Command Attempt (Info, Compound)
Triggers when someone tries to execute the FTP SYST command.

(Attack, Atomic) - Simple intrusion patterns.
Example:
1101 Unknown IP Protocol (Attack, Atomic)
Triggers when an IP datagram is received with the protocol field set to 101 or greater. These protocol types are undefined or reserved and should not be used.

(Attack, Compound) - Intricate patterns or series of operations spread across many hosts over a specific period.
Example:
3050 Half-open SYN Attack/SYN Flood (Attack, Compound)
Triggers when multiple TCP sessions have been improperly initiated.
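
To show the atomic/compound difference in working code, here is a toy detector I wrote for this post (it is not Cisco code) that fires the four signature IDs above on constructed sample packets. Packets are plain dicts rather than real captures, and the half-open SYN threshold of 3 per destination is my own assumption, not a Cisco default.

```python
from collections import defaultdict

SYN_THRESHOLD = 3  # assumption: half-open SYNs per destination before 3050 fires

def atomic_matches(pkt):
    """Atomic signatures decide on one packet alone (2005, 3151, 1101)."""
    hits = []
    if pkt["proto"] == 1 and pkt.get("icmp_type") == 11:
        hits.append(2005)        # ICMP Time Exceeded for a Datagram
    if pkt["proto"] >= 101:
        hits.append(1101)        # Unknown (undefined/reserved) IP protocol
    if pkt["proto"] == 6 and pkt.get("dport") == 21 and \
       pkt.get("payload", b"").upper().startswith(b"SYST"):
        hits.append(3151)        # FTP SYST command attempt
    return hits

class CompoundDetector:
    """Compound signature 3050 needs state: count half-open TCP sessions per destination."""
    def __init__(self, threshold=SYN_THRESHOLD):
        self.threshold = threshold
        self.half_open = defaultdict(set)   # dst -> {(src, sport), ...}

    def feed(self, pkt):
        if pkt["proto"] != 6:
            return None
        key, flags = (pkt["src"], pkt.get("sport")), pkt.get("flags", "")
        if flags == "S":                    # bare SYN: a session was opened
            self.half_open[pkt["dst"]].add(key)
        elif "A" in flags:                  # client ACK completes the handshake
            self.half_open[pkt["dst"]].discard(key)
        return 3050 if len(self.half_open[pkt["dst"]]) >= self.threshold else None

def run(packets):
    """Return the signature IDs fired, in order, without repeating 3050."""
    alerts, comp = [], CompoundDetector()
    for pkt in packets:
        alerts.extend(atomic_matches(pkt))
        sid = comp.feed(pkt)
        if sid and sid not in alerts:
            alerts.append(sid)
    return alerts

SAMPLE_PACKETS = [  # constructed sample traffic, not a real capture
    {"src": "10.0.0.5", "dst": "10.0.0.1", "proto": 1, "icmp_type": 11},
    {"src": "10.0.0.5", "dst": "10.0.0.1", "proto": 6, "sport": 40001, "dport": 21,
     "flags": "PA", "payload": b"SYST\r\n"},
    {"src": "10.0.0.5", "dst": "10.0.0.1", "proto": 200},
    # completed handshake from .6: must not count toward 3050
    {"src": "10.0.0.6", "dst": "10.0.0.1", "proto": 6, "sport": 5000, "dport": 80, "flags": "S"},
    {"src": "10.0.0.6", "dst": "10.0.0.1", "proto": 6, "sport": 5000, "dport": 80, "flags": "A"},
    # three SYNs from .7 that are never completed: half-open sessions pile up
    {"src": "10.0.0.7", "dst": "10.0.0.1", "proto": 6, "sport": 6001, "dport": 80, "flags": "S"},
    {"src": "10.0.0.7", "dst": "10.0.0.1", "proto": 6, "sport": 6002, "dport": 80, "flags": "S"},
    {"src": "10.0.0.7", "dst": "10.0.0.1", "proto": 6, "sport": 6003, "dport": 80, "flags": "S"},
]
```

Running `run(SAMPLE_PACKETS)` gives `[2005, 3151, 1101, 3050]`: the three atomic signatures fire on their single packets, while 3050 only fires once the third uncompleted SYN arrives.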

Very good article at http://ciscoarticles.com/CCSP-Cisco-Certified-Security-Professional/CIDS-Log-Files.html

Enjoy!
