Cisco Intrusion Prevention System CLI Sensor Configuration Guide for IPS 7.1
OL-19892-01
Appendix B Signature Engines
For More Information
For more information on the parameters common to all signature engines, see Master Engine, page B-4.
Traffic ICMP Engine
The Traffic ICMP engine analyzes nonstandard protocols, such as TFN2K, LOKI, and DDoS. Only two signatures (both based on the LOKI protocol) have user-configurable parameters.

TFN2K is the newer version of TFN (Tribe Flood Network). It is a DDoS agent used to control coordinated attacks in which infected computers (zombies) target a single computer (or domain) with bogus traffic floods from hundreds or thousands of unknown attacking hosts. TFN2K randomizes its packet header information, but it has two discriminators that can be used to define signatures: whether the L3 checksum is incorrect, and whether the payload ends in a string of 64 'A' characters. TFN2K can run on any port and can communicate over ICMP, TCP, UDP, or a combination of these protocols.
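As an added illustration of the two TFN2K discriminators described above (this is example code, not from the Cisco guide), the following Python checks a constructed IPv4 packet for an incorrect L3 header checksum and for a payload ending in 64 'A' characters. The packet builder, the sample addresses, and the rule that a packet is "suspect" only when both indicators are present are assumptions made for the example.

```python
import struct

TRAILER = b"A" * 64  # the trailing-'A' discriminator from the engine description


def ipv4_header_checksum(header: bytes) -> int:
    """RFC 791 one's-complement sum over the IPv4 header (checksum field zeroed)."""
    if len(header) % 2:
        header += b"\x00"
    total = 0
    for i in range(0, len(header), 2):
        total += (header[i] << 8) | header[i + 1]
    while total >> 16:  # fold carries back into the low 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_packet(payload: bytes, proto: int = 1, corrupt_checksum: bool = False) -> bytes:
    """Constructed sample: minimal 20-byte IPv4 header plus payload (proto 1 = ICMP)."""
    total_len = 20 + len(payload)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234, 0, 64, proto, 0,
                      bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))  # assumed addresses
    csum = ipv4_header_checksum(hdr)
    if corrupt_checksum:
        csum ^= 0x0001  # flip one bit so the stored checksum no longer verifies
    return hdr[:10] + struct.pack("!H", csum) + hdr[12:] + payload


def tfn2k_indicators(packet: bytes) -> dict:
    """Evaluate both TFN2K discriminators on a raw IPv4 packet."""
    ihl = (packet[0] & 0x0F) * 4
    header, payload = packet[:ihl], packet[ihl:]
    zeroed = header[:10] + b"\x00\x00" + header[12:]
    stored = struct.unpack("!H", header[10:12])[0]
    bad_l3_checksum = ipv4_header_checksum(zeroed) != stored
    trailing_64_a = payload.endswith(TRAILER)
    # Requiring both indicators is an assumed choice to reduce false positives.
    return {"bad_l3_checksum": bad_l3_checksum,
            "trailing_64_a": trailing_64_a,
            "suspect": bad_l3_checksum and trailing_64_a}


if __name__ == "__main__":
    sample = build_ipv4_packet(b"cmd" + TRAILER, corrupt_checksum=True)
    print(tfn2k_indicators(sample))
```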
Table B-39 Anomaly Detection Worm Signatures (continued)

| Signature ID | Subsignature ID | Name | Description |
|---|---|---|---|
| 13004 | 1 | External UDP Scanner | Identified a worm attack over a UDP protocol in the external zone; the UDP histogram threshold was crossed and a scanner over a UDP protocol was identified. |
| 13005 | 0 | External Other Scanner | Identified a single scanner over an Other protocol in the external zone. |
| 13005 | 1 | External Other Scanner | Identified a worm attack over an Other protocol in the external zone; the Other histogram threshold was crossed and a scanner over an Other protocol was identified. |
| 13006 | 0 | Illegal TCP Scanner | Identified a single scanner over a TCP protocol in the illegal zone. |
| 13006 | 1 | Illegal TCP Scanner | Identified a worm attack over a TCP protocol in the illegal zone; the TCP histogram threshold was crossed and a scanner over a TCP protocol was identified. |
| 13007 | 0 | Illegal UDP Scanner | Identified a single scanner over a UDP protocol in the illegal zone. |
| 13007 | 1 | Illegal UDP Scanner | Identified a worm attack over a UDP protocol in the illegal zone; the UDP histogram threshold was crossed and a scanner over a UDP protocol was identified. |
| 13008 | 0 | Illegal Other Scanner | Identified a single scanner over an Other protocol in the illegal zone. |
| 13008 | 1 | Illegal Other Scanner | Identified a worm attack over an Other protocol in the illegal zone; the Other histogram threshold was crossed and a scanner over an Other protocol was identified. |