Cisco Intrusion Prevention System CLI Sensor Configuration Guide for IPS 7.1
OL-19892-01
Appendix B Signature Engines
LOKI is a back door Trojan. Once a host is infected, the malicious code sets up an ICMP tunnel that
carries small payloads in ICMP echo replies, which may pass straight through a firewall that is not
configured to block ICMP. The LOKI signatures look for an imbalance of ICMP echo requests to echo
replies, together with simple ICMP code and payload discriminators.
The DDoS category (excluding TFN2K) targets ICMP-based DDoS agents. The main tools here are TFN and
Stacheldraht. They operate much like TFN2K, but rely on ICMP only and use fixed commands made up of
integers and strings.
Table B-40 lists the parameters specific to the Traffic ICMP engine.
For More Information
For more information on the parameters common to all signature engines, see Master Engine, page B-4.
Trojan Engines
The Trojan engines analyze nonstandard protocols such as BO2K and TFN2K. There are three Trojan
engines: Trojan BO2K, Trojan TFN2K, and Trojan UDP.
BO was the original Windows back door Trojan and ran over UDP only. It was soon superseded by BO2K,
which supports both UDP and TCP with basic XOR encryption. Both use plain BO headers that have certain
cross-packet characteristics.
BO2K also has a stealthy TCP module that was designed to encrypt the BO header and make the
cross-packet patterns nearly unrecognizable. The UDP modes of BO and BO2K are handled by the
Trojan UDP engine; the TCP modes are handled by the Trojan BO2K engine.
Note: There are no parameters specific to the Trojan engines, except for swap-attacker-victim in the
Trojan UDP engine.
For More Information
For more information on the parameters common to all signature engines, see Master Engine, page B-4.
Table B-40 Traffic ICMP Engine Parameters

Parameter              Description                                                  Value
parameter-tunable-sig  Specifies whether this signature has configurable            yes | no
                       parameters.
inspection-type        Specifies the type of inspection to perform:                 is-loki | is-mod-lok
                       is-loki inspects for original LOKI traffic;
                       is-mod-lok inspects for modified LOKI traffic.
reply-ratio            Specifies the imbalance of replies to requests. The alert    0 to 65535
                       fires when there are this many more ECHO REPLY packets
                       than ECHO REQUEST packets.
want-request           Requires an ECHO REQUEST to be seen before the alert         true | false
                       fires.
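The following is an added example, not Cisco IPS code, that models how the LOKI reply-imbalance check described above behaves under the reply-ratio and want-request parameters of Table B-40. It counts ECHO REQUEST and ECHO REPLY packets per host pair and fires when replies exceed requests by reply-ratio, optionally only after a request has been seen. The per-host-pair bookkeeping, the direction-agnostic pair key, and the sample packet stream are assumptions made for the example; the real engine's internal state handling and its ICMP code and payload discriminators are not described on this page and are not modelled.

```python
# Added example, not Cisco IPS code: a toy model of the Traffic ICMP engine's
# LOKI reply-imbalance check driven by the reply-ratio and want-request
# parameters from Table B-40. Packet records below are constructed, not
# captured. Per-host-pair counting is an assumption; the real engine's
# payload discriminators are not documented here and are not modelled.
from dataclasses import dataclass

ICMP_ECHO_REPLY = 0     # ICMP type 0
ICMP_ECHO_REQUEST = 8   # ICMP type 8


@dataclass(frozen=True)
class IcmpPacket:
    src: str
    dst: str
    icmp_type: int


class TrafficIcmpLoki:
    """Per host-pair ECHO REQUEST / ECHO REPLY bookkeeping.

    reply_ratio:  fire when replies exceed requests by at least this many
                  (the table's "this many more replies than requests").
    want_request: if True, never fire for a host pair until at least one
                  ECHO REQUEST has been seen between those hosts.
    """

    def __init__(self, reply_ratio: int = 1, want_request: bool = True):
        if not 0 <= reply_ratio <= 65535:          # range from Table B-40
            raise ValueError("reply-ratio must be 0..65535")
        self.reply_ratio = reply_ratio
        self.want_request = want_request
        self._state: dict[tuple[str, str], list[int]] = {}  # pair -> [requests, replies]

    @staticmethod
    def _pair(pkt: IcmpPacket) -> tuple[str, str]:
        # Direction-agnostic key so a request and its replies share one bucket.
        return (pkt.src, pkt.dst) if pkt.src < pkt.dst else (pkt.dst, pkt.src)

    def inspect(self, pkt: IcmpPacket) -> bool:
        """Return True if this packet makes the LOKI signature fire."""
        if pkt.icmp_type not in (ICMP_ECHO_REQUEST, ICMP_ECHO_REPLY):
            return False  # other ICMP types are outside this signature's scope
        counts = self._state.setdefault(self._pair(pkt), [0, 0])
        if pkt.icmp_type == ICMP_ECHO_REQUEST:
            counts[0] += 1
            return False
        counts[1] += 1
        if self.want_request and counts[0] == 0:
            return False
        return counts[1] - counts[0] >= self.reply_ratio


def run_signature(packets, reply_ratio: int, want_request: bool) -> list[int]:
    """Return the indices of the packets on which the signature fired."""
    sig = TrafficIcmpLoki(reply_ratio, want_request)
    return [i for i, pkt in enumerate(packets) if sig.inspect(pkt)]


# --- constructed sample traffic (not captured data) ---
def _ping(a: str, b: str, n: int) -> list[IcmpPacket]:
    """n balanced request/reply pairs, as an ordinary ping produces."""
    out = []
    for _ in range(n):
        out.append(IcmpPacket(a, b, ICMP_ECHO_REQUEST))
        out.append(IcmpPacket(b, a, ICMP_ECHO_REPLY))
    return out


NORMAL_PING = _ping("10.0.0.1", "10.0.0.2", 4)
# LOKI-style tunnel: one request to the infected host, then a stream of
# replies carrying the tunnel payload back out.
LOKI_TUNNEL = [IcmpPacket("10.0.0.5", "10.0.0.9", ICMP_ECHO_REQUEST)] + [
    IcmpPacket("10.0.0.9", "10.0.0.5", ICMP_ECHO_REPLY) for _ in range(6)
]
# Replies with no request at all between the hosts.
UNSOLICITED = [IcmpPacket("10.0.0.9", "10.0.0.7", ICMP_ECHO_REPLY) for _ in range(5)]

if __name__ == "__main__":
    print(run_signature(NORMAL_PING + LOKI_TUNNEL, reply_ratio=3, want_request=True))
    print(run_signature(UNSOLICITED, reply_ratio=3, want_request=True))
    print(run_signature(UNSOLICITED, reply_ratio=3, want_request=False))
```

With reply-ratio 3 and want-request true, the balanced ping never fires, the tunnel fires from the fourth reply onward (replies exceed the single request by 3), and unsolicited replies are ignored; setting want-request to false makes the same unsolicited stream fire once three replies have arrived. The trade-off is the one the table implies: want-request false catches reply-only traffic but also fires on benign asymmetries such as replies whose requests the sensor never saw.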