Service.mssql Engine; Service.ntp Engine - Cisco 4215 - Intrusion Detection Sys Sensor Configuration Manual


Appendix B: Signature Engines
SERVICE Engines

Table B-17 SERVICE.MSRPC Engine Parameters

| Parameter | Description | Value |
|---|---|---|
| protocol | Protocol of interest for this inspector. | tcp, udp |
| specify-operation | (Optional) Enables using MS RPC operation. operation: MS RPC operation requested. Required for SMB_COM_TRANSACTION commands. Exact match. | 0 to 65535 |
| specify-regex-string | (Optional) Enables using a regular expression string. specify-exact-match-offset: enables the exact match offset (exact-match-offset: the exact stream offset the regular expression string must report for a match to be valid). specify-min-match-length: enables the minimum match length (min-match-length: minimum number of bytes the regular expression string must match). | 0 to 65535 |
| specify-uuid | (Optional) Enables UUID. uuid: MS RPC UUID field. | 000001a000000000c000000000000046 |

SERVICE.MSSQL Engine

The SERVICE.MSSQL engine inspects the protocol used by Microsoft's SQL server (MS SQL).
There is one MS SQL signature. It fires an alert when it detects an attempt to log in to an MS SQL server with the default sa account.
You can add custom signatures based on MS SQL protocol values, such as login username and whether a password was used.
Table B-18 lists the parameters specific to the SERVICE.MSSQL engine.

Table B-18 SERVICE.MSSQL Engine Parameters

| Parameter | Description | Value |
|---|---|---|
| password-present | Whether or not a password was used in an MS SQL login. | true or false |
| specify-sql-username | (Optional) Enables using an SQL username. sql-username: username (exact match) of user logging in to MS SQL service. | sa |

SERVICE.NTP Engine

The SERVICE.NTP engine inspects the NTP protocol. There is one NTP signature, the NTPd readvar overflow signature, which fires an alert if a readvar command is seen with NTP data that is too large for the NTP service to capture.

Source: Cisco Intrusion Prevention System Sensor CLI Configuration Guide for IPS 5.0 (78-16527-01)
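As an added example (not taken from the Cisco guide and not Cisco's implementation), the following Python code shows how the two Table B-18 values for the SERVICE.MSSQL engine, the login username and whether a password was supplied, can be read from a login packet and matched. It assumes the TDS 7.x LOGIN7 layout from Microsoft's MS-TDS specification; the function names and the sample packets are constructed for illustration.

```python
import struct

TDS_LOGIN7 = 0x10           # TDS packet type for a LOGIN7 request
HDR, FIXED = 8, 36          # TDS header; fixed LOGIN7 fields before the offset table
DATA_OFF = 94               # start of string data in TDS 7.2+ (sample uses this layout)

def parse_login7(packet: bytes):
    """Return (username, password_present), or None if not a usable LOGIN7."""
    if len(packet) < HDR + FIXED + 12 or packet[0] != TDS_LOGIN7:
        return None
    body = packet[HDR:]     # offsets in the table are relative to this point
    # First three (offset, length) pairs: HostName, UserName, Password.
    _, _, ib_user, cch_user, _, cch_pwd = struct.unpack_from("<6H", body, FIXED)
    end = ib_user + 2 * cch_user            # lengths count UCS-2 characters
    if end > len(body):
        return None                         # truncated or malformed: no verdict
    return body[ib_user:end].decode("utf-16-le", "replace"), cch_pwd > 0

def matches(packet, sql_username=None, password_present=None):
    """Evaluate the two Table B-18 parameters; None means 'not specified'."""
    parsed = parse_login7(packet)
    if parsed is None:
        return False
    user, has_pwd = parsed
    if sql_username is not None and user != sql_username:   # exact match
        return False
    return password_present is None or has_pwd == password_present

def build_login7(user: str, password: str) -> bytes:
    """Constructed sample input: LOGIN7 with only UserName and Password set."""
    u = user.encode("utf-16-le")
    # LOGIN7 obfuscates the password: swap nibbles, then XOR 0xA5.
    p = bytes((((b << 4) & 0xF0) | (b >> 4)) ^ 0xA5 for b in password.encode("utf-16-le"))
    table = struct.pack("<6H", DATA_OFF, 0, DATA_OFF, len(user),
                        DATA_OFF + len(u), len(password))
    table += bytes(DATA_OFF - FIXED - len(table))          # unused pairs zeroed
    body = struct.pack("<I", DATA_OFF + len(u) + len(p)) + bytes(FIXED - 4) + table + u + p
    return struct.pack(">BBHHBB", TDS_LOGIN7, 0x01, HDR + len(body), 0, 1, 0) + body

if __name__ == "__main__":
    for user, pwd in [("sa", ""), ("sa", "S3cret"), ("appuser", "S3cret")]:
        pkt = build_login7(user, pwd)
        print(user, parse_login7(pkt), matches(pkt, sql_username="sa"))
```

A blank-password sa login is the case where sql-username sa and password-present false both match; truncated or non-login packets yield no verdict rather than a false match.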
