Traffic Icmp Engine - Cisco 4215 - Intrusion Detection Sys Sensor Configuration Manual

Appendix B
Signature Engines
Table B-28    SWEEP Engine Parameters (continued)

Parameter             Description                                                    Value
swap-attacker-victim  True if the source and destination addresses (and ports)       true | false
                      are swapped in the alert message. False for no swap
                      (default).
tcp-flags             TCP flags to match when masked by mask:
                        URG bit                                                      urg
                        ACK bit                                                      ack
                        PSH bit                                                      psh
                        RST bit                                                      rst
                        SYN bit                                                      syn
                        FIN bit                                                      fin
unique                Threshold number of unique port connections between the       0 to 65535
                      two hosts.

TRAFFIC ICMP Engine

The TRAFFIC.ICMP engine analyzes nonstandard protocols, such as TFN2K, LOKI, and DDoS. Only two
signatures (based on the LOKI protocol) have user-configurable parameters.

Tribe Flood Net 2000 (TFN2K) is the newer version of TFN. It is a Distributed Denial of Service
(DDoS) agent used to control coordinated attacks in which infected computers (zombies) flood a single
computer (or domain) with bogus traffic from hundreds or thousands of unknown attacking hosts. TFN2K
randomizes its packet header information, but it has two discriminators that can be used to define
signatures: whether the L3 checksum is incorrect, and whether the character 64 'A' is found at the
end of the payload. TFN2K can run on any port and can communicate over ICMP, TCP, UDP, or a
combination of these protocols.

LOKI is a type of back door Trojan. When a computer is infected, the malicious code creates an "ICMP
tunnel" that can be used to send small payloads in ICMP replies (which may pass straight through a
firewall if it is not configured to block ICMP). The LOKI signatures look for an imbalance of ICMP
echo requests to replies, together with simple ICMP code and payload discriminators.

The DDoS category (excluding TFN2K) targets ICMP-based DDoS agents. The main tools here are TFN
(Tribe Flood Net) and Stacheldraht. They are similar in operation to TFN2K but rely on ICMP only and
have fixed commands (integers and strings).

Table B-29 lists the parameters specific to the TRAFFIC.ICMP engine.

Table B-29    TRAFFIC.ICMP Engine Parameters

Parameter              Description                                                   Value
parameter-tunable-sig  Whether this signature has configurable parameters.           yes | no
inspection-type        Type of inspection to perform:
                         Inspects for original LOKI traffic.                         is-loki
                         Inspects for modified LOKI traffic.                         is-mod-loki

Cisco Intrusion Prevention System Sensor CLI Configuration Guide for IPS 5.0    78-16527-01    B-33
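The discriminators the section describes (an incorrect L3 checksum and trailing 'A' characters for TFN2K, an imbalance of ICMP echo requests to replies for LOKI) can be checked with a few lines of packet inspection. The script below is an added example, not code from the Cisco guide or from the sensor itself: it builds its own IPv4/ICMP echo packets inline as sample data, verifies the IP header checksum, measures the run of 'A' bytes at the end of the payload, and keeps a per-host-pair count of requests and replies. The alert names, the imbalance threshold and the nonzero-code check on echo replies are the example's own assumptions, not sensor parameters.

```python
"""Added example (not from the Cisco guide): a toy inspector for the
TRAFFIC.ICMP discriminators described in the text. All packets are
constructed inline; the alert names and thresholds are assumptions."""
import socket
import struct
from collections import defaultdict

ICMP_ECHO_REPLY = 0
ICMP_ECHO_REQUEST = 8
IPPROTO_ICMP = 1


def ones_complement_sum(data: bytes) -> int:
    """RFC 1071 checksum; a header that carries a correct checksum sums to 0."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_icmp(src, dst, icmp_type, payload, corrupt_checksum=False):
    """Construct a minimal IPv4 + ICMP echo packet (sample data, no IP options).
    corrupt_checksum=True damages the IP header checksum to imitate the
    'incorrect L3 checksum' discriminator the text attributes to TFN2K."""
    total_len = 20 + 8 + len(payload)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, 64, IPPROTO_ICMP, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    csum = ones_complement_sum(hdr)
    if corrupt_checksum:
        csum ^= 0x00FF
    hdr = hdr[:10] + struct.pack("!H", csum) + hdr[12:]
    icmp = struct.pack("!BBHHH", icmp_type, 0, 0, 0x1234, 1) + payload
    icmp = icmp[:2] + struct.pack("!H", ones_complement_sum(icmp)) + icmp[4:]
    return hdr + icmp


def parse_ipv4_icmp(pkt: bytes):
    """Return the fields the detector needs, or None for non-ICMP packets."""
    ihl = (pkt[0] & 0x0F) * 4
    if pkt[9] != IPPROTO_ICMP:
        return None
    icmp = pkt[ihl:]
    return {
        "src": socket.inet_ntoa(pkt[12:16]),
        "dst": socket.inet_ntoa(pkt[16:20]),
        "l3_checksum_ok": ones_complement_sum(pkt[:ihl]) == 0,
        "icmp_type": icmp[0],
        "icmp_code": icmp[1],
        "payload": icmp[8:],
    }


def trailing_a_run(payload: bytes) -> int:
    """Length of the run of 'A' (0x41) bytes at the end of the payload."""
    n = 0
    for b in reversed(payload):
        if b != 0x41:
            break
        n += 1
    return n


class IcmpTrafficMonitor:
    """Per-packet TFN2K-style checks plus a LOKI-style echo request/reply
    imbalance tracked per (client, server) pair."""

    def __init__(self, imbalance_threshold=3):
        self.threshold = imbalance_threshold  # assumed value, not a sensor parameter
        self.requests = defaultdict(int)
        self.replies = defaultdict(int)

    def observe(self, pkt: bytes):
        p = parse_ipv4_icmp(pkt)
        if p is None:
            return []
        alerts = []
        if not p["l3_checksum_ok"]:
            alerts.append("bad-l3-checksum")
        run = trailing_a_run(p["payload"])
        if run:
            alerts.append("trailing-A-padding:%d" % run)
        if p["icmp_type"] == ICMP_ECHO_REQUEST:
            self.requests[(p["src"], p["dst"])] += 1
        elif p["icmp_type"] == ICMP_ECHO_REPLY:
            pair = (p["dst"], p["src"])  # a reply flows server -> client
            self.replies[pair] += 1
            if self.replies[pair] - self.requests[pair] > self.threshold:
                alerts.append("echo-reply-imbalance")
            if p["icmp_code"] != 0:  # echo replies normally carry code 0
                alerts.append("nonzero-echo-code")
        return alerts


def run_demo():
    """Feed constructed traffic through the monitor and collect the alerts."""
    mon = IcmpTrafficMonitor(imbalance_threshold=2)
    out = {}
    out["normal"] = mon.observe(build_ipv4_icmp("10.0.0.5", "10.0.0.9", ICMP_ECHO_REQUEST, b"ping"))
    out["normal"] += mon.observe(build_ipv4_icmp("10.0.0.9", "10.0.0.5", ICMP_ECHO_REPLY, b"ping"))
    # Unsolicited replies with no matching requests: the imbalance trips on the third one.
    loki = [mon.observe(build_ipv4_icmp("10.0.0.9", "10.0.0.5", ICMP_ECHO_REPLY, b"data"))
            for _ in range(3)]
    out["loki_style"] = loki[-1]
    # Bad L3 checksum plus trailing 'A' padding: the two TFN2K discriminators.
    out["tfn2k_style"] = mon.observe(build_ipv4_icmp(
        "10.0.0.7", "10.0.0.9", ICMP_ECHO_REQUEST, b"cmd" + b"A" * 16, corrupt_checksum=True))
    return out


if __name__ == "__main__":
    for name, alerts in run_demo().items():
        print(name, alerts or "no alert")
```

The request/reply counter is keyed on the (client, server) pair so that a reply is matched against the requests that flowed in the opposite direction; a sensor doing this at scale would also need to age entries out, which the toy omits.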