Trojan Engines - Cisco 4215 - Intrusion Detection Sys Sensor Configuration Manual


Appendix B      Signature Engines
TROJAN Engines

Table B-29      TRAFFIC.ICMP Engine Parameters (continued)

Parameter       Description                                                      Value
reply-ratio     Imbalance of replies to requests. The alert fires when there     0 to 65535
                are this many more replies than requests.
want-request    Requires that an ECHO REQUEST be seen before firing the alert.   true | false

TROJAN Engines

The TROJAN engines analyze nonstandard protocols, such as BO2K and TFN2K. There are three
TROJAN engines: TROJAN.BO2K, TROJAN.TFN2K, and TROJAN.UDP.

BackOrifice (BO) was the original Windows back door Trojan that ran over UDP only. It was soon
superseded by BackOrifice 2000 (BO2K). BO2K supported both UDP and TCP, with basic XOR
encryption. Both have plain BO headers that have certain cross-packet characteristics.
BO2K also has a stealthy TCP module that was designed to encrypt the BO header and make the
cross-packet patterns nearly unrecognizable.

The UDP modes of BO and BO2K are handled by the TROJAN.UDP engine. The TCP modes are
handled by the TROJAN.BO2K engine.

There are no specific parameters to the TROJAN engines, except for swap-attacker-victim in the
TROJAN.UDP engine.

Cisco Intrusion Prevention System Sensor CLI Configuration Guide for IPS 5.0
78-16527-01                                                                      B-34
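The reply-ratio and want-request parameters in Table B-29 describe a simple stateful count: the alert fires once ICMP echo replies outnumber echo requests by reply-ratio, and want-request gates firing until a request has actually been observed. The following is an added illustration of that logic, not Cisco's engine code. It assumes constructed packet records, keys the counters on the unordered host pair (so both directions of an exchange are counted together), uses a "greater than or equal" comparison for "this many more", and fires at most once per host pair; none of those details are stated in the guide.

```python
"""Illustration of the TRAFFIC.ICMP reply-ratio / want-request behaviour.

Constructed example: a minimal detector that counts ICMP echo requests and
echo replies between a pair of hosts and raises an alert once replies
outnumber requests by `reply_ratio`. With `want_request=True` it refuses to
fire until at least one ECHO REQUEST has been seen, matching the parameter
descriptions in Table B-29. Host-pair keying, the >= comparison and the
fire-once-per-pair rule are assumptions made for this illustration.
"""
from collections import defaultdict
from dataclasses import dataclass

ECHO_REPLY = 0    # ICMP type 0
ECHO_REQUEST = 8  # ICMP type 8


@dataclass
class IcmpPacket:
    """Constructed packet record: only the fields the detector needs."""
    src: str
    dst: str
    icmp_type: int


class ReplyRatioDetector:
    def __init__(self, reply_ratio=10, want_request=True):
        self.reply_ratio = reply_ratio      # 0 to 65535 per Table B-29
        self.want_request = want_request    # true | false per Table B-29
        # Per unordered host pair: [requests_seen, replies_seen]
        self._counts = defaultdict(lambda: [0, 0])
        self._fired = set()

    @staticmethod
    def _pair(pkt):
        # Requests and replies travel in opposite directions, so key on the
        # unordered host pair to see both sides of one exchange.
        return tuple(sorted((pkt.src, pkt.dst)))

    def observe(self, pkt):
        """Feed one packet; return an alert string, or None if nothing fires."""
        if pkt.icmp_type not in (ECHO_REQUEST, ECHO_REPLY):
            return None
        key = self._pair(pkt)
        counts = self._counts[key]
        if pkt.icmp_type == ECHO_REQUEST:
            counts[0] += 1
        else:
            counts[1] += 1
        requests, replies = counts
        if key in self._fired:
            return None                     # already alerted on this pair
        if self.want_request and requests == 0:
            return None                     # want-request: no ECHO REQUEST yet
        if replies - requests >= self.reply_ratio:
            self._fired.add(key)
            return (f"ICMP reply imbalance {key[0]}<->{key[1]}: "
                    f"{replies} replies vs {requests} requests")
        return None


def run(packets, reply_ratio, want_request):
    """Run the detector over a packet list and collect the alerts it raises."""
    det = ReplyRatioDetector(reply_ratio=reply_ratio, want_request=want_request)
    return [a for a in (det.observe(p) for p in packets) if a]


# Constructed sample traffic: one request from 10.0.0.5, then a burst of
# replies back to it that far exceeds what one request should produce.
SAMPLE = ([IcmpPacket("10.0.0.5", "192.0.2.1", ECHO_REQUEST)]
          + [IcmpPacket("192.0.2.1", "10.0.0.5", ECHO_REPLY) for _ in range(6)])

# The same burst of replies with no request at all.
UNSOLICITED = [IcmpPacket("192.0.2.1", "10.0.0.5", ECHO_REPLY) for _ in range(6)]

if __name__ == "__main__":
    for alert in run(SAMPLE, reply_ratio=3, want_request=True):
        print(alert)
    print("unsolicited, want_request=True :", run(UNSOLICITED, 3, True))
    print("unsolicited, want_request=False:", run(UNSOLICITED, 3, False))
```

With reply_ratio=3 the SAMPLE traffic fires on the fourth reply (4 replies against 1 request), whereas the UNSOLICITED burst fires only when want_request is false; with want_request true it never fires, because no ECHO REQUEST was seen.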
