[Contents]
[Prev]
[Next]
[Index]
[Report an Error]
Attack Properties—Signature Attacks
Signature attack objects use a stateful attack signature (a
pattern that always exists within a specific section of the attack)
to detect known attacks. They also include the protocol or service
used to perpetrate the attack and the context in which the attack
occurs. The following properties are specific to signature attacks,
and you can configure them when configuring signature attack:
 |
Note:
Attack context, flow type, and direction are mandatory fields
for the signature attack definition.
|
Attack Context
An attack context defines the location of the signature. If
you know the service and the specific service context, specify that
service and then specify the appropriate service contexts. If you
know the service, but are unsure of the specific service context,
specify one of the following general contexts:
-
first-data-packet—Specify this context
to detect the attack in only the first data packet.
-
first-packet—Specify this context to detect
the attack in only the first packet of a stream. When the flow direction
for the attack object is set to any, the device checks the
first packet of both the server-to-client and the client-to-server
flows. If you know that the attack signature appears in the first
packet of a session, choosing first packet instead of packet reduces the amount of traffic the device needs to monitor,
which improves performance.
-
packet—Specify this context to match the
attack pattern within a packet. When you select this option, you must
also specify the service binding to define the service header options
. Although not required, specifying these additional parameters improves
the accuracy of the attack object and thereby improves performance.
-
line—Specify this context to detect a pattern
match within a specific line within your network traffic.
-
normalized-stream—Specify this context
to detect the attack in an entire normalized stream. The normalized
stream is one of the multiple ways of sending information. In this
stream the information in the packet is normalized before a match
is performed. Suppose www.yahoo.com/sports is the same as www.yahoo.com/s%70orts. The normalized form to represent both
of these URLs might be www.yahoo.com/sports. Choose normalized
stream instead of stream, unless you want to detect
some pattern in its exact form. For example, if you want to detect
the exact pattern www.yahoo.com/s%70orts, then select stream.
-
normalized-stream256—Specify this context
to detect the attack in only the first 256 bytes of a normalized stream.
-
normalized-stream1k—Specify this context
to detect the attack in only the first 1024 bytes of a normalized
stream.
-
normalized-stream-8k—Specify this context
to detect the attack in only the first 8192 bytes of a normalized
stream.
-
stream—Specify this context to reassemble
packets and extract the data to search for a pattern match. However,
the device cannot recognize packet boundaries for stream contexts,
so data for multiple packets is combined. Specify this option only
when no other context option contains the attack.
-
stream256—Specify this context to reassemble
packets and search for a pattern match within the first 256 bytes
of a traffic stream. When the flow direction is set to any, the device checks the first 256 bytes of both the server-to-client
and client-to-server flows. If you know that the attack signature
will appear in the first 256 bytes of a session, choosing stream256 instead of stream reduces the amount of traffic that the
device must monitor and cache, thereby improving performance.
-
stream1k—Specify this context to reassemble
packets and search for a pattern match within the first 1024 bytes
of a traffic stream. When the flow direction is set to any, the device checks the first 1024 bytes of both the server-to-client
and client-to-server flows. If you know that the attack signature
will appear in the first 1024 bytes of a session, choosing stream1024 instead of stream reduces the amount of traffic that the
device must monitor and cache, thereby improving performance.
-
stream8k—Specify this context to reassemble
packets and search for a pattern match within the first 8192 bytes
of a traffic stream. When the flow direction is set to any, the device checks the first 8192 bytes of both the server-to-client
and client-to-server flows. If you know that the attack signature
will appear in the first 8192 bytes of a session, choosing stream8192 instead of stream reduces the amount of traffic that the
device must monitor and cache, thereby improving performance.
Attack Direction
You can specify the connection direction of the attack. Using
a single direction (instead of Any) improves performance,
reduces false positives, and increases detection accuracy.
- Client to server (detects the attack only in client-to-server
traffic)
- Server to client (detects the attack only in server-to-client
traffic)
- Any (detects the attack in either direction)
Attack Pattern
Attack patterns are signatures of the attacks you want to detect.
A signature is a pattern that always exists within an attack; if the
attack is present, so is the signature. To create the attack pattern,
you must first analyze the attack to detect a pattern (such as a segment
of code, a URL, or a value in a packet header), then create a syntactical
expression that represents that pattern. You can also negate a pattern.
Negating a pattern means that the attack is considered matched if
the pattern defined in the attack does not match
the specified pattern.
|
Note:
Pattern negation is supported for packet, line, and application
based contexts only and not for stream and normalized stream contexts.
|
Protocol-Specific Parameters
Specifies certain values and options existing within packet
headers. These parameters are different for different protocols. In
a custom attack definition, you can specify fields for only one of
the following protocols—TCP, UDP, or ICMP. Although, you can
define IP protocol fields with TCP or UDP in a custom attack definition.
|
Note:
Header parameters can be defined only for attack objects that
use a packet or first packet context. If you specified a line, stream,
stream 256, or a service context you cannot specify header parameters.
|
If you are unsure of the options or flag settings for the malicious
packet, leave all fields blank and IDP attempts to match the signature
for all header contents.
Table 102 displays fields
and flags that you can set for attacks that use the IP protocol.
Table 102: IP Protocol Fields and Flags
|
Field
|
Description
|
|
Type of Service
|
Specify a value for the service type. Common service types are:
- 0000 Default
- 0001 Minimize Cost
- 0002 Maximize Reliability
- 0003 Maximize Throughput
- 0004 Minimize Delay
- 0005 Maximize Security
|
|
Total Length
|
Specify a value for the number of bytes in the packet, including
all header fields and the data payload.
|
|
ID
|
Specify a value for the unique value used by the destination
system to reassemble a fragmented packet.
|
|
Time to Live
|
Specify an integer value in the range of 0–255 for the
time-to-live (TTL) value of the packet. This value represents the
number of devices the packet can traverse. Each router that processes
the packet decrements the TTL by 1; when the TTL reaches
0, the packet is discarded.
|
|
Protocol
|
Specify a value for the protocol used.
|
|
Source
|
Enter the source address of the attacking device.
|
|
Destination
|
Enter the destination address of the attack target.
|
|
Reserved Bit
|
This bit is not used.
|
|
More Fragments
|
When set (1), this option indicates that the packet
contains more fragments. When unset (0), it indicates that
no more fragments remain.
|
|
Don’t Fragment
|
When set (1), this option indicates that the packet
cannot be fragmented for transmission.
|
Table 103 displays packet
header fields and flags that you can set for attacks that use the
TCP protocol.
Table 103: TCP Header Fields and Flags
|
Field
|
Description
|
|
Source Port
|
Specify a value for the port number on the attacking device.
|
|
Destination Port
|
Specify a value for the port number of the attack target.
|
|
Sequence Number
|
Specify a value for the sequence number of the packet. This
number identifies the location of the data in relation to the entire
data sequence.
|
|
ACK Number
|
Specify a value for the ACK number of the packet. This number
identifies the next sequence number; the ACK flag must be set to activate
this field.
|
|
Header Length
|
Specify a value for the number of bytes in the TCP header.
|
|
Data Length
|
Specify a value for the number of bytes in the data payload.
For SYN, ACK, and FIN packets, this field should be empty.
|
|
Window Size
|
Specify a value for the number of bytes in the TCP window size.
|
|
Urgent Pointer
|
Specify a value for the urgent pointer. The value indicates
that the data in the packet is urgent; the URG flag must be set to
activate this field.
|
|
URG
|
When set, the urgent flag indicates that the packet data is
urgent.
|
|
ACK
|
When set, the acknowledgment flag acknowledges receipt of a
packet.
|
|
PSH
|
When set, the push flag indicates that the receiver should push
all data in the current sequence to the destination application (identified
by the port number) without waiting for the remaining packets in the
sequence.
|
|
RST
|
When set, the reset flag resets the TCP connection, discarding
all packets in an existing sequence.
|
|
SYN
|
When set, the SYN flag indicates a request for a new session.
|
|
FIN
|
When set, the final flag indicates that the packet transfer
is complete and the connection can be closed.
|
|
R1
|
This reserved bit (1 of 2) is not used.
|
|
R2
|
This reserved bit (2 of 2) is not used.
|
Table 104 displays packet
header fields and flags that you can set for attacks that use the
UDP protocol.
Table 104: UDP Header Fields and Flags
|
Field
|
Description
|
|
Source Port
|
Specify a value for the port number on the attacking device.
|
|
Destination Port
|
Specify a value for the port number of the attack target.
|
|
Data Length
|
Specify a value for the number of bytes in the data payload.
|
Table 105 displays packet
header fields and flags that you can set for attacks that use the
ICMP protocol.
Table 105: ICMP Header Fields and Flags
|
Field
|
Description
|
|
ICMP Type
|
Specify a value for the primary code that identifies the function
of the request or reply packet.
|
|
ICMP Code
|
Specify a value for the secondary code that identifies the function
of the request or reply packet within a given type.
|
|
Sequence Number
|
Specify a value for the sequence number of the packet. This
number identifies the location of the request or reply packet in relation
to the entire sequence.
|
|
ICMP ID
|
Specify a value for the identification number. The identification
number is a unique value used by the destination system to associate
request and reply packets.
|
|
Data Length
|
Specify a value for the number of bytes in the data payload.
|
Sample Signature Attack Definition
The following is a sample signature attack definition:
<Entry>
<Name>sample-sig</Name>
<Severity>Major</Severity>
<Attacks><Attack>
<TimeBinding><Count>2</Count>
<Scope>dst</Scope></TimeBinding>
<Application>FTP</Application>
<Type>signature</Type>
<Context>packet</Context>
<Negate>true</Negate>
<Flow>Control</Flow>
<Direction>any</Direction>
<Headers><Protocol><Name>ip</Name>
<Field><Name>ttl</Name>
<Match>==</Match><Value>128</Value></Field>
</Protocol><Name>tcp</Name>
<Field><Name><Match><</Match>
<value>1500</Value>
</Field></Protocol></Headers>
</Attack></Attacks>
</Entry>
[Contents]
[Prev]
[Next]
[Index]
[Report an Error]
