Secure Intrusion Prevention System

Cisco IOS IPS Supported Signature List in 4.x Signature Format

Overview

Cisco Systems® releases IOS intrusion prevention system (IPS) signatures in the form of "S-files", which are lists of signatures and their characteristics. Cisco S-files contain signatures for all Cisco IPS platforms: Cisco IPS 42xx sensors, Cisco ASA 55xx appliances, intrusion detection system (IDS) modules for Cisco Catalyst® 6500 Series switches, and Cisco IOS® IPS. As Cisco creates new signatures, it updates the S-files and increments the file name (e.g. S294 as of August 2007). Cisco IOS IPS supports most, but not all, of the signatures in the S-files. This is because the other platforms (e.g. 42xx sensors) support additional "IPS inspection engines" that Cisco IOS IPS currently does not. Future Cisco IOS IPS releases may add support for these inspection engines.
The total number of signatures supported by Cisco IOS IPS routers depends on the Cisco IOS Software release and the signature distribution package version.
In Cisco IOS Software Release 12.3(14)T, Cisco IOS IPS added support for three STRING engines: STRING.TCP, STRING.UDP, and STRING.ICMP. Adding these engines resulted in a large number of new signatures being supported on Cisco IOS IPS routers. As of signature package IOS-S294.zip, the total number of signatures supported by Cisco IOS Software Release 12.3(14)T or later is 1700 (out of a total of 2011 signatures in the S294 file). Because of this and other IPS enhancements, Cisco recommends running Cisco IOS Software Release 12.4(4)T or later when using Cisco IOS IPS.
The following table lists all signatures supported in the IOS-S294.zip signature file, as of Cisco IOS Software Release 12.3(14)T or later. The list is sorted by signature ID. The signature name and signature engine information are also listed.
To download Cisco IOS IPS signature distribution packages, visit http://www.cisco.com/cgi-bin/tablebuild.pl/ios-sigup.

Feature History of Cisco IOS IPS

| Cisco IOS Software Release | Modification |
| --- | --- |
| 12.4(6)T | Session setup rate performance improvements |
| 12.4(3a)/12.4(4)T | STRING engine memory optimization |
| 12.4(4)T | MULTI-STRING engine support for Trend Labs and Cisco Incident Control System (ICS); performance improvement; Distributed Threat Mitigation (DTM) |
| 12.4(2)T | Layer 2 Transparent IPS support |
| 12.3(14)T | Support for three string engines (STRING.TCP, STRING.UDP, and STRING.ICMP) |
| 12.3(8)T | Support for Security Device Event Exchange (SDEE) protocol and for ATOMIC.IP, ATOMIC.ICMP, ATOMIC.IPOPTIONS, ATOMIC.UDP, ATOMIC.TCP, SERVICE.DNS, SERVICE.RPC, SERVICE.SMTP, SERVICE.HTTP, SERVICE.FTP, and OTHER engines |

Reference:

• 12.3T New Features http://www.cisco.com/univercd/cc/td/doc/product/software/ios123/123newft/123t/index.htm

• 12.4T New Features http://www.cisco.com/univercd/cc/td/doc/product/software/ios124/124newft/124t/index.htm

• 12.4(6)T New Features http://www.cisco.com/univercd/cc/td/doc/product/software/ios124/124newft/124t/124t6/index.htm

IOS-S294 Supported Full Signature List

The following table lists all signatures supported in Cisco IOS Software Release 12.3(14)T or later as of the IOS-S294.zip signature file. Signatures are sorted by signature ID. The signature name and signature engine are also listed.

| Signature ID | Signature Name | Engine |
| --- | --- | --- |
| 1000-0 | BAD IP OPTION | ATOMIC.IPOPTIONS |
| 1001-0 | Record Packet Rte | ATOMIC.IPOPTIONS |
| 1002-0 | Timestamp | ATOMIC.IPOPTIONS |
| 1003-0 | Provide s,c,h,tcc | ATOMIC.IPOPTIONS |
| 1004-0 | Loose Src Rte | ATOMIC.IPOPTIONS |
| 1005-0 | SATNET ID | ATOMIC.IPOPTIONS |
| 1006-0 | Strict Src Rte | ATOMIC.IPOPTIONS |
| 1007-0 | IPv6 over IPv4 | ATOMIC.L3.IP |
| 1101-0 | Unknown IP Proto | ATOMIC.L3.IP |
| 1102-0 | Impossible IP packet | ATOMIC.L3.IP |
| 1104-0 | IP Localhost Source Spoof | ATOMIC.L3.IP |
| 1107-0 | RFC1918 address | ATOMIC.L3.IP |
| 1108-0 | IP Packet with Proto 11 | ATOMIC.L3.IP |
| 1109-0 | Cisco IOS Interface DoS | ATOMIC.L3.IP |
| 1109-1 | Cisco IOS Interface DoS | ATOMIC.L3.IP |
| 1109-2 | Cisco IOS Interface DoS | ATOMIC.L3.IP |
| 1109-3 | Cisco IOS Interface DoS | ATOMIC.L3.IP |
| 1201-0 | Frag Overlap | OTHER |
| 1202-0 | DGram too long | OTHER |
| 1203-0 | Frag Overwrite | OTHER |
| 1204-0 | No Initial Frag | OTHER |
| 1205-0 | Too Many Dgrams | OTHER |
| 1206-0 | Frag Too Small | OTHER |
| 1207-0 | Too Many Frags | OTHER |
| 1208-0 | Incomplete DGram | OTHER |
| 2000-0 | ICMP Echo Rply | ATOMIC.ICMP |
| 2001-0 | ICMP Host Unreachable | ATOMIC.ICMP |
| 2001-1 | ICMP Host Unreachable | ATOMIC.ICMP |
| 2002-0 | ICMP Src Quench | ATOMIC.ICMP |
| 2003-0 | ICMP Redirect | ATOMIC.ICMP |
| 2004-0 | ICMP Echo Req | ATOMIC.ICMP |
| 2005-0 | ICMP Time Exceed | ATOMIC.ICMP |
| 2006-0 | ICMP Param Prob | ATOMIC.ICMP |
| 2007-0 | ICMP Time Req | ATOMIC.ICMP |
| 2008-0 | ICMP Time Rply | ATOMIC.ICMP |
| 2009-0 | ICMP Info Req | ATOMIC.ICMP |
| 2010-0 | ICMP Info Rply | ATOMIC.ICMP |
| 2011-0 | ICMP Addr Msk Req | ATOMIC.ICMP |
| 2012-0 | ICMP Addr Msk Rply | ATOMIC.ICMP |
| 2150-0 | Fragmented ICMP | ATOMIC.ICMP |
| 2151-0 | Large ICMP | ATOMIC.L3.IP |
| 2154-0 | Ping Of Death | ATOMIC.L3.IP |
| 2155-0 | Modem DoS | STRING.ICMP |
| 2156-0 | Nachi Worm ICMP Echo Request | STRING.ICMP |
| 2157-0 | ICMP Hard Error DoS | ATOMIC.ICMP |
| 2157-1 | ICMP Hard Error DoS | ATOMIC.ICMP |
| 2157-2 | ICMP Hard Error DoS | ATOMIC.ICMP |
| 2201-0 | IGMP over fragmented IP | ATOMIC.L3.IP |
| 2202-0 | IGMP Invalid Packet DoS | ATOMIC.L3.IP |
| 3038-0 | TCP FRAG NULL Packet | ATOMIC.TCP |
| 3039-0 | TCP FRAG FIN Packet | ATOMIC.TCP |
| 3040-0 | TCP NULL Packet | ATOMIC.TCP |
| 3041-0 | TCP SYN/FIN Packet | ATOMIC.TCP |
| 3042-0 | TCP FIN Packet | ATOMIC.TCP |
| 3043-0 | TCP FRAG SYN/FIN Packet | ATOMIC.TCP |
| 3050-0 | Half-open Syn | OTHER |
| 3051-0 | TCP Connection Window Size DoS | ATOMIC.TCP |
| 3051-1 | TCP Connection Window Size DoS | ATOMIC.TCP |
| 3100-0 | SMTP RCPT TO | Bounce |
| 3101-0 | SMTP To | Bounce |
| 3102-0 | SMTP Invalid Sender | SERVICE.SMTP |
| 3103-0 | SMTP (EXPN or VRFY) | SERVICE.SMTP |
| 3103-1 | SMTP (EXPN or VRFY) | SERVICE.SMTP |
| 3104-0 | SMTP Archaic | SERVICE.SMTP |
| 3104-1 | SMTP Archaic | SERVICE.SMTP |
| 3105-0 | SMTP Decode | SERVICE.SMTP |
| 3106-0 | SMTP RCPT TO | |
| 3107-0 | SMTP Majordomo Attack | SERVICE.SMTP |
| 3108-0 | SMTP MIME Content Overflow | SERVICE.SMTP |
| 3109-0 | Long SMTP Command | SERVICE.SMTP |
| 3109-1 | Long SMTP Command | SERVICE.SMTP |
| 3110-0 | SMTP Suspicious Attachment | SERVICE.SMTP |
| 3111-0 | W32 Sircam Malicious Code | STRING.TCP |
| 3111-1 | W32 Sircam Malicious Code | STRING.TCP |
| 3112-0 | Lotus Notes Mail Loop DoS | SERVICE.SMTP |
| 3113-0 | Email Attachment with Malicious Payload | STRING.TCP |
| 3113-1 | Email Attachment with Malicious Payload | STRING.TCP |
| 3114-0 | Fetchmail Arbitrary Code Execution | STRING.TCP |
| 3115-0 | Sendmail Data Header Overflow | SERVICE.SMTP |
| 3115-3 | Sendmail Data Header Overflow | SERVICE.SMTP |
| 3116-0 | NetBus | STRING.TCP |
| 3117-0 | KLEZ worm | STRING.TCP |
| 3117-1 | KLEZ worm | STRING.TCP |
| 3118-0 | rwhoisd format string | STRING.TCP |
| 3119-0 | WS_FTP STAT overflow | STRING.TCP |
| 3120-0 | ANTS Virus | STRING.TCP |
| 3120-1 | ANTS Virus | STRING.TCP |
| 3121-0 | Vintra MailServer EXPN DoS | STRING.TCP |
| 3122-0 | SMTP EXPN root Recon | STRING.TCP |
| 3123-0 | NetBus Pro Traffic | ATOMIC.TCP |
| 3124-0 | Sendmail prescan Memory Corruption | SERVICE.SMTP |
| 3125-0 | Postfix 1.1.12 envelope address DoS | SERVICE.SMTP |
| 3126-0 | Postfix bounce scan | SERVICE.SMTP |
| 3127-0 | SMTP AUTH Brute Force Attempt | SERVICE.SMTP |
| 3128-1 | Exchange xexch50 overflow | STRING.TCP |
| 3129-0 | Mimail Virus C Variant File Attachment | SERVICE.SMTP |
| 3130-0 | Mimail Virus I Variant File Attachment | STRING.TCP |
| 3131-0 | Mimail Virus L Variant File Attachment | STRING.TCP |
| 3132-0 | Novarg / Mydoom Virus Mail Attachment | STRING.TCP |
| 3132-1 | Novarg / Mydoom Virus Mail Attachment | STRING.TCP |
| 3133-0 | Novarg / Mydoom Virus Mail Attachment Variant B | STRING.TCP |
| 3133-1 | Novarg / Mydoom Virus Mail Attachment Variant B | STRING.TCP |
| 3135-0 | MyDoom Virus Activity | STRING.TCP |
| 3135-1 | MyDoom Virus Activity | STRING.TCP |
| 3135-2 | MyDoom Virus Activity | STRING.TCP |
| 3135-3 | MyDoom Virus Activity | STRING.TCP |
| 3135-4 | MyDoom Virus Activity | STRING.TCP |
| 3135-5 | MyDoom Virus Activity | STRING.TCP |
| 3135-6 | MyDoom Virus Activity | STRING.TCP |
| 3135-7 | MyDoom Virus Activity | STRING.TCP |
| 3136-0 | Netsky Virus Activity | STRING.TCP |
| 3136-1 | Netsky Virus Activity | STRING.TCP |
| 3136-2 | Netsky Virus Activity | STRING.TCP |
| 3136-3 | Netsky Virus Activity | STRING.TCP |
| 3136-4 | Netsky Virus Activity | STRING.TCP |
| 3136-5 | Netsky Virus Activity | STRING.TCP |
| 3136-6 | Netsky Virus Activity | STRING.TCP |
| 3136-7 | Netsky Virus Activity | |