
Cisco IOS Intrusion Prevention System (IPS)

Cisco IOS IPS Supported Signature List in 5.x Signature Format

Overview

In Cisco IOS Software Release 12.4(11)T and later releases, Cisco IOS IPS supports the 5.x signature format. Cisco posts signature packages in the 5.x signature format at the following location: http://www.cisco.com/pcgi-bin/tablebuild.pl/ios-v5sigup.
With support for the 5.x signature format, IOS IPS can use NDA (encrypted) signatures, which the 4.x signature format does not support. This document lists the signatures supported by IOS IPS in 12.4(11)T and later releases.

Feature History of Cisco IOS IPS

Cisco IOS Software Release   Modification
12.4(15)T                    Native support for Microsoft SMB and MSRPC protocol signatures
12.4(11)T                    Support for:
                             • Encrypted signatures
                             • Risk Rating value in IPS alarms
                             • Signature Event Action Processor (SEAP)
                             • Cisco IPS version 5.x signature format
                             • IDCONF-based configuration: available only with 12.4(11)T2 or later
                             • Automatic signature package downloads from a local server
12.4(3a)/12.4(4)T            STRING engine memory optimization
12.4(4)T                     MULTI-STRING engine support for Trend Labs and Cisco Incident Control System (ICS); performance improvement; Distributed Threat Mitigation (DTM)
12.4(2)T                     Layer 2 Transparent IPS support
12.3(14)T                    Support for three string engines (STRING.TCP, STRING.UDP, and STRING.ICMP)
12.3(8)T                     Support for the Security Device Event Exchange (SDEE) protocol and for the ATOMIC.IP, ATOMIC.ICMP, ATOMIC.IPOPTIONS, ATOMIC.UDP, ATOMIC.TCP, SERVICE.DNS, SERVICE.RPC, SERVICE.SMTP, SERVICE.HTTP, SERVICE.FTP, and OTHER engines

Reference:

• 12.4T New Features: http://www.cisco.com/univercd/cc/td/doc/product/software/ios124/124newft/124t/index.htm

IOS-S294-CLI.pkg Supported Signature List

The following table lists all signatures supported in Cisco IOS Software Release 12.4(11)T and later releases as of the IOS-S294-CLI.pkg file. Signatures are sorted by Signature ID; the signature name and signature engine are also listed for each entry.

Signature ID  Signature Name                                    Signature Engine
1000-0        IP options-Bad Option List                        atomic-ip
1001-0        IP options-Record Packet Route                    atomic-ip
1002-0        IP options-Timestamp                              atomic-ip
1003-0        IP options-Provide s,c,h,tcc                      atomic-ip
1004-0        IP options-Loose Source Route                     atomic-ip
1005-0        IP options-SATNET ID                              atomic-ip
1006-0        IP options-Strict Source Route                    atomic-ip
1007-0        IPv6 over IPv4                                    atomic-ip
1101-0        Unknown IP Protocol                               atomic-ip
1102-0        Impossible IP Packet                              atomic-ip
1104-0        IP Localhost Source Spoof                         atomic-ip
1107-0        RFC 1918 Addresses Seen                           atomic-ip
1108-0        IP Packet with Proto 11                           atomic-ip
1109-0        Cisco IOS Interface DoS                           atomic-ip
1109-1        Cisco IOS Interface DoS                           atomic-ip
1109-2        Cisco IOS Interface DoS                           atomic-ip
1109-3        Cisco IOS Interface DoS                           atomic-ip
1201-0        IP Fragment Overlap                               normalizer
1202-0        IP Fragment Overrun - Datagram Too Long           normalizer
1203-0        IP Fragment Overwrite - Data is Overwritten       normalizer
1204-0        IP Fragment Missing Initial Fragment              normalizer
1205-0        IP Fragment Too Many Datagrams                    normalizer
1206-0        IP Fragment Too Small                             normalizer
1207-0        IP Fragment Too Many Fragments in a Datagram      normalizer
1208-0        IP Fragment Incomplete Datagram                   normalizer
2000-0        ICMP Echo Reply                                   atomic-ip
2001-0        ICMP Host Unreachable                             atomic-ip
2001-1        ICMP Host Unreachable                             atomic-ip
2002-0        ICMP Source Quench                                atomic-ip
2003-0        ICMP Redirect                                     atomic-ip
2004-0        ICMP Echo Request                                 atomic-ip
2005-0        ICMP Time Exceeded for a Datagram                 atomic-ip
2006-0        ICMP Parameter Problem on Datagram                atomic-ip
2007-0        ICMP Timestamp Request                            atomic-ip
2008-0        ICMP Timestamp Reply                              atomic-ip
2009-0        ICMP Information Request                          atomic-ip
2010-0        ICMP Information Reply                            atomic-ip
2011-0        ICMP Address Mask Request                         atomic-ip
2012-0        ICMP Address Mask Reply                           atomic-ip
2150-0        Fragmented ICMP Traffic                           atomic-ip
2151-0        Large ICMP Traffic                                atomic-ip
2154-0        Ping of Death Attack                              atomic-ip
2155-0        Modem DoS                                         string-icmp
2156-0        Nachi Worm ICMP Echo Request                      string-icmp
2157-0        ICMP Hard Error DoS                               atomic-ip
2157-1        ICMP Hard Error DoS                               atomic-ip
2157-2        ICMP Hard Error DoS                               atomic-ip
2158-0        Nachi Worm ICMP Echo Request                      atomic-ip
2201-0        IGMP over fragmented IP                           atomic-ip
2202-0        IGMP Invalid Packet DoS                           atomic-ip
3038-0        Fragmented NULL TCP Packet                        atomic-ip
3039-0        Fragmented Orphaned FIN packet                    atomic-ip
3040-0        TCP NULL Packet                                   atomic-ip
3041-0        TCP SYN/FIN Packet                                atomic-ip
3042-0        Orphaned Fin Packet                               atomic-ip
3043-0        Fragmented SYN/FIN Packet                         atomic-ip
3050-0        Half-open SYN Attack                              normalizer
3051-0        TCP Connection Window Size RST DoS                atomic-ip
3051-1        TCP Connection Window Size RST DoS                atomic-ip
3100-0        SMTP RCPT TO: Bounce                              state
3101-0        Sendmail Invalid Recipient                        state
3102-0        Sendmail Invalid Sender                           state
3103-0        Sendmail Reconnaissance                           state
3103-1        Sendmail Reconnaissance                           state
3104-0        Archaic Sendmail Attacks                          state
3104-1        Archaic Sendmail Attacks                          state
3105-0        Sendmail Decode Alias                             state
3106-0        Mail Spam                                         state
3107-0        Majordomo Execute Attack                          state
3108-0        SMTP MIME Content Overflow                        state
3109-0        Long SMTP Command                                 state
3109-1        Long SMTP Command                                 state
3110-0        Suspicious Mail Attachment                        state
3111-0        W32 Sircam Malicious Code                         string-tcp
3111-1        W32 Sircam Malicious Code                         string-tcp
3112-0        Lotus Domino Mail Loop DoS                        state
3113-0        Email Attachment with Malicious Payload           string-tcp
3113-1        Email Attachment with Malicious Payload           string-tcp
3114-0        FetchMail Arbitrary Code Execution                string-tcp
3115-0        Sendmail Data Header Overflow                     state
3115-3        Sendmail Data Header Overflow                     state
3116-0        Netbus                                            string-tcp
3117-0        KLEZ Worm                                         string-tcp
3117-1        KLEZ worm                                         string-tcp
3118-0        rwhoisd format string                             string-tcp
3119-0        WS_FTP STAT Overflow                              string-tcp
3120-0        ANTS Virus                                        string-tcp
3120-1        ANTS Virus                                        string-tcp
3121-0        Vintra MailServer EXPN DoS                        string-tcp
3122-0        SMTP EXPN root Recon                              string-tcp
3123-0        NetBus Pro Traffic                                atomic-ip
3124-0        Sendmail prescan Memory Corruption                state
3125-0        Postfix 1.1.12 envelope address DoS               state
3126-0        Postfix bounce scan                               state
3128-0        Exchange xexch50 overflow                         state
3128-1        Exchange xexch50 overflow                         string-tcp
3129-0        Mimail Virus C Variant File Attachment            state
3130-0        Mimail Virus I Variant File Attachment            string-tcp
3131-0        Mimail Virus L Variant File Attachment            string-tcp
3132-0        Novarg / Mydoom Virus Mail Attachment             string-tcp
3132-1        Novarg / Mydoom Virus Mail Attachment             string-tcp
3133-0        Novarg / Mydoom Virus Mail Attachment Variant B   string-tcp
3133-1        Novarg / Mydoom Virus Mail Attachment Variant B   string-tcp
3134-0        DoomJuice Worm network probe                      string-tcp
3135-0        MyDoom Virus Activity                             string-tcp
3135-1        MyDoom Virus Activity                             string-tcp
3135-2        MyDoom Virus Activity                             string-tcp
3135-3        MyDoom Virus Activity                             string-tcp
3135-4        MyDoom Virus Activity                             string-tcp
3135-5        MyDoom Virus Activity                             string-tcp
3135-6        MyDoom Virus Activity                             string-tcp
3135-7        MyDoom Virus Activity                             string-tcp
3136-0        Netsky Virus Activity                             string-tcp
3136-1        Netsky Virus Activity                             string-tcp
3136-2        Netsky Virus Activity                             string-tcp
3136-3        Netsky Virus Activity                             string-tcp
3136-4