A recent student question in an Implementing Cisco Intrusion Prevention Systems class prompted me to write this article. I would paraphrase that question as follows: “How can I configure a signature to look for a defined sequence of characters at a fixed depth within the packet?”
The basis for the query was a very legitimate concern about packet-based process control exploits that could dangerously compromise an industrial facility. Two platforms will be examined here: the Cisco IPS sensor and the Cisco IOS router.
Functionality for fixed-offset inspection has been present on the Cisco IDS/IPS systems for some time now. As the following screenshot illustrates, the String TCP signature engine allows not only an exact offset in bytes beyond the TCP header to be specified, but also a search range. The range is configured by answering “Yes” to both the Min and Max fields and supplying a value for each.
A more robust and comprehensive implementation of this feature was introduced in IPS software 6.1(1) with the addition of the Fixed Depth All Ports engine. As the reference cited below indicates, this new engine allows custom signatures in which ALL TCP, UDP or ICMP traffic, regardless of port numbers or types, can be scanned for matching strings. Instead of the Service Ports field shown above, the descriptor is entitled Specify Service Ports. If this field is set to “Yes”, then only the listed service ports are examined at the fixed offset.
The Cisco IOS router introduced Flexible Packet Matching (FPM) more than five years ago as a mechanism to enhance the implementation of access-lists to examine a packet for an exact string match at a defined depth beyond the IP header. Unlike the IPS implementation where the “knowledge” of the packet is built-in, the router requires statements in the configuration on the order of the following:
    load protocol <device>:<L3/L4 prot>.phdf
    match start <l2-start | l3-start> offset # size # eq 0x…
The router requires that the Packet Header Definition Files (.phdf) be loaded first, followed by a declaration of whether the search starts at the beginning of the Ethernet frame (l2-start) or the IP header (l3-start), the exact offset, the size of the string to be matched, and finally the string itself in hexadecimal.
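The complete FPM policy that those two statements belong to, as an added example of my own rather than configuration from the original article or from Cisco documentation. It assumes the .phdf files are on flash:, an IOS release that supports FPM, a constructed 4-byte marker 0x4D4F4442 at the very start of the TCP payload of a Modbus/TCP (port 502) session, and the interface name GigabitEthernet0/1.

```cisco
! Load the header definitions so the router knows the IP and TCP layouts
load protocol flash:ip.phdf
load protocol flash:tcp.phdf
!
! Stack class: only descend into IP packets that carry TCP
class-map type stack match-all ip-tcp
 match field IP protocol eq 0x6 next TCP
!
! Access-control class: look for the constructed marker at a fixed depth.
! l3-start is the first byte of the IP header, so with a 20-byte IP header
! and a 20-byte TCP header the payload begins at offset 40. IP or TCP
! options push the payload further out and this fixed offset then misses;
! the IPS String TCP engine, which counts from the end of the TCP header,
! does not have that problem.
class-map type access-control match-all pcs-marker
 match field TCP dest-port eq 0x1F6
 match start l3-start offset 40 size 4 eq 0x4D4F4442
!
! Action taken on a match (drop the packet)
policy-map type access-control pcs-marker-policy
 class pcs-marker
  drop
!
! Outer policy ties the stack class to the payload check
policy-map type access-control fpm-policy
 class ip-tcp
  service-policy pcs-marker-policy
!
interface GigabitEthernet0/1
 service-policy type access-control input fpm-policy
```

Match counters per class can be checked afterwards with "show policy-map type access-control interface".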
Interestingly enough, the ASA security appliance has no feature analogous to FPM; however, with the addition of the IPS module the network administrator has all of the fixed-offset options outlined above.
Author: Doug McKillip