Cisco 4215 - Intrusion Detection Sys Sensor Configuration Manual page 406

Configuration guide

SERVICE Engines
SERVICE.DNS Engine
The SERVICE.DNS engine specializes in advanced DNS decode, which includes anti-evasive
techniques, such as following multiple jumps. It has many parameters such as lengths, opcodes, strings,
and so forth. The SERVICE.DNS engine is a biprotocol inspector operating on both TCP and UDP
port 53. It uses the STREAM for TCP and the QUAD for UDP.
Table B-11 lists the parameters specific to the SERVICE.DNS engine.

Table B-11 SERVICE.DNS Engine Parameters

| Parameter | Description | Value |
|---|---|---|
| protocol | Protocol of interest for this inspector. | TCP, UDP |
| specify-query-chaos-string | (Optional) Enables the DNS Query Class Chaos String. | query-chaos-string |
| specify-query-class | (Optional) Enables the query class: query-class—DNS Query Class 2 Byte Value | 0 to 65535 |
| specify-query-invalid-domain-name | (Optional) Enables query invalid domain name: query-invalid-domain-name—DNS Query Length greater than 255 | true \| false |
| specify-query-jump-count-exceeded | (Optional) Enables query jump count exceeded: query-jump-count-exceeded—DNS compression counter | true \| false |
| specify-query-opcode | (Optional) Enables query opcode: query-opcode—DNS Query Opcode 1 byte Value | 0 to 65535 |
| specify-query-record-data-invalid | (Optional) Enables query record data invalid: query-record-data-invalid—DNS Record Data incomplete | true \| false |
| specify-query-record-data-len | (Optional) Enables the query record data length: query-record-data-len—DNS Response Record Data Length | 0 to 65535 |

SERVICE SMB Engine, page B-24
SERVICE.SNMP Engine, page B-26
SERVICE.SSH Engine, page B-27

Cisco Intrusion Prevention System Sensor CLI Configuration Guide for IPS 5.0
Appendix B, Signature Engines
78-16527-01
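Two of the conditions Table B-11 names, jump count exceeded and query length greater than 255, can be checked with a bounded DNS name decoder. The Python below is an added example, not Cisco's implementation or code from the guide; `MAX_JUMPS`, the finding strings, the function names and the sample messages are assumptions constructed for illustration.

```python
import struct

MAX_JUMPS = 16      # assumed limit; the page does not state a threshold
MAX_NAME_LEN = 255  # the table's "DNS Query Length greater than 255"

def decode_name(msg, off):
    """Return (name, offset just past the name field, finding or None)."""
    labels, jumps, length, resume, finding = [], 0, 1, None, None
    while finding is None:
        b = msg[off] if off < len(msg) else None
        if b is None:                             # name runs past the message
            finding = "malformed"
        elif b == 0:                              # root label terminates the name
            off += 1
            break
        elif b & 0xC0 == 0xC0:                    # two-byte compression pointer
            jumps += 1
            if off + 1 >= len(msg):
                finding = "malformed"
            elif jumps > MAX_JUMPS:               # pointer loop or excessive chain
                finding = "jump-count-exceeded"
            else:
                resume = off + 2 if resume is None else resume
                off = ((b & 0x3F) << 8) | msg[off + 1]
        elif b & 0xC0 or off + 1 + b > len(msg):  # reserved type or short label
            finding = "malformed"
        else:
            labels.append(msg[off + 1:off + 1 + b].decode("ascii", "replace"))
            length += 1 + b                       # wire length, root byte included
            off += 1 + b
            if length > MAX_NAME_LEN:
                finding = "name-too-long"
    return ".".join(labels), (off if resume is None else resume), finding

def inspect_query(msg):
    """Decode opcode, first question name and query class of one DNS message."""
    if len(msg) < 12:
        return {"opcode": None, "name": "", "qclass": None, "finding": "malformed"}
    opcode = (struct.unpack_from("!H", msg, 2)[0] >> 11) & 0xF
    name, off, finding = decode_name(msg, 12)
    ok = finding is None and off + 4 <= len(msg)
    qclass = struct.unpack_from("!HH", msg, off)[1] if ok else None
    return {"opcode": opcode, "name": name, "qclass": qclass, "finding": finding}

# Constructed sample messages (no TCP length prefix): a normal query and a
# question whose name is a compression pointer to itself at offset 12.
HEADER = struct.pack("!6H", 0x1234, 0x0100, 1, 0, 0, 0)
NORMAL = HEADER + b"\x07example\x03com\x00" + struct.pack("!HH", 1, 1)
LOOP = HEADER + b"\xc0\x0c" + struct.pack("!HH", 1, 1)
```

Without the jump counter, the self-referencing pointer in `LOOP` would keep the decoder spinning forever; with it, the message is reported after 16 jumps.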
