B-17
Cisco Intrusion Prevention System Sensor CLI Configuration Guide for IPS 5.0
78-16527-01
Appendix B Signature Engines
SERVICE Engines
Overview
The H225 engine analyzes the H.225.0 protocol, which consists of many subprotocols and is part of the
H.323 suite. H.323 is a collection of protocols and other standards that together enable conferencing over
packet-based networks.
H.225.0 call signaling and status messages are part of the H.323 call setup. Various H.323 entities in a
network, such as the gatekeeper and endpoint terminals, run implementations of the H.225.0 protocol
stack. The H225 engine analyzes the H.225.0 protocol for attacks on multiple H.323 gatekeepers, VoIP
gateways, and endpoint terminals. It provides deep packet inspection for call signaling messages that are
exchanged over TCP PDUs. The H225 engine analyzes the H.225.0 protocol for invalid H.225.0
messages, and for misuse and overflow attacks on various protocol fields in these messages.
H.225.0 call signaling messages are based on Q.931 protocol. The calling endpoint sends a Q.931 setup
message to the endpoint that it wants to call, the address of which it procures from the admissions
procedure or some lookup means. The called endpoint either accepts the connection by transmitting a
Q.931 connect message or rejects the connection. When the H.225.0 connection is established, either the
caller or the called endpoint provides an H.245 address, which is used to establish the control protocol
(H.245) channel.
Especially important is the SETUP call signaling message because this is the first message exchanged
between H.323 entities as part of the call setup. The SETUP message uses many of the commonly found
fields in the call signaling messages, and implementations that are exposed to probable attacks will
mostly also fail the security checks for the SETUP messages. Therefore, it is highly important to check
the H.225.0 SETUP message for validity and enforce checks on the perimeter of the network.
The H225 engine has built-in signatures for TPKT validation, Q.931 protocol validation, and ASN.1 PER
validations for the H225 SETUP message. ASN.1 is a notation for describing data structures. PER uses
a different style of encoding. It specializes the encoding based on the data type to generate much more
compact representations.
You can tune the Q.931 and TPKT length signatures and you can add and apply granular signatures on
specific H.225 protocol fields and apply multiple pattern search signatures of a single field in Q.931 or
H.225 protocol.
The H225 engine supports the following features:
• TPKT validation and length check
• Q.931 information element validation
• Regular expression signatures on text fields in Q.931 information elements
• Length checking on Q.931 information elements
• SETUP message validation
• ASN.1 PER encode error checks
• Configuration signatures for fields like URL-ID, E-mail-ID, h323-id, and so forth for both regular
expression and length.
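The TPKT framing and Q.931 call setup described above, together with the TPKT length check, Q.931 IE length checks, regex check on a text IE and SETUP validation from the feature list, as an added Python example. This is not code from the Cisco guide and does not reflect how the H225 engine is implemented; the IE identifiers and the two-octet length of the User-user IE follow Q.931 and H.225.0, while the length limits, the display regex, the sample SETUP bytes and the stand-in User-user payload are constructed for the example (the ASN.1 PER content is not decoded here).

```python
"""Constructed TPKT/Q.931 checks illustrating the kinds of validation the
H225 engine's signatures perform (example only, not the engine's code)."""
import re
import struct
from dataclasses import dataclass, field

TPKT_VERSION = 3
Q931_PROTOCOL_DISCRIMINATOR = 0x08
Q931_SETUP = 0x05
IE_USER_USER = 0x7E          # H.225.0 gives this IE a two-octet length field
IE_NAMES = {0x04: "bearer-capability", 0x28: "display",
            0x6C: "calling-party-number", 0x70: "called-party-number",
            0x7E: "user-user"}

# Tunable limits standing in for length-signature value ranges
# (constructed values, not the guide's defaults).
MAX_TPKT_LENGTH = 4096
MAX_IE_LENGTH = {0x28: 82, 0x70: 64, 0x6C: 64, 0x7E: 2048}
# Constructed policy for the regex check: display text must be printable ASCII.
DISPLAY_RE = re.compile(rb"^[\x20-\x7e]*$")


@dataclass
class Q931Message:
    message_type: int
    call_reference: bytes
    ies: list = field(default_factory=list)   # list of (ie_id, payload)


def parse_tpkt(data: bytes, findings: list) -> bytes:
    """Validate the 4-octet TPKT header and return the Q.931 payload."""
    if len(data) < 4:
        findings.append("tpkt: header truncated")
        return b""
    version, reserved, length = struct.unpack("!BBH", data[:4])
    if version != TPKT_VERSION:
        findings.append(f"tpkt: bad version {version}")
    if reserved != 0:
        findings.append("tpkt: reserved octet not zero")
    if length != len(data):   # TPKT length covers the header itself
        findings.append(f"tpkt: length field {length} != actual {len(data)}")
    if length > MAX_TPKT_LENGTH:
        findings.append(f"tpkt: length {length} exceeds {MAX_TPKT_LENGTH}")
    return data[4:length] if length <= len(data) else data[4:]


def parse_q931(payload: bytes, findings: list):
    """Parse the Q.931 header and walk its information elements."""
    if len(payload) < 3:
        findings.append("q931: message truncated")
        return None
    if payload[0] != Q931_PROTOCOL_DISCRIMINATOR:
        findings.append(f"q931: bad protocol discriminator {payload[0]:#x}")
    cr_len = payload[1] & 0x0F          # call reference length in octets
    if cr_len > 3 or 2 + cr_len >= len(payload):
        findings.append(f"q931: invalid call reference length {cr_len}")
        return None
    msg = Q931Message(payload[2 + cr_len], payload[2:2 + cr_len])
    pos = 3 + cr_len
    while pos < len(payload):
        ie_id = payload[pos]
        if ie_id & 0x80:                # single-octet IE, no length field
            pos += 1
            continue
        hdr = 3 if ie_id == IE_USER_USER else 2
        if pos + hdr > len(payload):
            findings.append(f"q931: IE {ie_id:#x} header truncated")
            break
        if ie_id == IE_USER_USER:
            ie_len = struct.unpack("!H", payload[pos + 1:pos + 3])[0]
        else:
            ie_len = payload[pos + 1]
        body = payload[pos + hdr:pos + hdr + ie_len]
        if len(body) != ie_len:         # declared length overruns the PDU
            findings.append(f"q931: IE {ie_id:#x} length {ie_len} overruns message")
            break
        limit = MAX_IE_LENGTH.get(ie_id)
        if limit is not None and ie_len > limit:
            findings.append(f"q931: {IE_NAMES[ie_id]} length {ie_len} > {limit}")
        if ie_id == 0x28 and not DISPLAY_RE.match(body):
            findings.append("q931: display IE contains non-printable bytes")
        msg.ies.append((ie_id, body))
        pos += hdr + ie_len
    return msg


def inspect_setup(data: bytes) -> list:
    """Run TPKT, Q.931 and SETUP-specific checks; return alert strings."""
    findings = []
    msg = parse_q931(parse_tpkt(data, findings), findings)
    if msg is not None and msg.message_type == Q931_SETUP:
        if not any(ie_id == IE_USER_USER for ie_id, _ in msg.ies):
            findings.append("setup: missing user-user IE (no H323-UserInformation)")
    return findings


def build_setup(display: bytes = b"alice", include_uuie: bool = True) -> bytes:
    """Build a constructed TPKT-framed Q.931 SETUP (not a real capture)."""
    body = bytes([Q931_PROTOCOL_DISCRIMINATOR, 0x02, 0x00, 0x01, Q931_SETUP])
    body += bytes([0x04, 0x03, 0x88, 0x93, 0xA5])      # bearer capability
    body += bytes([0x28, len(display)]) + display      # display (text IE)
    body += bytes([0x70, 0x05, 0x80]) + b"1001"        # called party number
    if include_uuie:
        # 0x05 = X.208/X.209 coded user info; the rest is a constructed
        # stand-in for the PER-encoded H323-UserInformation.
        uuie = b"\x05\x20\xa8\x06\x00\x08\x91\x4a\x00\x05"
        body += bytes([IE_USER_USER]) + struct.pack("!H", len(uuie)) + uuie
    return struct.pack("!BBH", TPKT_VERSION, 0, 4 + len(body)) + body


if __name__ == "__main__":
    print(inspect_setup(build_setup()))                       # []
    print(inspect_setup(build_setup(include_uuie=False)))     # missing UUIE
```

A tampered TPKT length field is the case worth trying by hand: shortening it truncates the Q.931 payload, so the IE walk then reports the first IE whose declared length no longer fits, which is the same defect the engine's TPKT length signature is meant to surface before the Q.931 layer is reached.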
There is a fixed number of TPKT and ASN.1 signatures. You cannot create custom signatures for these
types. For TPKT signatures, you should only change the value-range for length signatures. You should
not change any parameters for ASN.1. For Q.931 signatures, you can add new regular expression
signatures for text fields. For SETUP signatures, you can add signatures for length and regular expression
checks on various SETUP message fields.
SERVICE.H225 Engine Parameters
Table B-14 on page B-18 lists parameters specific to the SERVICE.H225 engine.