B-44
Cisco Intrusion Prevention System Sensor CLI Configuration Guide for IPS 7.2
OL-29168-01
AppendixB Signature Engines
Service Engines
Service H225 Engine
The Service H225 engine analyzes the H.225.0 protocol, which consists of many subprotocols and is part of
the H.323 suite. H.323 is a collection of protocols and other standards that together enable conferencing
over packet-based networks.
H.225.0 call signaling and status messages are part of the H.323 call setup. Various H.323 entities in a
network, such as the gatekeeper and endpoint terminals, run implementations of the H.225.0 protocol
stack. The Service H225 engine analyzes the H.225.0 protocol for attacks on H.323 gatekeepers,
VoIP gateways, and endpoint terminals. It provides deep packet inspection for call signaling messages
that are exchanged over TCP (TPKT-framed PDUs). The Service H225 engine checks the H.225.0 protocol for invalid
H.225.0 messages, and for misuse and overflow attacks on the various protocol fields in these messages.
H.225.0 call signaling messages are based on the Q.931 protocol. The calling endpoint sends a Q.931 SETUP
message to the endpoint that it wants to call, the address of which it procures from the admissions
procedure or some other lookup means. The called endpoint either accepts the connection by transmitting a
Q.931 CONNECT message or rejects the connection. When the H.225.0 connection is established, either the
caller or the called endpoint provides an H.245 address, which is used to establish the control protocol
(H.245) channel.
The SETUP call signaling message is especially important because it is the first message exchanged
between H.323 entities as part of the call setup. The SETUP message uses many of the fields that are common to
the call signaling messages, so an implementation that is exposed to attack through those fields will
usually also fail the security checks for the SETUP message. It is therefore highly important to check
the H.225.0 SETUP message for validity and to enforce those checks at the perimeter of the network.
The Service H225 engine has built-in signatures for TPKT validation, Q.931 protocol validation, and
ASN.1 PER validation of the H.225 SETUP message. ASN.1 is a notation for describing data structures.
PER (Packed Encoding Rules) is one of the ASN.1 encoding rules; it specializes the encoding based on the data type to generate
much more compact representations than the other encoding rules.
You can tune the Q.931 and TPKT length signatures, add granular signatures on
specific H.225 protocol fields, and apply multiple pattern-search signatures to a single field in Q.931 or
H.225.
The Service H225 engine supports the following features:
TPKT validation and length check
Q.931 information element validation
Regular expression signatures on text fields in Q.931 information elements
Length checking on Q.931 information elements
SETUP message validation
ASN.1 PER encode error checks
Configurable signatures, both regular expression and length, for alias fields such as URL-ID, E-mail-ID, and h323-ID
There is a fixed number of TPKT and ASN.1 signatures. You cannot create custom signatures of these
types. For TPKT signatures, change only the value range of the length signatures. Do
not change any parameters of the ASN.1 signatures. For Q.931 signatures, you can add new regular expression
signatures for text fields. For SETUP signatures, you can add signatures for length and regular
expression checks on the various SETUP message fields.
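The following Python script is an added illustration of the checks described above (TPKT length validation, Q.931 header and information-element length validation, and a length plus regular-expression check on a SETUP text field); it is not Cisco IPS code and does not reproduce the sensor's signatures. The constants (TPKT version 3 with a 16-bit length that includes the 4-byte header, Q.931 protocol discriminator 0x08, SETUP message type 0x05, Display IE 0x28) come from RFC 1006 and ITU-T Q.931; the thresholds `MAX_TPKT_LEN` and `MAX_DISPLAY_LEN`, the pattern `DISPLAY_PATTERN`, and all sample PDUs are constructed for the example. The ASN.1 PER body carried in the User-user IE is left undecoded.

```python
"""Constructed H.225.0 call-signaling inspector: TPKT framing, Q.931 header and
information-element (IE) length validation, and a length / regex check on the
Display IE of a SETUP message.  Added example, not Cisco IPS code."""
import re
import struct

TPKT_VERSION = 3          # RFC 1006 TPKT header: version(1) reserved(1) length(2)
TPKT_HEADER_LEN = 4       # the 16-bit length counts the header itself
Q931_PROTOCOL_DISCRIMINATOR = 0x08
Q931_SETUP = 0x05         # Q.931 message type of SETUP
IE_DISPLAY = 0x28         # Q.931 Display IE (a text field)
IE_USER_USER = 0x7E       # Q.931 User-user IE; carries the ASN.1 PER H.225.0 body (not decoded here)

# Assumed tunable thresholds, standing in for the engine's value-range settings.
MAX_TPKT_LEN = 1024
MAX_DISPLAY_LEN = 32
# Constructed regex: control characters or '%' inside a display string.
DISPLAY_PATTERN = re.compile(rb"[\x00-\x1f%]")


def parse_tpkt(pdu: bytes) -> bytes:
    """Validate the TPKT header and return the Q.931 payload it frames."""
    if len(pdu) < TPKT_HEADER_LEN:
        raise ValueError("short TPKT header")
    version, _reserved, length = struct.unpack("!BBH", pdu[:TPKT_HEADER_LEN])
    if version != TPKT_VERSION:
        raise ValueError(f"bad TPKT version {version}")
    if length < TPKT_HEADER_LEN or length > MAX_TPKT_LEN:
        raise ValueError(f"TPKT length {length} outside allowed range")
    if length != len(pdu):
        raise ValueError(f"TPKT length {length} does not match PDU length {len(pdu)}")
    return pdu[TPKT_HEADER_LEN:length]


def parse_q931(payload: bytes):
    """Return (call_ref, msg_type, ies); reject any IE whose length overruns the message."""
    if len(payload) < 3:
        raise ValueError("short Q.931 header")
    if payload[0] != Q931_PROTOCOL_DISCRIMINATOR:
        raise ValueError(f"bad protocol discriminator 0x{payload[0]:02x}")
    cr_len = payload[1] & 0x0F           # call reference length is the low nibble
    pos = 2
    if len(payload) < pos + cr_len + 1:
        raise ValueError("truncated call reference / message type")
    call_ref = payload[pos:pos + cr_len]
    pos += cr_len
    msg_type = payload[pos] & 0x7F
    pos += 1
    ies = []
    while pos < len(payload):
        ie_id = payload[pos]
        if ie_id & 0x80:                 # single-octet IE: no length octet follows
            ies.append((ie_id, b""))
            pos += 1
            continue
        if pos + 1 >= len(payload):
            raise ValueError(f"IE 0x{ie_id:02x} missing length octet")
        ie_len = payload[pos + 1]
        if pos + 2 + ie_len > len(payload):   # the overflow case the engine's length checks catch
            raise ValueError(f"IE 0x{ie_id:02x} length {ie_len} overruns message")
        ies.append((ie_id, payload[pos + 2:pos + 2 + ie_len]))
        pos += 2 + ie_len
    return call_ref, msg_type, ies


def inspect_pdu(pdu: bytes) -> list:
    """Return alert strings for one TPKT-framed H.225.0 PDU (empty list means clean)."""
    try:
        payload = parse_tpkt(pdu)
    except ValueError as exc:
        return [f"TPKT: {exc}"]
    try:
        _call_ref, msg_type, ies = parse_q931(payload)
    except ValueError as exc:
        return [f"Q931: {exc}"]
    alerts = []
    if msg_type == Q931_SETUP:           # SETUP-specific field signatures
        for ie_id, body in ies:
            if ie_id != IE_DISPLAY:
                continue
            if len(body) > MAX_DISPLAY_LEN:
                alerts.append(f"SETUP: Display IE length {len(body)} exceeds {MAX_DISPLAY_LEN}")
            if DISPLAY_PATTERN.search(body):
                alerts.append("SETUP: Display IE matches suspicious pattern")
    return alerts


def build_setup(display: bytes) -> bytes:
    """Build a minimal, well-framed SETUP with one Display IE (constructed test input)."""
    body = bytes([Q931_PROTOCOL_DISCRIMINATOR, 0x02, 0x00, 0x01, Q931_SETUP])  # 2-octet call ref 0x0001
    body += bytes([IE_DISPLAY, len(display)]) + display
    return struct.pack("!BBH", TPKT_VERSION, 0, TPKT_HEADER_LEN + len(body)) + body


# Constructed sample PDUs.
GOOD_SETUP = build_setup(b"Alice")
LONG_DISPLAY = build_setup(b"A" * 64)
FORMAT_STRING_DISPLAY = build_setup(b"%s%s%n")
# Display IE claims 64 octets but only 3 follow; the TPKT length itself is honest.
OVERRUN_IE = struct.pack("!BBH", 3, 0, 14) + bytes(
    [0x08, 0x02, 0x00, 0x01, 0x05, IE_DISPLAY, 0x40, 0x41, 0x42, 0x43])
# TPKT header advertises 100 octets but the segment holds 9.
BAD_TPKT = struct.pack("!BBH", 3, 0, 100) + bytes([0x08, 0x02, 0x00, 0x01, 0x05])

if __name__ == "__main__":
    for name, pdu in [("good", GOOD_SETUP), ("long", LONG_DISPLAY), ("fmt", FORMAT_STRING_DISPLAY),
                      ("overrun", OVERRUN_IE), ("tpkt", BAD_TPKT)]:
        print(name, inspect_pdu(pdu) or "clean")
```

The ordering mirrors the engine's layering: a PDU whose TPKT length disagrees with the segment is rejected before any Q.931 field is read, an IE whose length octet points past the end of the message is rejected before its content is matched, and only a message that survives both layers has the SETUP field signatures (length range and regular expression) applied.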