<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Re: help me build a custom sig in Network Security</title>
    <link>https://community.cisco.com/t5/network-security/help-me-build-a-custom-sig/m-p/648785#M92407</link>
    <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;You could just create a string TCP signature similar to 3130-0 that only looks for the filename (on ports 21, 25, 80). You can use the 'clone' button to copy an existing sig. That would be pretty generic and may be prone to false positives though.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;You could also create 3 signatures that are more specific to the protocols you want to inspect (SMTP, HTTP, FTP). Take a look at 3110-0 for how you would do this with the SMTP state engine. See 5326-0 for an HTTP engine example (this detects GET requests only though, not files returned from a POST request). The 3110 example above should work for FTP (port 21).&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
    <pubDate>Tue, 19 Sep 2006 18:46:47 GMT</pubDate>
    <dc:creator>mhellman</dc:creator>
    <dc:date>2006-09-19T18:46:47Z</dc:date>
    <item>
      <title>help me build a custom sig</title>
      <link>https://community.cisco.com/t5/network-security/help-me-build-a-custom-sig/m-p/648783#M92403</link>
      <description>&lt;P&gt;Can I build a signature (and if so can you walk me through how) to alert me of any traffic containing "filename.exe"?&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;So that for example if an email was on its way to our mailserver with such a file attached or a user was downloading such a file via FTP or through a link in a web page, I could reset the connection or at least generate an alert indicating the activity was taking place?&lt;/P&gt;</description>
      <pubDate>Sun, 10 Mar 2019 10:13:15 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/help-me-build-a-custom-sig/m-p/648783#M92403</guid>
      <dc:creator>slug420</dc:creator>
      <dc:date>2019-03-10T10:13:15Z</dc:date>
    </item>
    <item>
      <title>Re: help me build a custom sig</title>
      <link>https://community.cisco.com/t5/network-security/help-me-build-a-custom-sig/m-p/648784#M92404</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;The documentation on creating custom signatures for your reference:&lt;/P&gt;&lt;P&gt;&lt;A class="jive-link-custom" href="http://www.cisco.com/univercd/cc/td/doc/product/iaabu/csids/csids12/cliguide/clisgdef.htm#wp1042406" target="_blank"&gt;http://www.cisco.com/univercd/cc/td/doc/product/iaabu/csids/csids12/cliguide/clisgdef.htm#wp1042406&lt;/A&gt;&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Tue, 19 Sep 2006 17:07:58 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/help-me-build-a-custom-sig/m-p/648784#M92404</guid>
      <dc:creator>a-vazquez</dc:creator>
      <dc:date>2006-09-19T17:07:58Z</dc:date>
    </item>
    <item>
      <title>Re: help me build a custom sig</title>
      <link>https://community.cisco.com/t5/network-security/help-me-build-a-custom-sig/m-p/648785#M92407</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;You could just create a string TCP signature similar to 3130-0 that only looks for the filename (on ports 21, 25, 80). You can use the 'clone' button to copy an existing sig. That would be pretty generic and may be prone to false positives though.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;You could also create 3 signatures that are more specific to the protocols you want to inspect (SMTP, HTTP, FTP). Take a look at 3110-0 for how you would do this with the SMTP state engine. See 5326-0 for an HTTP engine example (this detects GET requests only though, not files returned from a POST request). The 3110 example above should work for FTP (port 21).&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Tue, 19 Sep 2006 18:46:47 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/help-me-build-a-custom-sig/m-p/648785#M92407</guid>
      <dc:creator>mhellman</dc:creator>
      <dc:date>2006-09-19T18:46:47Z</dc:date>
    </item>
  </channel>
</rss>

