https://community.cisco.com/t5/network-security/ids-new-signature/m-p/318311#M96815 <P>can i create new signature by the total of bytes if yes how i can make it .</P><P></P><P>BR</P><P>RAM</P> Sun, 10 Mar 2019 09:20:01 GMT paltel 2019-03-10T09:20:01Z https://community.cisco.com/t5/network-security/ids-new-signature/m-p/318311#M96815 <P>can i create new signature by the total of bytes if yes how i can make it .</P><P></P><P>BR</P><P>RAM</P> Sun, 10 Mar 2019 09:20:01 GMT https://community.cisco.com/t5/network-security/ids-new-signature/m-p/318311#M96815 paltel 2019-03-10T09:20:01Z https://community.cisco.com/t5/network-security/ids-new-signature/m-p/318312#M96816 <HTML><HEAD></HEAD><BODY><P>Without some further detail of what it is you're trying to write a signature for, I don't think anyone can answer your question, per se.</P><P></P><P>I can't think of any signature engine that alarms based on total number of bytes within a given transport protocol (or even ICMP, just in case you're looking at that) by itself.</P><P></P><P>I know you can use a byte mask to indicate where your signature will actually start working (for example, TCP Stream signature where you look for a particular regular expression after 400 bytes of data have been seen), but the number of bytes itself won't set off an alarm.</P><P></P><P>Of course, I'm not including DoS scenarios like Ping of Death and Teardrop where specific signatures have already been provided, but I'm just saying this for completeness...</P><P></P><P>Care to expand on your intent?</P><P></P><P>Alex Arndt</P></BODY></HTML> Thu, 17 Mar 2005 14:16:37 GMT https://community.cisco.com/t5/network-security/ids-new-signature/m-p/318312#M96816 a.arndt 2005-03-17T14:16:37Z