Creating signatures in CSM
03-17-2015 04:11 AM - edited 03-10-2019 06:20 AM
All,
I am trying to teach myself how to write simple signatures and was wondering if anyone could give me some advice. Specifically, I am trying to create a signature that will hit on any DNS queries asking for anything other than a few dot extensions (i.e. anything other than .edu, .gov, etc.). I am looking at different regular expressions but struggling to find the correct logic of multiple negations. Has anyone tried to do something similar? Any advice?
Thanks,
Labels: IPS and IDS
03-22-2015 07:41 AM
Hello,
There is a guide that might be of some help to you for writing custom signatures; it can be found at:
http://www.cisco.com/web/about/security/intelligence/ips_custom_sigs.html
If you continue to have questions, you can email ipssig-customer-request to get some guidance on writing your custom signature. Include a complete description of what you are trying to fire on and not fire on, and a good traffic sample. Please note the signature you are trying to write will probably fire a lot and may cause performance degradation or may produce false positives.
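The allow-list logic asked about in this thread, as an added example that is not part of the original posts and is written in Python rather than Cisco IPS signature syntax. It decodes the length-prefixed labels of a DNS question and alerts when the final label is not allowed, which avoids chaining negations in one regex. The allow-list (taken from the question's examples), the function names, and the sample queries are assumptions constructed for illustration.

```python
import struct

# Assumed allow-list, taken from the examples in the question.
ALLOWED_TLDS = {"edu", "gov"}

def build_query(name, qtype=1, txid=0x1234):
    """Build a minimal DNS query packet (constructed sample traffic)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels)
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)

def query_labels(packet):
    """Return the lower-cased labels of the first question name."""
    if len(packet) < 12:
        raise ValueError("short DNS header")
    flags, qdcount = struct.unpack("!HH", packet[2:6])
    if flags & 0x8000 or qdcount < 1:
        raise ValueError("not a query")
    labels, pos = [], 12
    while True:
        if pos >= len(packet):
            raise ValueError("truncated name")
        length = packet[pos]
        if length == 0:          # zero-length root label ends the name
            return labels
        if length > 63:          # pointers are not expected in a question
            raise ValueError("unexpected label type")
        end = pos + 1 + length
        if end > len(packet):
            raise ValueError("truncated label")
        # DNS names are case-insensitive, so normalise before comparing.
        labels.append(packet[pos + 1:end].decode("ascii", "replace").lower())
        pos = end

def should_alert(packet):
    """True when the queried TLD is outside the allow-list."""
    try:
        labels = query_labels(packet)
    except ValueError:
        return True              # design choice: surface malformed queries
    tld = labels[-1] if labels else ""   # root query has no TLD
    return tld not in ALLOWED_TLDS

if __name__ == "__main__":
    for name in ("www.example.edu", "WWW.Example.GOV", "www.example.com",
                 "edu.example.com", "example.notgov"):
        print(name, "->", "alert" if should_alert(build_query(name)) else "pass")
```

Comparing only the last label, anchored to the terminating zero byte, is what keeps names such as `edu.example.com` or `example.notgov` from passing the way they would with a plain substring match.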
