Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
601
Views
0
Helpful
1
Replies

Custom IPS Signature

lquin1978
Level 1
Level 1

‎02-02-2011 04:48 PM - edited ‎03-10-2019 05:15 AM

Is it possible to write an custom signature to look for a specific response (a field/value within the packet) in replys to packets that have already traversed the IPS.  And if no response was recieved in  x amount of seconds an alarm would fire.

Labels:
0 Helpful
1 Reply 1

Christopher Dreier
Level 3
Level 3

‎02-03-2011 07:51 PM

Hello lquin1978,

Signatures normally fire on the presence of data rather than the absence of data. That said, can you provide more detail about what you are trying to accomplish? What L4 protocol are you working with? Are the fields you'd like to match in the header or the payload? Can you provide a packet capture of the traffic scenario in which you would not like the IPS to event, and then specify the packet for which you would like the IPS to event, should that packet go missing?

Thank you,

Blayne Dreier

Cisco TAC Escalation Team

**Please check out our Podcasts**

TAC Security Show: http://www.cisco.com/go/tacsecuritypodcast

TAC IPS Media Series: https://supportforums.cisco.com/community/netpro/security/intrusion-prevention?view=tags&tags=tac_ips_media_series

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card