
custom signature - SigName

darin.marais
Level 4

I have created a custom signature with idsmc 2.01, and during the creation it asked for a name. I entered the name that I wanted to use for the signature, but when I received an event for the signature in SecMon, the name that appeared was the default name, which is equivalent to the signature engine:

SigName: STRING.TCP <defaulted>

Can someone tell me where you update the name field on the idsmc signature configuration?

3 Replies

gabelar
Level 1

I haven't seen this problem before. You may want to try to boot the sensor when you get a chance, if you haven't done so yet. It may be that when you create a custom sig, it will instantly enforce the sig but not completely compile the sig and correctly change the name until a boot is done.

I have rebooted the sensor as you indicated, but the SigName on the custom signature that I created remains the same (STRING.TCP).

The steps that I followed to create the signature were as follows:

1. I used the management centre for ids sensors version 2.01

2. I selected the group to which the sensor belongs

3. I selected signature/IDS 4.x

4. Under the selection for Select group, you have two choices built-in/custom

5. I chose custom and then add

6. I selected the engine string.tcp and gave the signature a name along with its selected reg-expression and other parameters.

7. I then used the quick deploy on IDSMC to send the custom signature to the group of sensors

The signature was deployed with all of the correct values and settings but the SigName was not changed from its default.

I thought that I might just update this thread for anyone else that may be experiencing the same problems in 2.01 idsmc. I have been told that the problem I described above is a bug and that it has been fixed in 2.02:

CSCsa43631 Custom Signature - Name not getting deployed

CSCsa55723 Custom Signatures do not hold their name after Upgrade
