Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
336
Views
0
Helpful
1
Replies

Custom signatures - searching and alerting for specific data

5creedus
Level 1
Level 1

‎06-28-2005 09:36 AM - edited ‎03-10-2019 01:30 AM

Can Cisco NIDS version 4.x do custom searches by looking within the data load and search for specific pieces of data (phone numbers, email address) and set off alerts?

Labels:
0 Helpful
1 Reply 1

a.arndt
Level 3
Level 3

‎07-04-2005 05:47 AM

The short answer is "Yes, it can."

The detailed answer, though, requires further information to be properly provided.

In order to determine what signature engine to use, you have to consider the traffic you want to inspect. Obviously, inspecting LDAP over TCP would be done using a different signature engine than what you would use to look for the same data in IM traffic via UDP. If you want to check out if this data is available via people accessing a web server, yet another signature engine is required.

The next trick is to properly construct your regular expression (aka - regex) in order to identify and report the data your looking for. If you're looking for many disparate data types, you might be better off creating signatures for each data element you want to find (one for phone numbers, one for e-mail addresses).

Also, when constructing the regex, you have to determine if you're looking for known values (555-1212 or me@you.net) or just data that resembles what you want to find (anything that resembles NNN-NNNN or

@.).

Obviously, the regex gets far more complicated if your matching format versus a known pattern.

Anyway, those are the big ones. The final consideration involves the reporting parameters. If you want to know about each and every pattern match, you'll configure the signature one way. If you just want to know that it's seeing packets with your pattern in it and receive an update at a set interval (say, 30 minutes), you'd configure it another way.

In summary, you can definitely build a signature to identify and alert based on contents of a packet. You just need to do a bit of planning in order to build one that will meet your needs effectively.

I hope this helps,

Alex Arndt

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card