460 Views, 0 Helpful, 2 Replies

help me build a custom sig

slug420 (Level 1)

Can I build a signature (and if so can you walk me through how) to alert me of any traffic containing "filename.exe"?

So that, for example, if an email was on its way to our mail server with such a file attached, or a user was downloading such a file via FTP or through a link in a web page, I could reset the connection or at least generate an alert indicating the activity was taking place?

2 Replies

a-vazquez (Level 6)

The documentation on creating custom signatures for your reference:

http://www.cisco.com/univercd/cc/td/doc/product/iaabu/csids/csids12/cliguide/clisgdef.htm#wp1042406

mhellman (Level 7)

You could just create a string TCP signature similar to 3130-0 that only looks for the filename (on ports 21, 25, 80). You can use the 'clone' button to copy an existing sig. That would be pretty generic and may be prone to false positives though.

You could also create 3 signatures that are more specific to the protocols you want to inspect (SMTP, HTTP, FTP). Take a look at 3110-0 for how you would do this with the SMTP state engine. See 5326-0 for an HTTP engine example (this detects GET requests only though, not files returned from a POST request). The 3110 example above should work for FTP (port 21).
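The trade-off mhellman describes (one generic string match on ports 21/25/80 versus three protocol-aware signatures) can be modelled outside the sensor. The following is an added example and is not Cisco IPS configuration, nor code from anyone in this thread: it is a small Python model in which `generic_string_match` stands in for a string-TCP signature and `protocol_aware_match` stands in for the FTP/SMTP/HTTP-specific checks, run over a handful of constructed sample flows. It reproduces both points made above: the generic match fires on an email that merely mentions the filename in its body (a false positive), and a GET-only HTTP check misses the same file when a server returns it in reply to a POST. All sample payloads, the direction labels and the regexes are assumptions made for this example.

```python
import re

# The name the original poster wants to catch, and the ports the generic
# string signature is assumed to watch (from the reply above).
FILENAME = b"filename.exe"
WATCHED_PORTS = {21, 25, 80}

# Constructed sample flows (made up for this example, not captured traffic).
# Each entry: (service port, direction relative to the server, raw payload).
SAMPLES = {
    # FTP client asking the server for the file.
    "ftp_retr": (21, "to-service",
                 b"USER anonymous\r\nPASS guest@\r\nRETR filename.exe\r\n"),
    # SMTP message carrying the file as a MIME attachment.
    "smtp_attachment": (25, "to-service",
                        b"DATA\r\nSubject: report\r\n"
                        b"Content-Type: application/octet-stream; name=\"filename.exe\"\r\n"
                        b"Content-Disposition: attachment; filename=\"filename.exe\"\r\n"
                        b"\r\nTVqQAAMAAAAEAAAA\r\n.\r\n"),
    # SMTP message that only mentions the name in its body text (no attachment).
    "smtp_body_mention": (25, "to-service",
                          b"DATA\r\nSubject: heads up\r\n\r\n"
                          b"Please do not run filename.exe from the share.\r\n.\r\n"),
    # HTTP client fetching the file by URL with a GET request.
    "http_get": (80, "to-service",
                 b"GET /downloads/filename.exe HTTP/1.1\r\nHost: www.example.test\r\n\r\n"),
    # HTTP server returning the file in reply to a form POST; the name appears
    # only in the response headers, never in a GET request line.
    "http_post_response": (80, "from-service",
                           b"HTTP/1.1 200 OK\r\n"
                           b"Content-Disposition: attachment; filename=\"filename.exe\"\r\n"
                           b"Content-Type: application/octet-stream\r\n\r\nTVqQAAMAAAAEAAAA"),
}


def generic_string_match(port, direction, payload):
    """Model of a generic string-TCP signature: the filename anywhere in the
    stream on a watched port, in either direction."""
    return port in WATCHED_PORTS and FILENAME in payload


# Protocol-aware patterns (assumed for this example): an FTP RETR command for the
# file, an SMTP MIME attachment header naming it, or an HTTP GET request for it.
FTP_RETR = re.compile(rb"^RETR\s+(?:\S*/)?" + re.escape(FILENAME) + rb"\s*$", re.M | re.I)
SMTP_ATTACH = re.compile(rb"^Content-Disposition:\s*attachment;.*\bfilename=\"?"
                         + re.escape(FILENAME), re.M | re.I)
HTTP_GET = re.compile(rb"^GET\s+\S*" + re.escape(FILENAME) + rb"(?=[\s?])", re.M)


def protocol_aware_match(port, direction, payload):
    """Model of three protocol-specific signatures. They inspect client requests
    only, so a file returned by the server (e.g. after a POST) is not seen."""
    if direction != "to-service":
        return False
    if port == 21:
        return FTP_RETR.search(payload) is not None
    if port == 25:
        return SMTP_ATTACH.search(payload) is not None
    if port == 80:
        return HTTP_GET.search(payload) is not None
    return False


def compare(samples=SAMPLES):
    """Run both models over every sample; returns {name: (generic, protocol_aware)}."""
    return {name: (generic_string_match(*flow), protocol_aware_match(*flow))
            for name, flow in samples.items()}


if __name__ == "__main__":
    for name, (generic, specific) in compare().items():
        print(f"{name:20s} generic={generic!s:5s} protocol_aware={specific!s:5s}")
```

Reading the output side by side shows why the reply suggests starting generic and then tightening: `smtp_body_mention` trips only the generic model (the false positive), while `http_post_response` trips only the generic model because the protocol-aware HTTP check, like 5326-0 as described above, looks at GET requests and not at what the server sends back. Whether a real sensor sees the response depends on the signature's direction setting, which this model represents with the `direction` label.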
