06-03-2010 01:45 AM - edited 03-10-2019 05:01 AM
I have an IDS 4215, and I want it to give me a warning when users make a Windows or Active Directory authentication to some servers. Should I add a signature, or what? And I want to specify the servers for which the warning will be available.
06-03-2010 04:05 AM
Yes, this would be the ideal candidate for a custom signature. You can find out more about writing signatures for Cisco IPS sensors here:
You can also make use of the Signature Wizard for assisted creation. More details can be found here:
http://www.cisco.com/en/US/docs/security/ips/7.0/configuration/guide/idm/idm_signature_wizard.html
This will allow the IPS sensor to fire a signature when your criteria are matched. Should you want an email alert to be generated for that signature event, you will need to implement a solution such as Cisco's free IPS Manager Express (IME). You can find out more, and download IME here:
Scott
06-03-2010 08:36 AM
Thank you, but can you give me one example of a custom signature with the configuration to make it on the sensor?
Because I didn't find where to put, for example, the IP addresses of the servers for which I want to make the warning.
06-03-2010 09:10 AM
Depending on whether the servers in question are the source (attacker) of the traffic or destination (victim) will determine where you would place the server IP addresses in the signature.
This is a simple signature definition using a signature variable for multiple IP address storage. This signature is in no way designed to detect the exact behavior you are interested in capturing:
signatures 60001 0
sig-description
sig-name Atomic IP Detection
sig-string-info An IP address of interest was detected.
exit
engine atomic-ip
specify-ip-addr-options yes
ip-addr-options ip-addr
specify-src-ip-addr yes
src-ip-addr $SERVERS
! $SERVERS is a signature variable holding the server addresses;
! it must be defined in the same signature-definition service.
exit
exit
You will, of course, need to choose the appropriate signature engine to provide inspection to meet your requirements.
Scott
06-04-2010 07:43 AM
So with this configuration!! I will receive a warning when one of the users makes a Windows logon???
Thank you for your collaboration.
06-04-2010 07:49 AM
No, the above was just a sample signature on how to add a variable as the source IP address in a signature.
You will need to determine the traffic profile for the behavior for which you are attempting to create a signature. You may be able to do this by performing packet captures using Wireshark, or a similar tool.
Once you determine what the traffic looks like, you can determine the correct signature engine to use, and what specific details need to be caught by the signature. Not having access to your network, I cannot create a solution to meet your needs. This is an activity that you will need to perform on your own.
If you are wanting to monitor logins to Windows servers, it may be better to implement audit logging on the servers in question, and monitor those access for these activities.
Scott
06-04-2010 07:54 AM
Yes, I can, but I will not receive a warning message.
06-04-2010 07:51 AM
How can you help me, if I just want to have a warning for a Windows logon on some servers? Or try just for one.
The example is: when, for example, I make a Windows logon on server X, the IDS will give me a warning for the logon, to tell me someone made a Windows logon on server X.
06-04-2010 08:02 AM
I cannot write a specific signature for you since I do not have access to your network to see exactly what packets traverse the network during the activity you are wanting to alert on. This is effort you will need to perform yourself.
There are several signatures already present on the IPS sensor that detect failed logons and such (5606/0, 5726/0-1, 5739/0-1), you may be able to use one of these signatures as a basis for creating a custom signature to detect a successful logon.
If this logon activity takes place using an encrypted channel, the IPS will not be able to detect this activity and alert you since the IPS cannot decrypt this communication. The most effective manner for monitoring Windows server logins is through the monitoring of the local Windows event logs via a remote monitoring tool.
Scott
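Scott's last suggestion, watching the Windows event logs rather than the wire, as an added example that is not part of the thread: it polls the Security log of named servers for successful logons and raises a warning per logon. The server names are placeholders, and it assumes Windows Server 2008 or later (where a successful logon is event ID 4624) and an account with remote event-log read rights.

```powershell
# Added example, not from the thread: report successful logons (event 4624)
# on a list of Windows servers by reading their Security logs remotely.
# Assumptions: Windows Server 2008 or later, remote event-log access allowed,
# and the account running this can read the Security log on each server.
param(
    [string[]]$Servers = @('SERVER-X', 'SERVER-Y'),   # placeholder names
    [int]$MinutesBack  = 15                           # look-back window
)

$since = (Get-Date).AddMinutes(-$MinutesBack)

foreach ($server in $Servers) {
    # Get-WinEvent throws when nothing matches; SilentlyContinue turns that
    # into an empty result so the loop simply moves to the next server.
    $events = Get-WinEvent -ComputerName $server -ErrorAction SilentlyContinue `
        -FilterHashtable @{ LogName = 'Security'; Id = 4624; StartTime = $since }

    foreach ($e in $events) {
        # Pull the named EventData fields out of the event's XML body.
        $data = @{}
        ([xml]$e.ToXml()).Event.EventData.Data |
            ForEach-Object { $data[$_.Name] = $_.'#text' }

        # Skip computer-account logons (names ending in $) to cut noise.
        if ($data['TargetUserName'] -like '*$') { continue }

        # LogonType 2 = console, 3 = network (SMB/AD), 10 = RDP.
        Write-Warning ("{0}: {1}\{2} logged on to {3} (type {4}) from {5}" -f
            $e.TimeCreated, $data['TargetDomainName'], $data['TargetUserName'],
            $server, $data['LogonType'], $data['IpAddress'])
    }
}
```

Run it from a scheduled task to get the periodic warning the thread asks for; failed logons can be watched the same way with event ID 4625.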
06-04-2010 08:07 AM
Thank you, Scott.