Solved: how to create a custom IPS rule to drop specific MD5, SHA, hashes

TsadikuBahiru78025 · ‎08-12-2022

Dears,

Please help in creating an IPS rule that can drop a specific MD5, SHA hashes

Marvin Rhoads · ‎08-12-2022

Only SHA hashes are supported. You add them to a Custom Detection List (under Objects, Object Management, File List) and then make sure the feature is enabled under your File Policy and the file policy is applied in your Access Control Policy rules. Note you will only be able to detect files which are passing unencrypted through the devices. Normally that does not include anything in an SSL/TLS session (unless you have SSL decryption active for that flow). So... almost all of your web traffic is not normally seen by such a policy

https://www.cisco.com/c/en/us/td/docs/security/secure-firewall/management-center/device-config/720/management-center-device-config-72/network-malware-protection.html#ID-2193-00000296

View solution in original post

Marvin Rhoads · ‎08-12-2022

Only SHA hashes are supported. You add them to a Custom Detection List (under Objects, Object Management, File List) and then make sure the feature is enabled under your File Policy and the file policy is applied in your Access Control Policy rules. Note you will only be able to detect files which are passing unencrypted through the devices. Normally that does not include anything in an SSL/TLS session (unless you have SSL decryption active for that flow). So... almost all of your web traffic is not normally seen by such a policy

https://www.cisco.com/c/en/us/td/docs/security/secure-firewall/management-center/device-config/720/management-center-device-config-72/network-malware-protection.html#ID-2193-00000296

TsadikuBahiru78025 · ‎08-14-2022

Dear Marvin,

Thank you for the solution.