Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1032
Views
5
Helpful
6
Replies

IDS Custom Signature

lcduncan
Level 1
Level 1

‎02-07-2005 07:43 PM - edited ‎03-10-2019 01:16 AM

Lost of people have asked this question but I don't see an answer so......

How can I create a custom signature to detect streaming video? I understand that you can detect the traffic using "mime type"? I also understand that you can use the file types (.ram, .rm, .asx) to filter the traffic as well.

Labels:
0 Helpful
6 Replies 6

a.arndt
Level 3
Level 3

‎02-08-2005 08:05 AM

I haven't had a chance to look at this in any detail, so I'll just offer a quick suggestion.

Use the TCP.STREAM engine, use the WEB_PORTS variable to identify what ports to monitor, and then use a regular expression (regex) to define what extensions or MIME types you want to isolate.

Here's a quick example regex to look for file extensions:

.ram|.rm|.asx|.avi|.wmf

You could even fancy it up by using the following:

.[Rr][Aa][Mm]|.[Rr][Mm]|.[Aa][Ss][Xx]|.[Aa][Vv][Ii]|.[Ww][Mm][Ff]

This will detect the extension in either lowercase, uppercase or mixed case.

You could look at the regex details of SigID 3110 (SMTP Suspicious Attachment) to give you some ideas too...

I hope this helps,

Alex Arndt

0 Helpful

craiwill
Cisco Employee
Cisco Employee
In response to a.arndt

‎02-08-2005 09:10 AM

You must escape the . character or it will be translated to [^\n]. You should enclose it in a character class or use the hex encoding (\x2E).

Regards,

Craig

0 Helpful

lcduncan
Level 1
Level 1
In response to craiwill

‎02-08-2005 01:01 PM

This may be asking too much but I've never configured a custom signature. Can someone give me cookie cutter?

0 Helpful

lcduncan
Level 1
Level 1
In response to craiwill

‎02-08-2005 08:18 PM

Can you give me the complete statement that I can cut and paste into the sensor?

0 Helpful

rupadras
Cisco Employee
Cisco Employee

‎02-08-2005 05:06 PM

You can create your custom signatures by logging onto the IDS using the CLI or the web interface. To create a custom signature using the web interface, log onto the IDS Device Manager (IDM) by visiting the URL https://. Click on the Configuration tab, and then the Sensing Engine link. Click on the "Signature Wizard" link on the left side. Start the wizard and enter the signature parameters.

The minimal signature parameters you generally enter are the signature type (HTTP, TCP, UDP, IP, ICMP, stream, or a single packet), signature ID and subsignature ID, service ports, regular expression, and the direction of the traffic. You can also finetune other parameters. Clicking on the "Help" link brings a detailed help document.

Let me know if this helps,

Radhika

nataraj_v
Level 1
Level 1
In response to rupadras

‎02-09-2005 05:15 AM

Its better to do it from web interface as ur doing it for first time .

http://www.cisco.com/en/US/products/sw/secursw/ps2113/products_installation_and_configuration_guide_chapter09186a008035809d.html

look at the above link for tune-micro-engines.

Regards

Nataraj

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card