SNORT state-based signature to Cisco IDS custom signature

redray8 (Level 1)

I have done a previous search and realize that there is no good way to convert Snort signatures to Cisco IDS/IPS custom signatures. I was wondering if anyone has ever converted the Snort "state-based" TCP string matched signature into something that Cisco IDS/IPS can interpret. For example:

# First rule: match the client request, set the per-session flowbit, but do not alert
alert tcp any any -> any any (msg:"CLIENT_TO_SERVER_SIG"; flow:to_server,established; content:"|00 01 00 01|"; offset:0; depth:5; flowbits:set,c_to_s; flowbits:noalert; sid:1234567890; rev:1;)

# Second rule: match the server response, alert only if the client-side bit was set earlier in the same session (distinct sid, since Snort rejects duplicates)
alert tcp any any -> any any (msg:"CLIENT_TO_SERVER_SIG"; flow:to_client,established; content:"|01 00 00 00|"; offset:0; depth:5; flowbits:isset,c_to_s; sid:1234567891; rev:1;)

So basically the first rule does not alert but sets the state, so that when the client initiates the client-to-server connection with the appropriate payload match and the server responds with a designated payload match, the alert fires.

Is there any way to do this with TCP string matching within Cisco IDS/IPS custom signatures? Thanks in advance!

ray
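To make the two-rule behaviour described in the question concrete, here is a small Python model of Snort's flow/flowbits evaluation. It is an added example, not code from the post, from Snort or from Cisco; the packet records are constructed, and the client/server direction of each packet is assumed to be supplied by a session tracker, as Snort's flow preprocessor would do. It also parses the `|..|` hex notation used in the rules' content fields.

```python
# Added example (not from the post, Snort or Cisco): a minimal model of how the
# two flowbits rules cooperate. Packet records are constructed; "to_server" is
# assumed to come from a session tracker, as Snort's flow tracking provides it.
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    to_server: bool      # direction relative to the session (flow:to_server / to_client)
    payload: bytes


def snort_content(spec: str) -> bytes:
    """Turn a Snort content string such as '|00 01 00 01|' or 'GET|20|/' into bytes.
    Segments between pipes are hex; everything else is literal text."""
    out = bytearray()
    for i, seg in enumerate(spec.split("|")):
        if i % 2 == 1:
            out += bytes.fromhex(seg)      # hex run (fromhex ignores the spaces)
        else:
            out += seg.encode("latin-1")   # literal run
    return bytes(out)


def flow_key(pkt: Packet):
    """Same key for both directions of one TCP session, so flowbits are per session."""
    return tuple(sorted([(pkt.src, pkt.sport), (pkt.dst, pkt.dport)]))


def content_match(payload: bytes, pattern: bytes, offset: int, depth: int) -> bool:
    """Snort offset/depth semantics: the pattern must lie inside payload[offset:offset+depth]."""
    return pattern in payload[offset:offset + depth]


# The two rules from the question, reduced to the fields this model evaluates.
RULES = [
    {"msg": "CLIENT_TO_SERVER_SIG", "to_server": True,
     "content": snort_content("|00 01 00 01|"), "offset": 0, "depth": 5,
     "setbit": "c_to_s", "needbit": None, "noalert": True},
    {"msg": "SERVER_TO_CLIENT_SIG", "to_server": False,
     "content": snort_content("|01 00 00 00|"), "offset": 0, "depth": 5,
     "setbit": None, "needbit": "c_to_s", "noalert": False},
]


def evaluate(packets):
    """Run the rules over an ordered packet list; return the alerts that fire."""
    flowbits = {}   # flow key -> set of bit names currently set in that session
    alerts = []
    for pkt in packets:
        bits = flowbits.setdefault(flow_key(pkt), set())
        for rule in RULES:
            if rule["to_server"] != pkt.to_server:
                continue
            if not content_match(pkt.payload, rule["content"], rule["offset"], rule["depth"]):
                continue
            if rule["needbit"] and rule["needbit"] not in bits:
                continue   # flowbits:isset failed: no earlier client match in this session
            if rule["setbit"]:
                bits.add(rule["setbit"])   # flowbits:set
            if not rule["noalert"]:
                alerts.append((rule["msg"], flow_key(pkt)))
    return alerts


def demo_scenarios():
    """Three constructed sessions; only the first should produce an alert."""
    req = Packet("10.0.0.5", 40000, "192.0.2.10", 8000, True, b"\x00\x01\x00\x01\x07data")
    rsp = Packet("192.0.2.10", 8000, "10.0.0.5", 40000, False, b"\x01\x00\x00\x00\x07data")
    # the same server response, but in a session where no request was ever seen
    other_rsp = Packet("192.0.2.10", 8000, "10.0.0.6", 40001, False, b"\x01\x00\x00\x00")
    return {
        "request_then_response": len(evaluate([req, rsp])),
        "response_only": len(evaluate([rsp])),
        "request_and_other_session_response": len(evaluate([req, other_rsp])),
    }


if __name__ == "__main__":
    print(demo_scenarios())
```

The point the model makes is that the second rule's `flowbits:isset` only consults bits set on the same session, so a matching server response on its own, or on a different session, never alerts; whatever the Cisco side is built from has to carry equivalent per-session state between the two component matches.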

1 Reply

redray8 (Level 1)

I believe I have figured out that this is possible using a Meta Engine match on multiple signatures, at least judging by one of the pre-defined signatures such as 5748.
