Custom Signature

ddinh
Level 1

I want to create a custom signature to detect FTP traffic on ports other than port 21. Would I want to use Atomic.tcp or String.tcp? Can I use an asterisk for all ports? And what RegexString value would I use? Thanks for any help.

3 Replies

mcerha
Level 3

First, I would be very careful about adding a signature that tries to examine all TCP ports. This will most likely cause a large impact to the performance of the sensor. Here is a SigWizMenu screenshot of a possible signature:

Tune Signature Parameters : CSIDS Signature Wizard
___________________________________________________________________________
Current Signature: Engine ATOMIC.TCP SIGID 20000
SigName: FTP Server Traffic
___________________________________________________________________________
0 - Edit ALL Parameters
1 - AlarmInterval =
2 - AlarmThrottle = FireOnce
3 - ChokeThreshold = 100
4 - DstPort =
5 - FlipAddr =
6 - LimitSummary =
7 * Mask = ACK
8 - MaxInspectLength =
9 - MinHits =
10 - PortRange =
11 - ResetAfterIdle = 15
12 - SigComment =
13 - SigName = FTP Server Traffic
14 - SigStringInfo =
15 - SinglePacketRegex = [2][2][0]
16 - SourcePorts =
17 - SrcPort =
18 * StorageKey = SRC
19 * TcpFlags = ACK
20 - ThrottleInterval = 30
21 - WantFrag =
d - Delete a value
u - UNDO and continue
x - SAVE and continue
___________________________________________________________________________

This looks for a 220 condition code from an FTP server. It should listen on all ports by default. Again, this signature will most likely cause a significant performance hit to the sensor and should be used with caution.

You're right, but the performance hit wasn't too bad. Packetd went from ~10% to ~20% CPU usage. I have another question: this custom sig is massively alarming on all other TCP connection requests, i.e. web, mail, and everything. Is there more condition code I can add to this sig so that it only fires on the FTP service? Thanks for any help.

Ok, you might try this regex as a replacement:

[2][2][0].*[Ff][Tt][Pp].*[\r\n]

Obviously, this won't work if the FTP server doesn't return the keyword FTP in its banner. It should catch most servers, though.
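To see why the original `[2][2][0]` regex alarms on unrelated services and what the refined regex gains and loses, here is an added example (not from the thread, and not Cisco's code) that runs both SinglePacketRegex values over constructed sample payloads. It uses Python's `re` module, which only approximates the sensor's regex engine; the payloads and server names are made up.

```python
import re

# The two SinglePacketRegex values from the thread, compiled as byte patterns.
# Python's re is an approximation of the sensor's regex engine, not the same engine.
LOOSE_REGEX = re.compile(rb"[2][2][0]")
STRICT_REGEX = re.compile(rb"[2][2][0].*[Ff][Tt][Pp].*[\r\n]")

# Constructed sample payloads: the first server-to-client packet of a session.
SAMPLES = {
    "vsftpd_banner": b"220 (vsFTPd 3.0.3)\r\n",
    "proftpd_banner": b"220 ProFTPD Server (Debian) [::ffff:10.0.0.5]\r\n",
    "ftp_no_keyword": b"220 Welcome to the file server\r\n",     # FTP, but no "FTP" in banner
    "smtp_banner": b"220 mail.example.com ESMTP Postfix\r\n",     # SMTP also greets with 220
    "http_response": b"HTTP/1.1 200 OK\r\nContent-Length: 220\r\n\r\n<html></html>",
    "ssh_banner": b"SSH-2.0-OpenSSH_8.9\r\n",
}


def fires(regex: re.Pattern, payload: bytes) -> bool:
    """Return True if the signature's regex matches anywhere in the packet payload."""
    return regex.search(payload) is not None


def evaluate(samples: dict) -> dict:
    """Map each sample name to (loose_fires, strict_fires) for the two regexes."""
    return {
        name: (fires(LOOSE_REGEX, payload), fires(STRICT_REGEX, payload))
        for name, payload in samples.items()
    }


if __name__ == "__main__":
    # Shows the false positives of the loose regex (SMTP, HTTP) and the
    # false negative of the strict one (FTP banner without the keyword).
    for name, (loose, strict) in evaluate(SAMPLES).items():
        print(f"{name:16} loose={str(loose):5} strict={strict}")
```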