05-06-2004 01:26 PM - edited 03-09-2019 07:18 AM
Hello,
I'm trying to create a simple custom signature - just to detect unexpected traffic on a network segment (not necessarily malicious traffic - just any traffic).
In order to achieve that (and let me know if there are simpler ways), I was going to create a new atomic IP signature, that would fire any time a packet to or from an unexpected IP address is seen.
On the signature parameters screen, there are two fields - for source and destination IP addresses.
My question is - what format do those fields accept? Or even better, what is the most efficient way to encode something like "10.0.0.0-10.0.0.255, but not 10.0.0.30"? I know that it accepts "x.x.x.x" format with a subnet mask; does this mean that the best I can do is create a bunch of separate signatures using IP addresses/subnet masks that would essentially cover the "10.0.0.0-10.0.0.29, 10.0.0.31-10.0.0.255" range?
Ideally, I'd want to put all IP addresses that should not appear on my network into one big list in a single signature.
Note that the "Creating Custom Signatures" paragraph in "IDS Device Manager Configuration Tasks" document does not mention anything about accepted values for those fields.
http://www.cisco.com/univercd/cc/td/doc/product/iaabu/csids/csids10/idmiev/swchap3.htm#31540
Thanks,
Arsen
05-07-2004 11:21 AM
You cannot place ranges or comma separated lists into the DstIpAddr or SrcIpAddr parameters. You can only specify a single address. This can be a single subnet or individual IP. Like this:
DstIpAddr 10.0.0.0
DstIpMask 255.255.255.0
SrcIpAddr 10.0.0.1
SrcIpMask 255.255.255.255
The alternate approach, at the expense of more processing, would be to create a custom signature using the ATOMIC engines without IP addresses and a pair of signature filters. The first suppressing the custom signature for all addresses. The second specifically excluding the IP ranges you want to alarm on from the general filter.
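The two approaches in the reply above can be worked through with a short script. This is an added example, not code from the original thread or from Cisco: it computes the minimal list of address/mask pairs (one per signature) that cover "10.0.0.0/24 except 10.0.0.30", and then simulates the filter-based alternative (a catch-all signature, a filter suppressing everything, and an exception to that filter for the ranges that should alarm) to show that both produce the same alarms. The parameter names DstIpAddr/DstIpMask come from the reply; the function names, the sample addresses and the filter-evaluation model are assumptions made for illustration and are not a description of the sensor's internal filter engine.

```python
"""Express "10.0.0.0/24 except 10.0.0.30" as single-CIDR IDS signature parameters.

Added example, not from the original thread or from Cisco. The parameter names
DstIpAddr/DstIpMask are taken from the reply above; everything else here
(function names, sample addresses, the filter model) is an illustrative assumption.
Requires Python 3.7+ for IPv4Network.subnet_of().
"""
import ipaddress
from typing import Iterable, List, Tuple


def cover_minus_exceptions(network: str, exceptions: Iterable[str]) -> List[ipaddress.IPv4Network]:
    """Return the minimal set of CIDR blocks that cover `network` minus `exceptions`.

    Each returned block needs its own signature, because a single
    DstIpAddr/DstIpMask (or SrcIpAddr/SrcIpMask) pair can only name one block.
    """
    blocks = [ipaddress.ip_network(network, strict=False)]
    for exc in exceptions:
        exc_net = ipaddress.ip_network(exc, strict=False)
        remaining = []
        for blk in blocks:
            if exc_net.subnet_of(blk):
                # Carve the exception out; address_exclude yields the pieces around it.
                remaining.extend(blk.address_exclude(exc_net))
            elif blk.subnet_of(exc_net):
                # The whole block lies inside the exception: drop it.
                continue
            else:
                remaining.append(blk)
        blocks = remaining
    return sorted(blocks)


def signature_params(network: str, exceptions: Iterable[str]) -> List[Tuple[str, str]]:
    """(DstIpAddr, DstIpMask) pairs, one per separate signature, in the reply's dotted-mask form."""
    return [(str(b.network_address), str(b.netmask))
            for b in cover_minus_exceptions(network, exceptions)]


def matches_any_signature(address: str, params: List[Tuple[str, str]]) -> bool:
    """Approach 1: N signatures, each with its own address/mask; fire if any matches."""
    ip = ipaddress.ip_address(address)
    return any(ip in ipaddress.ip_network(f"{addr}/{mask}") for addr, mask in params)


def filter_approach_alarms(address: str, alarm_ranges: List[ipaddress.IPv4Network]) -> bool:
    """Approach 2 (the reply's alternative), modelled as: a catch-all signature with
    no IP parameters fires on every packet; a general filter suppresses all of
    those alarms; a second filter excludes `alarm_ranges` from the general filter,
    so only packets in those ranges produce an alarm. Illustrative model only."""
    ip = ipaddress.ip_address(address)
    signature_fired = True                          # no IP parameters: fires on everything
    suppressed_by_general_filter = True             # first filter: suppress all addresses
    excluded_from_filter = any(ip in r for r in alarm_ranges)  # second filter: the exception
    return signature_fired and (not suppressed_by_general_filter or excluded_from_filter)


if __name__ == "__main__":
    params = signature_params("10.0.0.0/24", ["10.0.0.30"])
    print(f"{len(params)} separate signatures needed:")
    for addr, mask in params:
        print(f"  DstIpAddr {addr}  DstIpMask {mask}")
    ranges = cover_minus_exceptions("10.0.0.0/24", ["10.0.0.30"])
    # Constructed sample addresses: inside the range, the excluded host, outside the range.
    for sample in ("10.0.0.31", "10.0.0.30", "10.0.0.200", "10.0.1.5"):
        print(sample, "signatures:", matches_any_signature(sample, params),
              "filters:", filter_approach_alarms(sample, ranges))
```

Excluding a single /32 from a /24 costs eight signatures (one at each prefix length from /25 down to /32), which is why the filter-based approach scales better as the exception list grows: the ranges go into filter exceptions instead of into separate signatures, at the cost of evaluating the catch-all signature on every packet.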