Custom signatures - IP address field

arshir
Level 1

Hello,

I'm trying to create a simple custom signature - just to detect unexpected traffic on a network segment (not necessarily malicious traffic - just any traffic).

In order to achieve that (and let me know if there are simpler ways), I was going to create a new atomic IP signature, that would fire any time a packet to or from an unexpected IP address is seen.

On the signature parameters screen, there are two fields - for source and destination IP addresses.

My question is - what format do those fields accept? Or even better, what is the most efficient way to encode something like "10.0.0.0-10.0.0.255, but not 10.0.0.30"? I know that it accepts "x.x.x.x" format with a subnet mask; does this mean that the best I can do is create a bunch of separate signatures using IP addresses/subnet masks that would essentially cover the "10.0.0.0-10.0.0.29, 10.0.0.31-10.0.0.255" range?

Ideally, I'd want to put all IP addresses that should not appear on my network into one big list in a single signature.

Note that the "Creating Custom Signatures" paragraph in "IDS Device Manager Configuration Tasks" document does not mention anything about accepted values for those fields.

http://www.cisco.com/univercd/cc/td/doc/product/iaabu/csids/csids10/idmiev/swchap3.htm#31540

Thanks,

Arsen

1 Reply

mcerha
Level 3

You cannot place ranges or comma separated lists into the DstIpAddr or SrcIpAddr parameters. You can only specify a single address. This can be a single subnet or individual IP. Like this:

DstIpAddr 10.0.0.0

DstIpMask 255.255.255.0

SrcIpAddr 10.0.0.1

SrcIpMask 255.255.255.255

The alternate approach, at the expense of more processing, would be to create a custom signature using the ATOMIC engines without IP addresses and a pair of signature filters. The first suppressing the custom signature for all addresses. The second specifically excluding the IP ranges you want to alarm on from the general filter.
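Worked example, added here and not part of the thread or of Cisco's documentation: since each signature takes exactly one address/mask pair, the "one signature per block" approach the reply describes needs the range-minus-exclusions decomposed into the fewest CIDR blocks. The helper below does that with Python's standard `ipaddress` module (3.7+ for `subnet_of`) and prints each block as a DstIpAddr/DstIpMask pair; it also handles several excluded hosts, which goes beyond the single exclusion in the question. The function names are my own.

```python
import ipaddress


def cover_range_minus(allowed, excluded):
    """Return the minimal sorted list of CIDR blocks that cover `allowed`
    with every network in `excluded` carved out.

    `allowed` is a CIDR string such as "10.0.0.0/24"; `excluded` is an
    iterable of CIDR strings or bare addresses (a bare address is a /32).
    """
    blocks = [ipaddress.ip_network(allowed)]
    for exc in excluded:
        exc_net = ipaddress.ip_network(exc)
        next_blocks = []
        for blk in blocks:
            if exc_net.subnet_of(blk):
                # address_exclude yields the blocks of blk that do not
                # contain exc_net (nothing at all if exc_net == blk)
                next_blocks.extend(blk.address_exclude(exc_net))
            elif blk.subnet_of(exc_net):
                continue  # the whole block is excluded, drop it
            else:
                next_blocks.append(blk)  # no overlap, keep unchanged
        blocks = next_blocks
    # merge adjacent blocks that happen to form a larger CIDR, then sort
    return sorted(ipaddress.collapse_addresses(blocks),
                  key=lambda n: int(n.network_address))


def signature_param_pairs(blocks):
    """Render each block as the (address, dotted mask) pair that goes into
    one signature's DstIpAddr/DstIpMask (or SrcIpAddr/SrcIpMask) fields."""
    return [(str(b.network_address), str(b.netmask)) for b in blocks]


if __name__ == "__main__":
    # constructed input matching the question: the /24 minus host .30
    blocks = cover_range_minus("10.0.0.0/24", ["10.0.0.30"])
    print(f"{len(blocks)} signatures needed:")
    for addr, mask in signature_param_pairs(blocks):
        print(f"  DstIpAddr {addr}  DstIpMask {mask}")
```

Excluding a single host from a /24 costs eight blocks (one per bit position below the /24), so the signature count grows quickly with the number of exclusions; that is the trade-off against the filter-based approach in the reply, which keeps one signature and pushes the exclusions into the filters.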