Hello,
I'm trying to create a simple custom signature - just to detect unexpected traffic on a network segment (not necessarily malicious traffic - just any traffic).
In order to achieve that (and let me know if there are simpler ways), I was going to create a new atomic IP signature, that would fire any time a packet to or from an unexpected IP address is seen.
On the signature parameters screen, there are two fields - for source and destination IP addresses.
My question is - what format do those fields accept? Or even better, what is the most efficient way to encode something like "10.0.0.0-10.0.0.255, but not 10.0.0.30"? I know that it accepts "x.x.x.x" format with a subnet mask; does this mean that the best I can do is create a bunch of separate signatures using IP addresses/subnet masks that would essentially cover the "10.0.0.0-10.0.0.29, 10.0.0.31-10.0.0.255" range?
Ideally, I'd want to put all IP addresses that should not appear on my network into one big list in a single signature.
Note that the "Creating Custom Signatures" paragraph in the "IDS Device Manager Configuration Tasks" document does not mention anything about accepted values for those fields.
http://www.cisco.com/univercd/cc/td/doc/product/iaabu/csids/csids10/idmiev/swchap3.htm#31540
Thanks,
Arsen
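As an added illustration (not part of the original post, and independent of what the IDM address fields actually accept, which the thread does not settle): assuming each signature takes exactly one address plus a dotted subnet mask, the Python snippet below computes the minimal set of such pairs that covers a range minus a few excluded hosts, and checks that the result really covers everything except the holes. For the poster's own case (10.0.0.0-10.0.0.255 without 10.0.0.30) it comes out to 8 address/mask pairs, which is what makes a single list-valued field so much more attractive. The function names and the sample range are this example's own choices.

```python
"""Minimal address/mask pairs covering an IPv4 range minus excluded hosts.

Worked example for "10.0.0.0-10.0.0.255, but not 10.0.0.30", assuming the
signature fields take one address + subnet mask each (an assumption, not
something the original thread confirms).
"""
import ipaddress
from typing import Iterable, List


def covering_blocks(first: str, last: str,
                    excluded: Iterable[str] = ()) -> List[ipaddress.IPv4Network]:
    """Return the smallest list of CIDR blocks covering first..last inclusive,
    with every host listed in `excluded` carved out."""
    blocks = list(ipaddress.summarize_address_range(
        ipaddress.IPv4Address(first), ipaddress.IPv4Address(last)))
    for host in excluded:
        hole = ipaddress.ip_network(f"{host}/32")
        carved = []
        for block in blocks:
            if hole.subnet_of(block):
                # address_exclude yields the blocks left around the hole
                # (and nothing at all if the block *is* the hole).
                carved.extend(block.address_exclude(hole))
            else:
                carved.append(block)
        blocks = carved
    return sorted(blocks)


def as_address_mask_pairs(blocks) -> List[tuple]:
    """Render blocks as (address, dotted mask) pairs, one per signature."""
    return [(str(b.network_address), str(b.netmask)) for b in blocks]


def is_covered(address: str, blocks) -> bool:
    """True if the single address falls inside any of the blocks."""
    ip = ipaddress.IPv4Address(address)
    return any(ip in b for b in blocks)


def coverage_is_exact(first: str, last: str, excluded: Iterable[str], blocks) -> bool:
    """Sanity check: every address in the range is covered except the
    excluded ones, and nothing outside the range is covered."""
    lo, hi = ipaddress.IPv4Address(first), ipaddress.IPv4Address(last)
    holes = {ipaddress.IPv4Address(h) for h in excluded}
    for b in blocks:
        for ip in b:
            if not (lo <= ip <= hi) or ip in holes:
                return False
    expected = int(hi) - int(lo) + 1 - len(holes)
    return sum(b.num_addresses for b in blocks) == expected


if __name__ == "__main__":
    want = covering_blocks("10.0.0.0", "10.0.0.255", excluded=["10.0.0.30"])
    for addr, mask in as_address_mask_pairs(want):
        print(f"{addr} mask {mask}")
    print(len(want), "separate address/mask signatures needed")
```

Run it as-is and it prints the eight pairs (10.0.0.0/255.255.255.240 up through 10.0.0.128/255.255.255.128). Adding more excluded hosts only increases the count, which is the practical argument for a product that takes a list or an exclusion rather than one mask per signature.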