IDS-User-Defined Signature

lathian · ‎08-16-2002

Can I create a custom Signature and apply it to IDSM ? For instance, if I want IDS to catch any traffic with specific string or URL( MSOffice/cltreq.asp), what should I do ? Any advice on Custom Signature would much appreciate.

Thanks in advance

marcabal · ‎08-16-2002

The IDSM has a feature known as Custom String Signatures.

Within CSPM's signature configuration windows there should be a tab for creating Custom Strings.

Simply enter the regular expression that you are looking (i.e. enter the string), and then state what service ports you want it to look for that string. Currently the Custom String feature only works on TCP Connections and can not be used for UDP based connections.

NOTE: The Custom String feature is different from the Custom Signature feature available on the appliance. (Custom String is also supported on the appliance).

The Custom String only can search the data in a TCP connection to the specified port.

With Custom Signatures on the appliance you can search on UDP Connections as well as TCP, and can also write signatures that look at the packet headers themselves rather than just the data in the connection.

lathian · ‎08-19-2002

Thanks for your info. Very appreciated. One more question for you. On my IIS 5.0 Server log file, I have seen a lot of hit with "www.mydomain.com/Msoffice/cltreq.asp". I would like to block all this traffic. I have added "[/]MSoffice" as a custom String and set it block. But it didn't work. I have not seen any signature in IDS database and still seem the hits in log file. According to this link: http://www.trusecure.com/knowledge/hypeorhot/2001/tsa01024.shtml, it is a nimda hit. Any advice would much appreciate.

Thanks