08-16-2002 01:15 PM - edited 03-08-2019 11:58 PM
Can I create a custom Signature and apply it to IDSM? For instance, if I want IDS to catch any traffic with a specific string or URL (MSOffice/cltreq.asp), what should I do? Any advice on Custom Signature would be much appreciated.
Thanks in advance
08-16-2002 02:21 PM
The IDSM has a feature known as Custom String Signatures.
Within CSPM's signature configuration windows there should be a tab for creating Custom Strings.
Simply enter the regular expression that you are looking for (i.e. enter the string), and then state what service ports you want it to look for that string on. Currently the Custom String feature only works on TCP connections and cannot be used for UDP-based connections.
NOTE: The Custom String feature is different from the Custom Signature feature available on the appliance. (Custom String is also supported on the appliance).
The Custom String can only search the data in a TCP connection to the specified port.
With Custom Signatures on the appliance you can search on UDP Connections as well as TCP, and can also write signatures that look at the packet headers themselves rather than just the data in the connection.
08-19-2002 03:52 PM
Thanks for your info. Much appreciated. One more question for you. In my IIS 5.0 Server log file, I have seen a lot of hits with "www.mydomain.com/Msoffice/cltreq.asp". I would like to block all this traffic. I have added "[/]MSoffice" as a custom String and set it to block. But it didn't work. I have not seen any signature in the IDS database and still see the hits in the log file. According to this link: http://www.trusecure.com/knowledge/hypeorhot/2001/tsa01024.shtml, it is a Nimda hit. Any advice would be much appreciated.
Thanks
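An added example, not part of the original posts and not Cisco code: an offline check of a candidate custom string against request lines spelled like the ones quoted in this thread, following the rules described above (TCP only, listed destination ports, regex over the connection data). It uses Python's `re` as a stand-in for the sensor's matcher and assumes that matching is case-sensitive; `case_fold_classes` and `matching_streams` are hypothetical helper names, and the streams are constructed samples.

```python
import re

def case_fold_classes(literal):
    """Rewrite a literal as per-character classes so it matches in any
    letter case, e.g. '/ms' -> '[/][Mm][Ss]'."""
    out = []
    for ch in literal:
        if ch.isalpha():
            out.append(f"[{ch.upper()}{ch.lower()}]")
        elif ch in "]\\^-":
            out.append(re.escape(ch))   # characters special inside a class
        else:
            out.append(f"[{ch}]")
    return "".join(out)

def matching_streams(pattern, ports, streams):
    """Return the indexes of streams on which the custom string would fire:
    protocol is TCP, destination port is in `ports`, and the regex is found
    somewhere in the connection data (case-sensitive, by assumption)."""
    rx = re.compile(pattern.encode())
    return [i for i, (proto, dport, data) in enumerate(streams)
            if proto == "tcp" and dport in ports and rx.search(data)]

# Constructed sample traffic; the path spellings are the ones seen in this thread.
STREAMS = [
    ("tcp", 80,   b"GET /Msoffice/cltreq.asp HTTP/1.1\r\nHost: www.mydomain.com\r\n\r\n"),
    ("tcp", 80,   b"GET /MSOffice/cltreq.asp HTTP/1.1\r\nHost: www.mydomain.com\r\n\r\n"),
    ("tcp", 8080, b"GET /msoffice/cltreq.asp HTTP/1.1\r\nHost: www.mydomain.com\r\n\r\n"),
    ("udp", 80,   b"/MSoffice/cltreq.asp"),  # never inspected: custom strings are TCP only
]

if __name__ == "__main__":
    for pat in ("[/]MSoffice", case_fold_classes("/msoffice")):
        print(pat, "->", matching_streams(pat, {80}, STREAMS))
```

Running it shows which of the sample requests each pattern would catch on port 80, so a pattern can be checked against the exact spelling in the web server log before it is entered on the sensor.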