IDS-User-Defined Signature

lathian
Level 1

Can I create a custom signature and apply it to the IDSM? For instance, if I want the IDS to catch any traffic with a specific string or URL (MSOffice/cltreq.asp), what should I do? Any advice on Custom Signatures would be much appreciated.

Thanks in advance

2 Replies

marcabal
Cisco Employee

The IDSM has a feature known as Custom String Signatures.

Within CSPM's signature configuration windows there should be a tab for creating Custom Strings.

Simply enter the regular expression that you are looking for (i.e. enter the string), and then state which service ports you want it to look for that string on. Currently the Custom String feature only works on TCP connections and cannot be used for UDP-based connections.

NOTE: The Custom String feature is different from the Custom Signature feature available on the appliance. (Custom String is also supported on the appliance).

The Custom String can only search the data in a TCP connection to the specified port.

With Custom Signatures on the appliance you can search on UDP Connections as well as TCP, and can also write signatures that look at the packet headers themselves rather than just the data in the connection.

Thanks for your info. Much appreciated. One more question for you. In my IIS 5.0 Server log file, I have seen a lot of hits with "www.mydomain.com/Msoffice/cltreq.asp". I would like to block all this traffic. I have added "[/]MSoffice" as a custom String and set it to block. But it didn't work. I have not seen any signature in the IDS database and still see the hits in the log file. According to this link: http://www.trusecure.com/knowledge/hypeorhot/2001/tsa01024.shtml, it is a Nimda hit. Any advice would be much appreciated.

Thanks
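
An added example, not part of the thread and not Cisco code: a Python check of the custom string from the last post against the URL spellings quoted in the thread, assuming the sensor matches the regular expression case-sensitively (the thread does not say). The request lines are constructed, and `case_tolerant` and `matching` are hypothetical helpers.

```python
import re

# Custom string exactly as entered in the last post of the thread.
THREAD_PATTERN = r"[/]MSoffice"


def case_tolerant(literal):
    """Build a regex matching `literal` in any letter case using only
    character classes, for engines that offer no ignore-case option."""
    return "".join(
        f"[{ch.upper()}{ch.lower()}]" if ch.isalpha() else re.escape(ch)
        for ch in literal
    )


# Constructed request lines (not taken from the poster's logs). The first
# two use the two spellings of the URL that appear in the thread.
SAMPLE_REQUESTS = [
    "GET /MSOffice/cltreq.asp HTTP/1.0",
    "GET /Msoffice/cltreq.asp HTTP/1.0",
    "GET /msoffice/cltreq.asp HTTP/1.0",
    "GET /default.htm HTTP/1.0",
]


def matching(pattern, requests=SAMPLE_REQUESTS):
    """Return the request lines the pattern flags when matched
    case-sensitively (assumed sensor behaviour)."""
    rx = re.compile(pattern)
    return [line for line in requests if rx.search(line)]


if __name__ == "__main__":
    tolerant = case_tolerant("/msoffice/cltreq.asp")
    for name, pattern in (("as typed", THREAD_PATTERN), ("tolerant", tolerant)):
        print(f"{name}: {pattern}")
        for line in matching(pattern):
            print("   flags:", line)
```

Under that assumption the string as typed flags none of the sample requests, because its capitalisation ("MSoffice") differs from both spellings quoted in the thread, while the per-letter character classes flag all three `cltreq.asp` requests and leave `/default.htm` alone.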