
Need help creating a custom signature please

mjuckett
Level 1

Good morning,

I have been asked by management to create a signature that will detect all traffic from a particular IP on our network. This is how I tried to set it up:

String.tcp engine

ServicePorts: 1-65535 (Yes I realize this will cause a significant impact on sensor performance)

StorageKey: =STREAM (took default)

Direction: FromService

Protocol: =TCP

SummaryKey: Axxx (took default)

RegexString: [192][.][168][.][0][.][1]

This has yielded nothing from the desired IP address. I have gotten a few hits from incorrect IPs, but nothing from the one I want. I know the IP address is sending traffic past the sensor as I can see connections to that IP on the firewall. Can someone point out what I am doing wrong please? Is there a better engine to do this with?

Any help would be appreciated!

Thanks,

MJ

micballa
Level 1

I believe if you used the atomic IP engine as follows you will get the results you are looking for:

Engine ATOMIC.L3.IP

Protocol =IP

ResetAfterIdle 15

SrcIpAddr 192.168.0.1

SrcIpMask 255.255.255.255
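As an added illustration (not part of this thread and not sensor code), the Python below emulates the two engines on constructed data: it shows why the character-class regex in the question only matches addresses such as 9.6.0.1, why a String engine that inspects payload bytes cannot see the source address in the IP header at all, and how the SrcIpAddr/SrcIpMask comparison in the atomic IP signature works. The payloads, packet records and helper names are assumptions made up for the demonstration.

```python
import ipaddress
import re

# The regex from the question: each [...] is a character class matching ONE
# character from the set, so it matches strings like "9.6.0.1" or "2.8.0.1",
# never the full dotted address "192.168.0.1".
BROKEN_REGEX = r"[192][.][168][.][0][.][1]"

# A literal match for the address as text in a payload (assumed corrected
# form); dots escaped, guarded so 192.168.0.10 does not also match.
LITERAL_REGEX = r"(?<![0-9])192\.168\.0\.1(?![0-9])"


def string_engine_hits(pattern, payloads):
    """Emulate a String engine: return the payload strings the regex matches."""
    rx = re.compile(pattern)
    return [p for p in payloads if rx.search(p)]


def atomic_ip_hit(src_ip, sig_addr, sig_mask):
    """Emulate ATOMIC.L3.IP SrcIpAddr/SrcIpMask: compare the masked source."""
    ip = int(ipaddress.IPv4Address(src_ip))
    addr = int(ipaddress.IPv4Address(sig_addr))
    mask = int(ipaddress.IPv4Address(sig_mask))
    return (ip & mask) == (addr & mask)


def classify_packets(packets, sig_addr, sig_mask):
    """For each constructed packet: (src, string-engine fires, atomic fires)."""
    rx = re.compile(LITERAL_REGEX)
    return [(p["src"], bool(rx.search(p["payload"])),
             atomic_ip_hit(p["src"], sig_addr, sig_mask)) for p in packets]


# Constructed TCP payloads, decoded as text.
SAMPLE_PAYLOADS = [
    "GET / HTTP/1.1\r\nHost: 192.168.0.1\r\n",
    "GET / HTTP/1.1\r\nHost: 9.6.0.1\r\n",
    "some unrelated text 2.8.0.1 here",
    "no address at all",
]

# Constructed packets: the source address lives in the header, not the payload.
SAMPLE_PACKETS = [
    {"src": "192.168.0.1", "payload": "no address at all"},
    {"src": "192.168.0.77", "payload": "Host: 192.168.0.1"},
]

if __name__ == "__main__":
    print(string_engine_hits(BROKEN_REGEX, SAMPLE_PAYLOADS))
    print(classify_packets(SAMPLE_PACKETS, "192.168.0.1", "255.255.255.255"))
```

The string engine fires on the host that merely mentions the address in its payload, while the atomic signature fires on the packet actually sourced from 192.168.0.1.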

Thank you very much. I have pushed that out to the needed sensor. Now I just have to wait for the user to return to work to test it.

Thanks again,

MJ

That worked great. Thank you so much.

MJ