Signatures for a recent CERT advisory...

Dec 13th, 2007
User Badges: Cisco Employee

For those who just might want to use the IPS to help detect and block sites listed in a recent CERT advisory.


Here's how you'd do it.


Both signatures are written using the ATOMIC-IP engine. I'll just point out the fields that need to be changed; I'll leave out things like sig name and severity, and you can change the actions to whatever you desire.


Case 1:

Traffic destined to some ip address aaa.bbb.ccc.ddd


sig-name connect to IP address xxx.xxx.xxx.xxx

> engine atomic-ip

> event-action produce-verbose-alert

> specify-ip-addr-options yes

> ip-addr-options ip-addr

> specify-src-ip-addr no

> specify-dst-ip-addr yes

> dst-ip-addr aaa.bbb.ccc.ddd




Case 2:

A DNS query for something.


sig-name DNS query

> engine atomic-ip

> event-action produce-verbose-alert

> specify-l4-protocol yes

> l4-protocol udp

> specify-dst-port yes

> dst-port 53

> specify-payload-inspection yes

> regex-string (see below on what should be here)



For the dns regex, you need to be aware that the query will take the form of:

length-byte -- characters -- length-byte -- characters


So a name like my.domain.com is three labels of 2 characters, 6 characters, and 3 characters, each preceded by its length byte. Strung together it looks like this:

\x02[Mm][Yy]\x06[Dd][Oo][Mm][Aa][Ii][Nn]\x03[Cc][Oo][Mm]

That is the regex to catch my.domain.com regardless of case in a dns query (UDP).

(Note that the dots in the name do not appear in the regex string; on the wire each dot is replaced by the length byte of the label that follows it.)
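The following is an added example, not code from the original post or from Cisco: it builds the length-prefixed, case-insensitive regex described above for any name, then checks it against a constructed DNS query payload (12-byte header plus one A/IN question) the way the UDP/53 payload inspection would see it. The function names, the `exact` option and the sample query bytes are my own constructions.

```python
import re
import string
import struct

# Added example (not from the original post): build the length-prefixed
# DNS-name regex the post describes and check it against a constructed
# DNS query payload such as an ATOMIC-IP payload inspection would see.


def dns_name_regex(name: str, exact: bool = False) -> str:
    """Return a case-insensitive regex for `name` in DNS wire format.

    On the wire each label is preceded by a one-byte length and the dots
    disappear, so my.domain.com becomes \\x02my\\x06domain\\x03com.
    Letters become [Xx] classes; digits and hyphens are literal.
    With exact=True a trailing \\x00 (the root label) is appended so that
    a longer name such as my.domain.com.example no longer matches.
    """
    parts = []
    for label in name.strip(".").split("."):
        if not 1 <= len(label) <= 63:
            raise ValueError(f"bad DNS label: {label!r}")
        parts.append(r"\x%02x" % len(label))  # the length byte, e.g. \x02
        for ch in label:
            if ch in string.ascii_letters:
                parts.append(f"[{ch.upper()}{ch.lower()}]")
            elif ch.isdigit() or ch == "-":
                parts.append(ch)
            else:
                raise ValueError(f"unsupported character {ch!r} in label")
    if exact:
        parts.append(r"\x00")
    return "".join(parts)


def encode_qname(name: str) -> bytes:
    """Encode a name as DNS labels: length byte, characters, ..., 0x00."""
    labels = name.strip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_dns_query(name: str, txid: int = 0x1234) -> bytes:
    """Constructed sample UDP/53 payload: 12-byte header + one A/IN question."""
    # flags 0x0100 = standard query, recursion desired; QDCOUNT = 1
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_qname(name) + struct.pack("!HH", 1, 1)


def query_matches(regex: str, payload: bytes) -> bool:
    """Apply the regex to raw payload bytes; the \\xNN escapes are parsed by re."""
    return re.search(regex.encode("ascii"), payload) is not None


if __name__ == "__main__":
    loose = dns_name_regex("my.domain.com")
    exact = dns_name_regex("my.domain.com", exact=True)
    print(loose)  # \x02[Mm][Yy]\x06[Dd][Oo][Mm][Aa][Ii][Nn]\x03[Cc][Oo][Mm]
    for qname in ("my.domain.com", "MY.Domain.COM", "notmy.domain.com",
                  "my.domain.com.example", "www.my.domain.com"):
        payload = build_dns_query(qname)
        print(f"{qname:24s} loose={query_matches(loose, payload)!s:5s} "
              f"exact={query_matches(exact, payload)}")
```

Two caveats the run makes visible: the regex as written in the post is unanchored, so a query for my.domain.com.example or for www.my.domain.com also fires; appending `\x00` (the terminating root label) rules out the former but not the latter, which may or may not be what you want for a block list. Python's `re` is used here only to exercise the `\xNN` escapes and `[Xx]` classes that the post's regex relies on; I am assuming the sensor's regex engine treats those the same way, and any richer syntax should be checked against the IPS documentation before it goes into a signature.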
