Signatures for a recent CERT advisory...

Unanswered Question
Dec 13th, 2007

For those who just might want to use the IPS to help detect and block sites listed in a recent CERT advisory.

Here's how you'd do it.

Both signatures are written using the ATOMIC-IP engine. I'll just point out the fields that need to be changed; I'll leave out things like sig name and severity, and you can change the actions to whatever you desire.

Case 1:

Traffic destined to some ip address aaa.bbb.ccc.ddd

sig-name connect to IP address xxx.xxx.xxx.xxx

> engine atomic-ip

> event-action produce-verbose-alert

> specify-ip-addr-options yes

> ip-addr-options ip-addr

> specify-src-ip-addr no

> specify-dst-ip-addr yes

> dst-ip-addr: aaa.bbb.ccc.ddd

Case 2:

A DNS query for something.

sig-name DNS query

> engine atomic-ip

> event-action produce-verbose-alert

> specify-l4-protocol yes

> l4-protocol udp

> specify-dst-port yes

> dst-port 53

> specify-payload-inspection yes

> regex-string (see below on what should be here)

For the dns regex, you need to be aware that the query will take the form of:

length-byte -- characters -- length-byte -- characters

So something like my.domain.com is 2 characters, 6 characters, then 3 characters, which gets strung together as such:

\x02[Mm][Yy]\x06[Dd][Oo][Mm][Aa][Ii][Nn]\x03[Cc][Oo][Mm]

That is the regex to catch my.domain.com regardless of case in a dns query (UDP).

(note that the dots in the name do not appear in the regex string)
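As an added illustration (not part of the original post or of any Cisco IPS code), the following Python builds the length-prefixed, case-insensitive pattern from a domain name the way the post describes, constructs a sample DNS query payload, and checks the pattern against it. It also goes one step beyond the post with an optional `end_of_name` flag that appends the `\x00` root terminator, so that longer names ending in the same labels are not matched; the packet builder, the function names and the sample names are assumptions made for this example.

```python
import re
import struct

def dns_name_regex(domain: str, end_of_name: bool = False) -> str:
    """Build the IPS-style pattern for a DNS query name, as the post describes:
    each label becomes its length byte followed by one [Xx] class per letter,
    and the dots never appear in the pattern. end_of_name=True additionally
    requires the root terminator (\\x00), so a longer name such as
    my.domain.com.example is not matched (an addition beyond the post)."""
    parts = []
    for label in domain.strip(".").split("."):
        if not 0 < len(label) < 64:
            raise ValueError("DNS labels must be 1..63 octets")
        parts.append("\\x%02x" % len(label))  # the length byte, e.g. \x06 for "domain"
        for ch in label:
            parts.append("[%s%s]" % (ch.upper(), ch.lower()) if ch.isalpha() else re.escape(ch))
    if end_of_name:
        parts.append("\\x00")
    return "".join(parts)

def build_dns_query(qname: str, txid: int = 0x1234) -> bytes:
    """Constructed sample packet (not a capture): a minimal standard A/IN query,
    UDP payload only, i.e. the bytes the atomic-ip regex is matched against."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # id, RD flag, QDCOUNT=1
    labels = b"".join(bytes([len(l)]) + l.encode("ascii") for l in qname.strip(".").split("."))
    return header + labels + b"\x00" + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN

def query_matches(pattern: str, payload: bytes) -> bool:
    """Apply the pattern to the raw payload; the pattern is ASCII with \\xNN
    escapes, so it compiles directly as a bytes regex."""
    return re.search(pattern.encode("ascii"), payload) is not None

if __name__ == "__main__":
    pat = dns_name_regex("my.domain.com")
    print(pat)  # same string as the post's regex
    for name in ("MY.Domain.COM", "www.my.domain.com", "mydomain.com", "my.domain.com.example"):
        print(name, query_matches(pat, build_dns_query(name)),
              query_matches(dns_name_regex("my.domain.com", end_of_name=True), build_dns_query(name)))
```

Note that the post's pattern, with no terminator, also fires on subdomains such as www.my.domain.com and on longer names that merely contain the three labels in sequence; whether that is wanted depends on what the advisory lists.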
