Signatures for a recent CERT advisory...

Unanswered Question
Dec 13th, 2007
Author: Cisco Employee

For those who just might want to use the IPS to help detect and block sites listed in a recent CERT advisory.

Here's how you'd do it.

Both signatures are written using the ATOMIC-IP engine. I'll just point out the fields that need to be changed; I'll leave out things like sig name and severity, and you can set the actions to whatever you desire.

Case 1:

Traffic destined to some IP address aaa.bbb.ccc.ddd

sig-name connect to IP address

> engine atomic-ip

> event-action produce-verbose-alert

> specify-ip-addr-options yes

> ip-addr-options ip-addr

> specify-src-ip-addr no

> specify-dst-ip-addr yes

> dst-ip-addr: aaa.bbb.ccc.ddd

Case 2:

A DNS query for something.

sig-name DNS query

> engine atomic-ip

> event-action produce-verbose-alert

> specify-l4-protocol yes

> l4-protocol udp

> specify-dst-port yes

> dst-port 53

> specify-payload-inspection yes

> regex-string (see below on what should be here)

For the DNS regex, you need to be aware that the query name will take the form of:

length-byte -- characters -- length-byte -- characters

So a name made up of labels of 2 characters, 6 characters, then 3 characters gets strung together as follows:


That is the regex to catch the name, regardless of case, in a DNS query (UDP).

(Note that the dots in the name do not appear in the regex string; each dot is replaced by the length byte of the label that follows it.)
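As an added example (not part of the original post, and not Cisco IPS code), the following Python builds a case-insensitive byte regex from a dotted name using the length-byte/label structure described above, and checks it against a constructed DNS query. It uses Python's `re` dialect rather than the IPS regex dialect, and adds a trailing `\x00` end-of-name byte (an assumption beyond the post) so that a longer name sharing the same prefix does not match.

```python
import re
import struct

def encode_qname(name: str) -> bytes:
    """DNS wire format: each label prefixed by its length byte, ending in 0x00."""
    out = b""
    for label in name.strip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"

def qname_regex(name: str) -> bytes:
    """Byte regex matching the wire-format name regardless of letter case.

    The dots never appear; each label is introduced by its length byte, so a
    name such as ab.cdefgh.ijk becomes \\x02[Aa][Bb]\\x06[Cc]...\\x03[Ii][Jj][Kk].
    The trailing \\x00 requires the name to end there (ab.cdefgh.ijk.other
    would not match); a subdomain such as foo.ab.cdefgh.ijk still matches.
    """
    parts = []
    for label in name.strip(".").split("."):
        parts.append(b"\\x%02x" % len(label))
        for ch in label:
            if ch.isalpha():
                parts.append(b"[%s%s]" % (ch.upper().encode(), ch.lower().encode()))
            else:
                parts.append(re.escape(ch.encode("ascii")))
    parts.append(b"\\x00")
    return b"".join(parts)

def build_query(name: str, qtype: int = 1) -> bytes:
    """Constructed minimal DNS query: 12-byte header, one question (type A, class IN)."""
    header = struct.pack(">HHHHHH", 0x1234, 0x0100, 1, 0, 0, 0)
    return header + encode_qname(name) + struct.pack(">HH", qtype, 1)

def query_matches(packet: bytes, name: str) -> bool:
    """True if the UDP payload carries a query for `name` (any letter case)."""
    return re.search(qname_regex(name), packet) is not None

if __name__ == "__main__":
    print(qname_regex("ab.cdefgh.ijk").decode())
    print(query_matches(build_query("AB.CdEfGh.IJK"), "ab.cdefgh.ijk"))
```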
