IPS: How to create a signature to block a specific IP?

Unanswered Question
Sep 24th, 2008
I'm running an IPS and I would like to know the parameters to block a specific IP when creating/configuring a new signature.

I'm trying to block YouTube's IP address by signature and be able to see the alert logs of computers trying to access it.

I know the YouTube block can be done with IOS, but I need this on the IPS.

Thank you,

zeek

wsulym Wed, 09/24/2008 - 09:46 (Cisco Employee)

I know I dropped this onto some other posting, but it was just easier for me to find it and re-post it... All you do here is use the "atomic-ip" engine and specify a destination IP address.

Traffic destined to some IP address aaa.bbb.ccc.ddd:

sig-name connect to IP address xxx.xxx.xxx.xxx
> engine atomic-ip
> event-action produce-verbose-alert
> specify-ip-addr-options yes
> ip-addr-options ip-addr
> specify-src-ip-addr no
> specify-dst-ip-addr yes
> dst-ip-addr aaa.bbb.ccc.ddd

mhellman Wed, 09/24/2008 - 11:53 (Blue, 1500 points or more)

It would be more effective and robust to block based on URL. Take a look at 3202-0 for an example.

Zeek Ferraros Thu, 08/02/2012 - 09:13
Sorry it has been a while, but I am looking at the 3202 signature and can see a specific regex: [.][Uu][Rr][Ll][ \t\n\r]

Is there a regex translator/creator link I can use to generate my own or to understand the regex expression?

Another question: I would like to use this signature to generate an alert of IPs (hosts) using a specific site (for example: dropbox.com). If I configured this signature with the HTTP service to look for IPs accessing dropbox.com, how much will this signature affect the performance of the IPS engine?

Thanks in advance
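The following is an added example, not code from the thread or from Cisco, that shows what the 3202-0 regex quoted above actually matches and how a Host-header match (the URL-based approach mhellman recommends) behaves differently from the destination-IP match in the atomic-ip answer. The sample flows are constructed inline, with addresses from RFC 5737 documentation ranges; `case_insensitive_class`, `host_header_pattern`, `clients_by_host`, `clients_by_dst_ip` and `sig3202_hits` are this example's own names. The Host pattern is written only with constructs that appear in the quoted signature, but it is executed here under Python's `re`, not the sensor's regex engine.

```python
import re
from collections import defaultdict

# The regex quoted from Cisco IPS signature 3202-0. The pattern uses no
# case-insensitive flag, so each letter is a two-character class: this matches
# ".url" in any case, followed by exactly one whitespace byte (space, tab,
# LF or CR).
SIG_3202_REGEX = re.compile(rb"[.][Uu][Rr][Ll][ \t\n\r]")


def case_insensitive_class(text: str) -> str:
    """Expand text into the 3202-0 style: letters become [Xx] classes and '.'
    becomes [.], so 'url' -> '[Uu][Rr][Ll]'. (Example helper, not a Cisco tool.)"""
    parts = []
    for ch in text:
        if ch.isalpha():
            parts.append(f"[{ch.upper()}{ch.lower()}]")
        elif ch == ".":
            parts.append("[.]")
        else:
            parts.append(re.escape(ch))
    return "".join(parts)


def host_header_pattern(domain: str) -> str:
    """Pattern (this example's own, not a Cisco signature) for an HTTP Host
    header naming `domain` or one of its subdomains. It is anchored on the
    preceding CRLF so it only matches a header line, allows an optional :port,
    and requires a whitespace terminator so 'dropbox.com.evil.example' does
    not match 'dropbox.com'."""
    return (
        r"\r\n" + case_insensitive_class("host:") + r"[ \t]*"
        + r"([A-Za-z0-9-]+[.])*"          # any number of subdomain labels
        + case_insensitive_class(domain)
        + r"(:[0-9]+)?[ \t\r\n]"
    )


# Constructed sample traffic: (client IP, destination IP, start of HTTP request).
# Destination addresses are RFC 5737 documentation ranges, not real hosts.
SAMPLE_FLOWS = [
    ("10.1.1.5", "203.0.113.10", b"GET /home HTTP/1.1\r\nHost: www.dropbox.com\r\n\r\n"),
    ("10.1.1.6", "203.0.113.44", b"POST /upload HTTP/1.1\r\nHOST: dl.dropbox.com\r\nContent-Length: 0\r\n\r\n"),
    ("10.1.1.7", "203.0.113.10", b"GET /index.html HTTP/1.1\r\nHost: other.example\r\n\r\n"),
    ("10.1.1.8", "198.51.100.9", b"GET /notdropbox.com/ HTTP/1.1\r\nHost: dropbox.com.evil.example\r\n\r\n"),
    ("10.1.1.9", "198.51.100.9", b"GET /files/readme.URL HTTP/1.1\r\nHost: intranet.example\r\n\r\n"),
    ("10.1.1.5", "203.0.113.44", b"GET /s HTTP/1.1\r\nHost: dropbox.com:443\r\n\r\n"),
]


def clients_by_dst_ip(flows, blocked_ips):
    """What an atomic-ip dst-ip-addr signature sees: every client that sent
    anything to a listed address, whatever site it was asking for."""
    return sorted({client for client, dst, _ in flows if dst in blocked_ips})


def clients_by_host(flows, domain):
    """What a Host-header signature sees: client -> number of requests for
    the site, regardless of which address served it."""
    pattern = re.compile(host_header_pattern(domain).encode())
    hits = defaultdict(int)
    for client, _dst, payload in flows:
        if pattern.search(payload):
            hits[client] += 1
    return dict(hits)


def sig3202_hits(flows):
    """Clients whose request the quoted 3202-0 regex would match."""
    return [client for client, _dst, payload in flows if SIG_3202_REGEX.search(payload)]


if __name__ == "__main__":
    print("3202-0 style pattern for 'host:':", case_insensitive_class("host:"))
    print("atomic-ip match on 203.0.113.10:", clients_by_dst_ip(SAMPLE_FLOWS, {"203.0.113.10"}))
    print("Host-header match on dropbox.com:", clients_by_host(SAMPLE_FLOWS, "dropbox.com"))
    print("3202-0 regex hits:", sig3202_hits(SAMPLE_FLOWS))
```

Run as-is, the destination-IP match reports 10.1.1.5 and 10.1.1.7: it misses 10.1.1.6, whose request for the same site went to a different address, and flags 10.1.1.7, who asked that address for a different site. The Host-header match reports 10.1.1.5 (twice) and 10.1.1.6 only, and the lookalike host sent by 10.1.1.8 is rejected because the pattern requires a terminator after the domain. Before carrying a pattern like `host_header_pattern("dropbox.com")` onto a sensor, check the escape and class syntax against the sensor's own regex reference; only the `[Xx]` and `[.]` forms here are taken from the quoted signature.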
