IPS How to create signature to block a specific IP?

Unanswered Question
Sep 24th, 2008

I'm running an IPS and i would like to know the parameters to block a specific IP when creating/configuring a new signature.

I'm trying to block youtube's IP address by signature and be able to see the alerts-logs of computers trying to access it.

I know the youtube block can be done with IOS but i need this on the IPS.

Thank you,

zeek

wsulym Wed, 09/24/2008 - 09:46

I know I dropped this onto some other posting, but it was just easier for me to find it and re-post it... All you do here is use the "atomic-ip" engine, and specify a destination IP address.

Traffic destined to some IP address aaa.bbb.ccc.ddd

sig-name connect to IP address xxx.xxx.xxx.xxx
> engine atomic-ip
> event-action produce-verbose-alert
> specify-ip-addr-options yes
> ip-addr-options ip-addr
> specify-src-ip-addr no
> specify-dst-ip-addr yes
> dst-ip-addr: aaa.bbb.ccc.ddd

mhellman Wed, 09/24/2008 - 11:53

It would be more effective and robust to block based on URL. Take a look at 3202-0 for an example.

Zeek Ferraros Thu, 08/02/2012 - 09:13

Sorry it has been a while, but I am looking at the 3202 signature and can see a specific regex: [.][Uu][Rr][Ll][ \t\n\r]

Is there a regex translator/creator link I can use to generate my own or understand the regex expression?

Another question: I would like to use this signature to generate an alert for IPs (hosts) using a specific site (for example: dropbox.com). If I configured this signature with the http service to look for IPs accessing dropbox.com, how much would this signature affect the performance of the IPS engine?

Thanks in advance
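An added illustration, not from this thread or from Cisco, of the two points raised above: why mhellman's URL/host-based match is more robust than the atomic-ip destination-address match, and what the per-letter [Uu][Rr][Ll] idiom in signature 3202 does (it spells out case-insensitivity, since the IPS regex syntax has no flag for it). The sample HTTP requests, addresses (from the 203.0.113.0/24 documentation range) and host names are constructed.

```python
import re

# Constructed sample flows (hypothetical IPs from the 203.0.113.0/24 documentation
# range and made-up host names); not captured traffic.
SAMPLE_FLOWS = [
    # 1: the site at its usual address
    {"dst_ip": "203.0.113.10",
     "request": "GET /watch?v=abc HTTP/1.1\r\nHost: www.example-video.test\r\n\r\n"},
    # 2: the same site after it moved to another address; mixed-case Host header
    {"dst_ip": "203.0.113.99",
     "request": "GET / HTTP/1.1\r\nHost: EXAMPLE-VIDEO.test\r\n\r\n"},
    # 3: an unrelated site sharing the first address
    {"dst_ip": "203.0.113.10",
     "request": "GET / HTTP/1.1\r\nHost: other.test\r\n\r\n"},
]

def ip_rule(flow, blocked_ip):
    """atomic-ip style: fires on destination address alone, regardless of content."""
    return flow["dst_ip"] == blocked_ip

def case_class(text):
    """Spell each letter as an [Xx] class, the way 3202's [.][Uu][Rr][Ll] does,
    because the IPS regex syntax has no case-insensitive flag; dots become [.]."""
    out = []
    for ch in text:
        if ch.isalpha():
            out.append(f"[{ch.upper()}{ch.lower()}]")
        elif ch == ".":
            out.append("[.]")
        else:
            out.append(re.escape(ch))
    return "".join(out)

def host_rule(flow, site):
    """URL/host based: fires on an HTTP Host header naming the site (or a
    subdomain of it), wherever the server happens to be hosted."""
    pattern = (r"[Hh][Oo][Ss][Tt]:[ \t]*(?:[A-Za-z0-9-]+[.])*"
               + case_class(site) + r"[ \t\r\n]")
    return re.search(pattern, flow["request"]) is not None

def alerts(rule, arg):
    """Return the 1-based sample numbers a rule would alert on."""
    return [i + 1 for i, flow in enumerate(SAMPLE_FLOWS) if rule(flow, arg)]

if __name__ == "__main__":
    # The IP rule misses the moved site (2) and hits the unrelated site (3);
    # the host rule catches both copies of the site and ignores the neighbour.
    print("atomic-ip rule alerts on samples:", alerts(ip_rule, "203.0.113.10"))  # [1, 3]
    print("host rule alerts on samples:", alerts(host_rule, "example-video.test"))  # [1, 2]
```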
