IPS How to create signature to block a specific IP?

Unanswered Question
Sep 24th, 2008

I'm running an IPS and I would like to know the parameters to block a specific IP when creating/configuring a new signature.

I'm trying to block YouTube's IP address by signature and be able to see the alerts-logs of computers trying to access it.

I know the YouTube block can be done with IOS but I need this on the IPS.

Thank you,


wsulym Wed, 09/24/2008 - 09:46
User Badges:
  • Cisco Employee,

I know I dropped this onto some other posting, but it was just easier for me to find it and re-post it... All you do here is use the "atomic-ip" engine, and specify a destination IP address.

Traffic destined to some ip address aaa.bbb.ccc.ddd

sig-name connect to IP address xxx.xxx.xxx.xxx

> engine atomic-ip

> event-action produce-verbose-alert

> specify-ip-addr-options yes

> ip-addr-options ip-addr

> specify-src-ip-addr no

> specify-dst-ip-addr yes

> dst-ip-addr: aaa.bbb.ccc.ddd

mhellman Wed, 09/24/2008 - 11:53
User Badges:
  • Blue, 1500 points or more

It would be more effective and robust to block based on URL. Take a look at 3202-0 for an example.

Zeek Ferraros Thu, 08/02/2012 - 09:13

Sorry it has been a while, but I am looking at the 3202 signature and can see a specific Regex [.][Uu][Rr][Ll][ \t\n\r]

Is there a regex translator/creator link I can use to generate my own or understand the regex expression?

Another question: I would like to use this signature to generate an alert of IPs (hosts) using a specific site (for example: dropbox.com). If I configured this signature with the http service to look for IPs accessing dropbox.com, how much will this signature affect the performance of the IPS engine?

Thanks in advance
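An added example, not part of any post in this thread: it rebuilds the quoted regex fragment character by character to show how it reads (a literal dot, "url" in any letter case, then one whitespace character), then compares an address-only match with a Host-header match over sample traffic. Python's `re` stands in for the sensor's regex engine, and `HOST_PATTERN`, the addresses and the requests are constructed for illustration.

```python
import re

def ci_class_pattern(literal):
    """Spell a literal in the style of the quoted regex: one class per character."""
    parts = []
    for ch in literal:
        if ch.isalpha():
            parts.append("[" + ch.upper() + ch.lower() + "]")  # 'u' -> '[Uu]'
        else:
            esc = "\\" + ch if ch in "\\]^-" else ch
            parts.append("[" + esc + "]")                       # '.' -> '[.]' (literal dot)
    return "".join(parts)

# The fragment quoted in the thread: ".url" in any case, then one whitespace character.
QUOTED_FRAGMENT = ci_class_pattern(".url") + r"[ \t\n\r]"

# Hypothetical pattern for the Host header of dropbox.com or a subdomain of it.
HOST_PATTERN = (ci_class_pattern("Host:") + r"[ \t]*([^\r\n]*[.])?"
                + ci_class_pattern("dropbox.com") + r"[ \t]*[\r\n]")

# Constructed sample traffic: (source IP, destination IP, HTTP request text).
BLOCKED_DST = "203.0.113.10"  # stand-in for aaa.bbb.ccc.ddd
RECORDS = [
    ("10.0.0.5", "203.0.113.10", "GET / HTTP/1.1\r\nHost: www.dropbox.com\r\n\r\n"),
    ("10.0.0.6", "203.0.113.77", "GET / HTTP/1.1\r\nHOST: Dropbox.com\r\n\r\n"),
    ("10.0.0.7", "203.0.113.10", "GET / HTTP/1.1\r\nHost: other.example\r\n\r\n"),
    ("10.0.0.8", "198.51.100.20",
     "GET /?q=dropbox.com HTTP/1.1\r\nHost: notdropbox.com\r\n\r\n"),
]

def ip_hits(records, dst=BLOCKED_DST):
    """Sources an address-only match would alert on."""
    return [src for src, d, _ in records if d == dst]

def host_hits(records, pattern=HOST_PATTERN):
    """Sources a Host-header match would alert on."""
    rx = re.compile(pattern)
    return [src for src, _, req in records if rx.search(req)]

if __name__ == "__main__":
    print("quoted fragment :", QUOTED_FRAGMENT)
    print("host pattern    :", HOST_PATTERN)
    print("address match   :", ip_hits(RECORDS))
    print("Host match      :", host_hits(RECORDS))
```

In this sample the address match misses the request served from a second address and alerts on an unrelated site sharing the listed address, while the Host match follows the site name in either case.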

