
IPS How to create signature to block a specific IP?

Shannon Sutter
Level 1

I'm running an IPS and I would like to know the parameters to block a specific IP when creating/configuring a new signature.

I'm trying to block YouTube's IP address by signature and be able to see the alerts-logs of computers trying to access it.

I know the YouTube block can be done with IOS but I need this on the IPS.

Thank you,

zeek

3 Replies

wsulym
Cisco Employee

I know I dropped this onto some other posting, but it was just easier for me to find it and re-post it... All you do here is use the "atomic-ip" engine, and specify a destination IP address.

Traffic destined to some ip address aaa.bbb.ccc.ddd

    sig-name connect to IP address xxx.xxx.xxx.xxx
    > engine atomic-ip
    > event-action produce-verbose-alert
    > specify-ip-addr-options yes
    > ip-addr-options ip-addr
    > specify-src-ip-addr no
    > specify-dst-ip-addr yes
    > dst-ip-addr: aaa.bbb.ccc.ddd

mhellman
Level 7

It would be more effective and robust to block based on URL. Take a look at 3202-0 for an example.

Sorry it has been a while, but I am looking at the 3202 signature and can see a specific Regex [.][Uu][Rr][Ll][ \t\n\r]

Is there a regex translator/creator link I can use to generate my own or understand the regex expression?

Another question: I would like to use this signature to generate an alert of IPs (hosts) using a specific site (for example: dropbox.com). If I configured this signature with the http service to look for IPs accessing dropbox.com, how much will this signature affect the performance of the IPS engine?

Thanks in advance
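
Added example (not part of the original thread and not Cisco code): a short Python sketch that reads the regex fragment quoted above one bracketed class at a time, and generates a pattern in the same style for a host name such as dropbox.com. It assumes the sensor treats these simple bracketed classes the way Python's `re` does; the function names and the sample lines are constructed for illustration.

```python
import re

# Fragment quoted in the thread, kept as a raw string so \t \n \r stay as written.
SIG_3202_FRAGMENT = r"[.][Uu][Rr][Ll][ \t\n\r]"
NAMES = {" ": "space", "\t": "tab", "\n": "newline", "\r": "carriage return"}

def explain(pattern: str) -> list[str]:
    """Describe each bracketed class: exactly one character from the set must match."""
    steps = []
    for body in re.findall(r"\[([^\]]+)\]", pattern):
        chars = body.encode().decode("unicode_escape")  # \t -> real tab, etc.
        steps.append("one of: " + ", ".join(NAMES.get(c, c) for c in chars))
    return steps

def ci_pattern(hostname: str) -> str:
    """Spell out a host name in the same style: one class per character,
    letters listed in both cases so the match is case-insensitive."""
    out = []
    for ch in hostname:
        if ch.isalpha():
            out.append(f"[{ch.upper()}{ch.lower()}]")
        elif ch.isdigit() or ch in ".-":
            out.append(f"[{ch}]")  # a class of one character matches it literally
        else:
            raise ValueError(f"unsupported character in host name: {ch!r}")
    return "".join(out)

# Constructed sample lines, not captured traffic.
SAMPLES = [
    "GET /shortcut.URL HTTP/1.0\r\n",   # ".URL" followed by a space
    "GET /shortcut.url\r\n",            # ".url" followed by a carriage return
    "GET /shortcut.urls HTTP/1.0\r\n",  # no whitespace after "url"
    "Host: www.DropBox.com\r\n",        # mixed-case host name
]

def hits(pattern: str, lines: list[str]) -> list[bool]:
    """Return, per line, whether the pattern matches anywhere in it."""
    rx = re.compile(pattern)
    return [bool(rx.search(line)) for line in lines]

if __name__ == "__main__":
    for step in explain(SIG_3202_FRAGMENT):
        print(step)
    print(hits(SIG_3202_FRAGMENT, SAMPLES))
    print(ci_pattern("dropbox.com"), hits(ci_pattern("dropbox.com"), SAMPLES))
```
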
