SNORT state-based signature to Cisco IDS custom signature

Unanswered Question
Nov 3rd, 2008

I have done a previous search and realize that there is no good way to convert Snort signatures to Cisco IDS/IPS custom signatures. I was wondering if anyone has ever converted the Snort "state-based" TCP string matched signature into something that Cisco IDS/IPS can interpret. For example:

# Rule 1: match the client request, set the flowbit, never alert on its own
alert tcp any any -> any any (msg:"CLIENT_TO_SERVER_SIG"; flow:to_server,established; content:"|00 01 00 01|"; offset:0; depth:5; flowbits:set,C_TO_S; flowbits:noalert; sid:1234567890; rev:1;)

# Rule 2: match the server response only if the flowbit was set in this flow (needs its own SID)
alert tcp any any -> any any (msg:"CLIENT_TO_SERVER_SIG"; flow:to_client,established; content:"|01 00 00 00|"; offset:0; depth:5; flowbits:isset,C_TO_S; sid:1234567891; rev:1;)

So basically, the first rule does not alert but sets the state, so that when the client initiates the client-to-server connection with the appropriate payload match and the server responds with the designated payload match, the alert fires.

Is there any way to do this with TCP string matching within Cisco IDS/IPS custom signatures? Thanks in advance!

ray
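To make the state logic of the two rules explicit before trying to express it as a Cisco IPS signature, here is an added example that emulates the flowbits pair in a small flow-tracking engine. This is illustration code written for this page, not Snort, Cisco IPS or the poster's code; the flow keys, the `to_server`/`to_client` direction labels and the sample payloads are constructed, and real `flow:established` handling (deriving direction from the TCP handshake) is assumed rather than implemented.

```python
# Added example (not from the thread): emulate the two-rule Snort flowbits pair
# from the question so the per-flow state logic can be checked in isolation.
# Endpoints, direction labels and payloads below are constructed for the demo.
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

Endpoint = Tuple[str, int]           # (ip, port)
FlowKey = Tuple[Endpoint, Endpoint]  # (client, server)

# Rule 1 content "|00 01 00 01|", rule 2 content "|01 00 00 00|", both offset:0; depth:5
C_TO_S_PATTERN = bytes.fromhex("00010001")
S_TO_C_PATTERN = bytes.fromhex("01000000")
OFFSET, DEPTH = 0, 5
FLOWBIT = "C_TO_S"
ALERT_MSG = "CLIENT_TO_SERVER_SIG"


def content_match(payload: bytes, pattern: bytes, offset: int = OFFSET, depth: int = DEPTH) -> bool:
    """Snort-style content check: the pattern must lie inside payload[offset:offset+depth]."""
    return pattern in payload[offset:offset + depth]


@dataclass
class Flow:
    """Per-flow state; flowbits in Snort are scoped to one flow, not global."""
    bits: Set[str] = field(default_factory=set)


class FlowbitsEngine:
    """Evaluates the two rules against packets of already-established flows.
    Direction ('to_server' / 'to_client') is taken as given here; a real engine
    derives it from the TCP handshake, which flow:established also requires."""

    def __init__(self) -> None:
        self.flows: Dict[FlowKey, Flow] = {}
        self.alerts: List[Tuple[str, FlowKey]] = []

    def process(self, client: Endpoint, server: Endpoint, direction: str, payload: bytes) -> bool:
        """Return True if rule 2 fires for this packet."""
        key: FlowKey = (client, server)
        flow = self.flows.setdefault(key, Flow())
        if direction == "to_server":
            # Rule 1: flowbits:set,C_TO_S; flowbits:noalert -> record state, never alert
            if content_match(payload, C_TO_S_PATTERN):
                flow.bits.add(FLOWBIT)
            return False
        if direction == "to_client":
            # Rule 2: content match AND flowbits:isset,C_TO_S -> alert
            if FLOWBIT in flow.bits and content_match(payload, S_TO_C_PATTERN):
                self.alerts.append((ALERT_MSG, key))
                return True
            return False
        raise ValueError(f"unknown direction: {direction}")


def run_demo() -> List[Tuple[str, FlowKey]]:
    """Three constructed flows: only the first satisfies both rules in order."""
    eng = FlowbitsEngine()
    a = (("10.0.0.1", 40001), ("10.0.0.2", 8888))
    b = (("10.0.0.3", 40002), ("10.0.0.2", 8888))
    c = (("10.0.0.4", 40003), ("10.0.0.2", 8888))
    packets = [
        # flow a: client request matches, server reply matches -> alert
        (*a, "to_server", b"\x00\x01\x00\x01\x7f"),
        (*a, "to_client", b"\x01\x00\x00\x00\x7f"),
        # flow b: server reply matches but the client never set the bit -> no alert
        (*b, "to_client", b"\x01\x00\x00\x00\x7f"),
        # flow c: client pattern falls outside offset+depth, reply matches -> no alert
        (*c, "to_server", b"\xff\xff\x00\x01\x00\x01"),
        (*c, "to_client", b"\x01\x00\x00\x00"),
    ]
    for client, server, direction, payload in packets:
        eng.process(client, server, direction, payload)
    return eng.alerts


if __name__ == "__main__":
    for msg, (client, server) in run_demo():
        print(f"ALERT {msg}: {client[0]}:{client[1]} <-> {server[0]}:{server[1]}")
```

The point the emulation makes visible is that the two content matches are not independent: the second only counts when the first was seen earlier in the same flow, so any Cisco IPS equivalent has to correlate two component matches on one connection rather than fire on the server response alone.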

redray8 Tue, 11/04/2008 - 11:45

I believe I have figured out that this is possible using a Meta Engine match on multiple signatures - at least looking at one of the pre-defined signatures such as 5748.
