Doc/Custom Signature Examples for IPS

Unanswered Question
Apr 3rd, 2009

Are there any additional sources of information for creating custom signatures for IPS? I am working with an SSM-10 module in an ASA. The product docs are great for install and basic tuning but I need a bit more for signatures/actions.

We are trying to stop dictionary attacks being thrown at one of our servers and would like to shut down access to a source address after a few failed tries.

Farrukh Haroon Wed, 04/15/2009 - 23:17

What kind of application is this? If it's using Active Directory logon then there is a built-in signature that you can clone and modify as necessary. Other protocols also have authentication signatures AFAIK. If it's not already there you need to use the link provided by htarra to create a signature yourself. If the protocol is clear-text you can just do a regular string signature to look for the auth. failure string/OP code.



jtcollins Thu, 04/16/2009 - 06:50

Hi Farrukh,

It is RADIUS authentication using IAS. The client has numerous services/devices that are exposed and use this type of authentication. Someone is throwing dictionary attacks against them all the time. I had hoped to be able to shut this down based on source IP after about three failed attempts.

Do you know if there are any existing signatures that could be modified to accomplish this?



ruppala Fri, 05/01/2009 - 11:05

If you can provide us with the pcaps of the failed login attempts, I will be able to look into it and see if a signature is possible.

Thanks,


IPS Signature Engineering

Cisco Systems Inc
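
The counting logic the thread asks for (act on a source after about three failed RADIUS logins), as an added Python example that is not part of the original posts and is not Cisco IPS signature syntax. An Access-Reject is addressed to the NAS rather than to the client, so the sketch pairs each reject with its Access-Request by identifier and counts per Calling-Station-Id. It assumes the NAS puts the client address in that attribute; the function names and the sample packets are constructed for illustration.

```python
import struct
from collections import defaultdict

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3  # RADIUS codes (RFC 2865)
CALLING_STATION_ID = 31  # attribute type; assumed here to carry the client address

def parse_radius(pkt):
    """Return (code, identifier, {attr_type: value}), or None if malformed."""
    length = int.from_bytes(pkt[2:4], "big")  # declared packet length
    if not 20 <= length <= len(pkt):
        return None
    attrs, pos = {}, 20  # attributes follow the 20-byte header
    while pos + 2 <= length:
        a_type, a_len = pkt[pos], pkt[pos + 1]
        if a_len < 2 or pos + a_len > length:
            return None
        attrs[a_type] = pkt[pos + 2:pos + a_len]
        pos += a_len
    return pkt[0], pkt[1], attrs

def sources_to_block(events, threshold=3, window=60.0):
    """events: time-ordered (timestamp, nas_ip, raw_radius_packet) tuples."""
    pending = {}                 # (nas_ip, identifier) -> caller awaiting a reply
    rejects = defaultdict(list)  # caller -> timestamps of recent Access-Rejects
    flagged = []
    for ts, nas_ip, raw in events:
        parsed = parse_radius(raw)
        if parsed is None:
            continue
        code, ident, attrs = parsed
        if code == ACCESS_REQUEST and CALLING_STATION_ID in attrs:
            pending[(nas_ip, ident)] = attrs[CALLING_STATION_ID].decode("ascii", "replace")
        elif code in (ACCESS_ACCEPT, ACCESS_REJECT):
            caller = pending.pop((nas_ip, ident), None)
            if caller is None or code == ACCESS_ACCEPT:
                continue
            # keep only failures inside the sliding window, then add this one
            rejects[caller] = [t for t in rejects[caller] if ts - t <= window] + [ts]
            if len(rejects[caller]) >= threshold and caller not in flagged:
                flagged.append(caller)
    return flagged

def build(code, ident, caller=""):  # helper for the constructed sample below
    attr = bytes([CALLING_STATION_ID, len(caller) + 2]) + caller.encode() if caller else b""
    return struct.pack("!BBH", code, ident, 20 + len(attr)) + bytes(16) + attr

NAS = "192.0.2.10"  # constructed addresses from the documentation ranges
TRIES = [(0.0, 1, "203.0.113.7"), (5.0, 2, "203.0.113.7"), (9.0, 3, "198.51.100.20"), (12.0, 4, "203.0.113.7")]
SAMPLE = [ev for t, i, c in TRIES for ev in
          ((t, NAS, build(ACCESS_REQUEST, i, c)), (t + 0.1, NAS, build(ACCESS_REJECT, i)))]
```

`sources_to_block(SAMPLE)` returns the one caller with three rejects inside the window; the caller with a single failed login is left alone.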

