Cisco Support Community

New Member

help me build a custom sig

Can I build a signature (and if so can you walk me through how) to alert me of any traffic containing "filename.exe"?

So that for example if an email was on its way to our mailserver with such a file attached or a user was downloading such a file via FTP or through a link in a web page, I could reset the connection or at least generate an alert indicating the activity was taking place?

2 REPLIES
Silver

Re: help me build a custom sig

The documentation on creating custom signatures for your reference:

http://www.cisco.com/univercd/cc/td/doc/product/iaabu/csids/csids12/cliguide/clisgdef.htm#wp1042406

Gold

Re: help me build a custom sig

You could just create a string TCP signature similar to 3130-0 that only looks for the filename (on ports 21,25,80). You can use the 'clone' button to copy an existing sig. That would be pretty generic and may be prone to false positives though.

You could also create 3 signatures that are more specific to the protocols you want to inspect (SMTP,HTTP,FTP). Take a look at 3110-0 for how you would do this with the SMTP state engine. See 5326-0 for an HTTP engine example (this detects GET requests only though, not files returned from a POST request). The 3110 example above should work for FTP (port 21).
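The two approaches in the reply above, a single generic string match on ports 21/25/80 versus three protocol-specific checks for FTP, SMTP and HTTP, are contrasted in the added example below. It is not code from the thread or from Cisco; it is a small Python model of the matching logic, with constructed sample payloads, that shows where the generic string signature alerts on a mere mention of the file name while the protocol-aware checks only fire on an actual transfer. "filename.exe" is the placeholder from the question, and the example.test hosts and addresses are constructed.

```python
import re
from typing import Optional

# Placeholder file name taken from the question; not a real indicator.
TARGET = "filename.exe"
TARGET_RE = re.escape(TARGET).encode()

# Generic check in the spirit of a string-TCP signature: the literal name
# anywhere in the payload on any of the inspected service ports.
GENERIC_PORTS = {21, 25, 80}


def generic_match(dst_port: int, payload: bytes) -> bool:
    """True if the name appears anywhere in traffic to an inspected port."""
    if dst_port not in GENERIC_PORTS:
        return False
    return re.search(TARGET_RE, payload, re.IGNORECASE) is not None


# Protocol-aware checks, one per service, mirroring the "3 signatures" idea.
# Each only matches where a transfer of that file would actually be named.
FTP_RE = re.compile(rb"^(?:RETR|STOR)\s+(?:.*/)?" + TARGET_RE + rb"\r?$",
                    re.IGNORECASE | re.MULTILINE)
SMTP_RE = re.compile(rb"^Content-Disposition:\s*attachment;.*?\bfilename=\"?"
                     + TARGET_RE + rb"\"?", re.IGNORECASE | re.MULTILINE)
HTTP_RE = re.compile(rb"^GET\s+\S*/" + TARGET_RE + rb"(?:\?\S*)?\s+HTTP/1\.[01]\r?$",
                     re.IGNORECASE | re.MULTILINE)


def protocol_match(dst_port: int, payload: bytes) -> Optional[str]:
    """Return 'ftp', 'smtp' or 'http' when the service-specific check fires, else None."""
    if dst_port == 21 and FTP_RE.search(payload):
        return "ftp"
    if dst_port == 25 and SMTP_RE.search(payload):
        return "smtp"
    if dst_port == 80 and HTTP_RE.search(payload):
        return "http"
    return None


# Constructed sample payloads (label, destination port, bytes to the service).
SAMPLES = [
    ("ftp-retr", 21, b"USER anon\r\nPASS x@example.test\r\nRETR pub/filename.exe\r\n"),
    ("smtp-attach", 25, b"Subject: report\r\nMIME-Version: 1.0\r\n"
                        b"Content-Type: application/octet-stream\r\n"
                        b"Content-Disposition: attachment; filename=\"filename.exe\"\r\n"
                        b"\r\nTVqQAAMAAAAEAAAA\r\n"),
    ("http-get", 80, b"GET /dl/filename.exe HTTP/1.1\r\nHost: www.example.test\r\n\r\n"),
    # Mentions the name in a Referer header only: no file is being fetched.
    ("http-mention", 80, b"GET /faq.html HTTP/1.1\r\nHost: www.example.test\r\n"
                         b"Referer: http://x.example.test/why-we-block-filename.exe\r\n\r\n"),
    # Mentions the name in the mail body text: no attachment present.
    ("smtp-body-text", 25, b"Subject: reminder\r\n\r\n"
                           b"Please do not run filename.exe on your workstation.\r\n"),
    # A port neither approach inspects.
    ("ssh", 22, b"RETR filename.exe"),
]


def evaluate(samples=SAMPLES):
    """Run both detectors; returns {label: (generic_fired, protocol_name_or_None)}."""
    return {label: (generic_match(port, data), protocol_match(port, data))
            for label, port, data in samples}


if __name__ == "__main__":
    for label, (generic, proto) in evaluate().items():
        print(f"{label:16} generic={str(generic):5} protocol={proto}")
```

The two "mention" samples are the false positives the reply warns about: the generic string match alerts on them, while the per-protocol checks stay quiet because nothing is being transferred. A real IPS signature has the same trade-off, so the service-specific form costs three signatures but produces alerts worth acting on.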
