Cisco Support Community
Cisco Employee

Signatures for a recent CERT advisory...

For those who just might want to use the IPS to help detect and block sites listed in a recent CERT advisory.

Here's how you'd do it.

Both signatures are written using the ATOMIC-IP engine. I'll just point out the fields that need to be changed; I'll leave out things like sig name and severity, and you can change the actions to whatever you desire.

Case 1:

Traffic destined to some IP address aaa.bbb.ccc.ddd

sig-name connect to IP address

> engine atomic-ip

> event-action produce-verbose-alert

> specify-ip-addr-options yes

> ip-addr-options ip-addr

> specify-src-ip-addr no

> specify-dst-ip-addr yes

> dst-ip-addr: aaa.bbb.ccc.ddd

Case 2:

A DNS query for something.

sig-name DNS query

> engine atomic-ip

> event-action produce-verbose-alert

> specify-l4-protocol yes

> l4-protocol udp

> specify-dst-port yes

> dst-port 53

> specify-payload-inspection yes

> regex-string (see below on what should be here)

For the DNS regex, you need to be aware that the query will take the form of:

length-byte -- characters -- length-byte -- characters

So something like 2 characters, 6 characters, then 3 characters gets strung together as such:


That is the regex to catch, regardless of case, in a DNS query (UDP).

(Note that the dots in the name do not appear in the regex string.)
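To make the length-byte encoding concrete, here is an added example (not from the original post, and not Cisco's own tooling) that builds the case-insensitive regex for a name, generates a constructed DNS query packet, and checks that the regex fires on it. The name `ab.sample.org` is a constructed placeholder with the 2/6/3-character labels discussed above; the regex uses `\xNN` byte escapes and `[aA]` character classes, which is an assumption about the syntax the IPS regex engine accepts. It also goes slightly beyond the post with an optional `exact` flag that appends the terminating root label so subdomains of the name are not matched.

```python
import re
import struct

def dns_name_regex(name: str, exact: bool = False) -> str:
    """Return a regex matching `name` as it appears in a DNS QNAME:
    each label is preceded by its one-byte length and the dots are absent.
    Letters become [aA]-style classes so the match ignores case.
    With exact=True the root-label terminator (\\x00) is appended so that
    ab.sample.org.uk is NOT matched when looking for ab.sample.org."""
    parts = []
    for label in name.strip(".").split("."):
        if not 1 <= len(label) <= 63:
            raise ValueError(f"label length out of range: {label!r}")
        parts.append(f"\\x{len(label):02x}")          # the length byte
        for ch in label:
            if ch.isalpha():
                parts.append(f"[{ch.lower()}{ch.upper()}]")
            elif ch.isdigit() or ch == "-":
                parts.append(ch)                    # literal, not special
            else:
                raise ValueError(f"illegal hostname character: {ch!r}")
    if exact:
        parts.append("\\x00")
    return "".join(parts)

def build_dns_query(name: str, txid: int = 0x1234) -> bytes:
    """Constructed sample packet: a minimal standard query for an A record
    (12-byte header, length-prefixed QNAME, root terminator, QTYPE, QCLASS)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(l)]) + l.encode("ascii")
                     for l in name.strip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)

def query_matches(packet: bytes, name: str, exact: bool = False) -> bool:
    """True if the signature regex for `name` fires on the UDP payload."""
    return re.search(dns_name_regex(name, exact).encode("ascii"), packet) is not None

if __name__ == "__main__":
    print(dns_name_regex("ab.sample.org"))
    print(query_matches(build_dns_query("AB.Sample.ORG"), "ab.sample.org"))
```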