Cisco Support Community

Cisco Employee

Signatures for a recent CERT advisory...

For those who just might want to use the IPS to help detect and block sites listed in a recent CERT advisory.

Here's how you'd do it.

Both signatures are written using the ATOMIC-IP engine. I'll just point out the fields that need to be changed; I'll leave out things like sig name and severity, and you can change the actions to whatever you desire.

Case 1:

Traffic destined to some IP address aaa.bbb.ccc.ddd

sig-name connect to IP address xxx.xxx.xxx.xxx
> engine atomic-ip
> event-action produce-verbose-alert
> specify-ip-addr-options yes
> ip-addr-options ip-addr
> specify-src-ip-addr no
> specify-dst-ip-addr yes
> dst-ip-addr aaa.bbb.ccc.ddd

Case 2:

A DNS query for something.

sig-name DNS query
> engine atomic-ip
> event-action produce-verbose-alert
> specify-l4-protocol yes
> l4-protocol udp
> specify-dst-port yes
> dst-port 53
> specify-payload-inspection yes
> regex-string (see below on what should be here)

For the DNS regex, you need to be aware that the query will take the form of:

length-byte -- characters -- length-byte -- characters

So something like my.domain.com is 2 characters, 6 characters, then 3 characters, which gets strung together as such:

\x02[Mm][Yy]\x06[Dd][Oo][Mm][Aa][Ii][Nn]\x03[Cc][Oo][Mm]

That is the regex to catch my.domain.com regardless of case in a DNS query (UDP).

(Note that the dots in the name do not appear in the regex string.)

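The label-encoding rule behind that regex, as an added example that is not part of the original post: the script below generates the length-prefixed, case-insensitive regex string for any hostname and checks it against constructed DNS query payloads (the header values, the names, and the `dns_regex_for_name`/`build_dns_query`/`regex_hits` helpers are all mine, not Cisco IPS code). It also shows why a naive `my\.domain\.com` pattern never fires on UDP/53 traffic, and that the post's unanchored string also matches a longer name such as my.domain.com.other.example; the optional `anchor_end` tail is my addition and assumes the sensor's regex engine accepts `\x00`.

```python
import re
import struct

# Constructed 12-byte DNS header: ID 0x1234, standard query with RD set, QDCOUNT=1.
_DNS_HEADER = struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 0)


def dns_regex_for_name(name: str, anchor_end: bool = False) -> str:
    """Turn a domain name into the regex string the post describes for the
    ATOMIC-IP regex-string field.

    Each label becomes \\xNN (its length) followed by one [Uu] class per
    letter; digits and hyphens stay literal; the dots disappear entirely.
    anchor_end=True appends \\x00 (the QNAME terminator), so a query for
    my.domain.com.other.example no longer matches.  That anchoring is an
    addition of this example and assumes the sensor accepts \\x00.
    """
    parts = []
    for label in name.strip(".").lower().split("."):
        if not 1 <= len(label) <= 63:
            raise ValueError(f"DNS label must be 1-63 bytes: {label!r}")
        parts.append(f"\\x{len(label):02x}")          # length byte, e.g. \x06
        for ch in label:
            if ch.isalpha():
                parts.append(f"[{ch.upper()}{ch}]")    # case-insensitive letter
            elif ch.isdigit() or ch == "-":
                parts.append(ch)
            else:
                raise ValueError(f"unsupported hostname character: {ch!r}")
    if anchor_end:
        parts.append("\\x00")
    return "".join(parts)


def encode_qname(name: str) -> bytes:
    """Wire-format QNAME: a length byte plus label bytes per label, then 0x00."""
    out = b""
    for label in name.strip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_dns_query(name: str, qtype: int = 1, qclass: int = 1) -> bytes:
    """Constructed UDP/53 payload: header, QNAME, QTYPE (1 = A), QCLASS (1 = IN)."""
    return _DNS_HEADER + encode_qname(name) + struct.pack("!HH", qtype, qclass)


def regex_hits(regex: str, payload: bytes) -> bool:
    """Apply a signature regex to a payload the way the sensor would: an
    unanchored search over raw bytes.  \\xNN escapes are valid in Python
    bytes patterns, so the post's string compiles as-is."""
    return re.search(regex.encode("ascii"), payload) is not None


if __name__ == "__main__":
    sig = dns_regex_for_name("my.domain.com")
    print(sig)  # identical to the regex string given in the post
    for qname in ("MY.Domain.COM", "www.my.domain.com", "mydomain.com",
                  "my.domain.com.other.example"):
        print(f"{qname:30} hit={regex_hits(sig, build_dns_query(qname))}")
    print("naive dotted regex hits:",
          regex_hits(r"my\.domain\.com", build_dns_query("my.domain.com")))
    print("anchored regex hits longer name:",
          regex_hits(dns_regex_for_name("my.domain.com", anchor_end=True),
                     build_dns_query("my.domain.com.other.example")))
```

Run it to see that mixed-case and subdomain queries for my.domain.com fire, the single-label mydomain.com does not (no 0x02 length byte precedes "my"), and the dotted form of the name never appears in the packet, which is exactly why the dots must be left out of the regex string.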