Cisco Support Community

New Member

SNORT state-based signature to Cisco IDS custom signature

I have done a previous search and realize that there is no good way to convert Snort signatures to Cisco IDS/IPS custom signatures. I was wondering if anyone has ever converted the Snort "state-based" TCP string matched signature into something that Cisco IDS/IPS can interpret. For example:

alert tcp any any -> any any (msg:"CLIENT_TO_SERVER_SIG"; flow:to_server,established; flowbits:set,C_TO_S; flowbits:noalert; content:"|00 01 00 01|"; offset:0; depth:5; sid:1234567890; rev:1;)

alert tcp any any -> any any (msg:"CLIENT_TO_SERVER_SIG"; flow:to_client,established; content:"|01 00 00 00|"; offset:0; depth:5; flowbits:isset,C_TO_S; sid:1234567891; rev:1;)

So basically the first rule does not alert but sets the state, so that when the client initiates the client-to-server connection with the appropriate payload match and the server responds with the designated payload match, the alert fires.

Is there any way to do this with TCP string matching within Cisco IDS/IPS custom signatures? Thanks in advance!

ray
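As an added illustration (not the poster's rules or any Cisco IDS/Snort code), the following Python model replays the flowbits logic of the two rules above over constructed TCP segments: the client pattern silently sets C_TO_S on the flow, and only a matching server reply on that same flow raises the alert. The direction labels and the sample payloads are assumptions made for the example.

```python
# Model of the two-direction flowbits logic from the rules above.
# Constructed example, not Snort or Cisco IDS code.
from dataclasses import dataclass, field

CLIENT_MAGIC = bytes.fromhex("00010001")  # content of rule 1 (flow:to_server)
SERVER_MAGIC = bytes.fromhex("01000000")  # content of rule 2 (flow:to_client)


def content_at(payload: bytes, pattern: bytes, offset: int = 0, depth: int = 5) -> bool:
    """Snort-style content match restricted to payload[offset:offset+depth]."""
    return pattern in payload[offset:offset + depth]


@dataclass
class FlowState:
    """Per-flow state; flowbits are tracked per TCP session, not globally."""
    flowbits: set = field(default_factory=set)


def evaluate(flow: FlowState, direction: str, payload: bytes) -> list:
    """Apply both rules to one established-TCP segment and return raised alerts.

    direction is 'to_server' (client -> server) or 'to_client' (server -> client).
    """
    alerts = []
    # Rule 1: client request sets C_TO_S but never alerts (flowbits:noalert).
    if direction == "to_server" and content_at(payload, CLIENT_MAGIC):
        flow.flowbits.add("C_TO_S")
    # Rule 2: server reply alerts only if C_TO_S was set earlier on this flow.
    if (direction == "to_client" and content_at(payload, SERVER_MAGIC)
            and "C_TO_S" in flow.flowbits):
        alerts.append("CLIENT_TO_SERVER_SIG")
    return alerts


def run_session(segments) -> list:
    """Replay (direction, payload) pairs for one flow and collect the alerts."""
    flow = FlowState()
    alerts = []
    for direction, payload in segments:
        alerts.extend(evaluate(flow, direction, payload))
    return alerts


# Constructed traffic samples (assumed payloads, not captured data).
MATCHING_SESSION = [
    ("to_server", bytes.fromhex("00010001aa")),    # client request matches rule 1
    ("to_client", bytes.fromhex("01000000bb")),    # server reply matches rule 2 -> alert
]
REPLY_ONLY_SESSION = [
    ("to_client", bytes.fromhex("01000000bb")),    # no prior client match -> no alert
]
LATE_OFFSET_SESSION = [
    ("to_server", bytes.fromhex("ffff00010001")),  # pattern present but outside depth 5
    ("to_client", bytes.fromhex("01000000bb")),    # so C_TO_S was never set -> no alert
]
```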

1 REPLY
New Member

Re: SNORT state-based signature to Cisco IDS custom signature

I believe I have figured out that this is possible using a Meta Engine match on multiple signatures - at least looking at one of the pre-defined signatures such as 5748.

222 Views | 0 Helpful | 1 Replies