SNORT state-based signature to Cisco IDS custom signature

redray8
Level 1

I have done a previous search and realize that there is no good way to convert Snort signatures to Cisco IDS/IPS custom signatures. I was wondering if anyone has ever converted the Snort "state-based" TCP string matched signature into something that Cisco IDS/IPS can interpret. For example:

# Rule 1: client -> server half; sets the flowbit but never alerts
alert tcp any any -> any any (msg:"CLIENT_TO_SERVER_SIG"; flow:to_server,established; flowbits:set,C_TO_S; flowbits:noalert; content:"|00 01 00 01|"; offset:0; depth:5; sid:1234567890; rev:1;)

# Rule 2: server -> client half; alerts only if the flowbit was set on this flow
# (sid must be unique per rule, so this one differs from rule 1's)
alert tcp any any -> any any (msg:"CLIENT_TO_SERVER_SIG"; flow:to_client,established; content:"|01 00 00 00|"; offset:0; depth:5; flowbits:isset,C_TO_S; sid:1234567891; rev:1;)

So basically the first rule does not alert but sets the state, so that when the client initiates the client-to-server connection with the appropriate payload match, and the server then responds with a designated payload match, the alert fires.

Is there any way to do this with TCP string matching within Cisco IDS/IPS custom signatures? Thanks in advance!

ray

1 Reply

redray8
Level 1

I believe I have figured out that this is possible using a Meta Engine match on multiple signatures - at least looking at one of the pre-defined signatures such as 5748.
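To make the state-based behaviour of the two rules in the question concrete, and to sketch what an "in order, same flow, within a time window" multi-signature match (the approach the reply points at) has to track, here is an added Python model. It is not code from the post or from Snort or Cisco; the flow keys, direction labels, the sample segments and the `meta_engine` function are constructed assumptions for illustration only, and the meta model is a simplified guess at that style of engine, not Cisco's implementation.

```python
"""Flowbits-style stateful matching over a constructed TCP exchange.

Models the two Snort rules from the post: the to_server rule sets a
per-flow bit without alerting; the to_client rule alerts only when its
content matches AND the bit is already set on the same flow.
"""

C_TO_S_CONTENT = b"\x00\x01\x00\x01"   # client -> server pattern (from the post)
S_TO_C_CONTENT = b"\x01\x00\x00\x00"   # server -> client pattern (from the post)
OFFSET, DEPTH = 0, 5                    # offset/depth values from the post


def content_match(payload, content, offset=OFFSET, depth=DEPTH):
    """Snort offset/depth semantics: the pattern must lie entirely inside
    the `depth` bytes that start at `offset`."""
    return content in payload[offset:offset + depth]


def run_flowbits(segments):
    """Apply the two rules to (flow, direction, payload) tuples in arrival
    order and return the alerts that would fire.

    `flow` is a hypothetical connection key (a string here) so the bit is
    tracked per connection, as Snort flowbits are."""
    flowbits = {}   # flow -> set of bit names
    alerts = []
    for flow, direction, payload in segments:
        bits = flowbits.setdefault(flow, set())
        # Rule 1: flow:to_server; content; flowbits:set,C_TO_S; flowbits:noalert
        if direction == "to_server" and content_match(payload, C_TO_S_CONTENT):
            bits.add("C_TO_S")        # noalert: state only, nothing fires
        # Rule 2: flow:to_client; content; flowbits:isset,C_TO_S -> alert
        elif (direction == "to_client"
              and content_match(payload, S_TO_C_CONTENT)
              and "C_TO_S" in bits):
            alerts.append((flow, "CLIENT_TO_SERVER_SIG"))
    return alerts


def meta_engine(component_hits, window=60, order=("SIG_A", "SIG_B")):
    """Simplified, assumed model of a multi-component 'meta' signature:
    fire when every component in `order` fired on the same flow, in that
    order, within `window` seconds of the first component.
    `component_hits` holds (timestamp, flow, component_sig_name)."""
    progress = {}   # flow -> (index of next expected component, first timestamp)
    alerts = []
    for ts, flow, sig in sorted(component_hits):
        idx, start = progress.get(flow, (0, ts))
        if idx and ts - start > window:
            idx = 0                   # window expired: start the sequence over
        if sig == order[idx]:
            if idx == 0:
                start = ts
            idx += 1
            if idx == len(order):
                alerts.append((flow, "META"))
                idx = 0
            progress[flow] = (idx, start)
        # a component that arrives out of order does not advance the sequence
    return alerts


# Constructed sample traffic (not from the post). Flow A is the full
# client->server then server->client exchange; B has only the server half;
# C has the halves in the wrong order; D shows the offset/depth window.
SAMPLE = [
    ("A", "to_server", b"\x00\x01\x00\x01\x00\x05hello"),
    ("B", "to_client", b"\x01\x00\x00\x00xyz"),
    ("C", "to_client", b"\x01\x00\x00\x00"),
    ("A", "to_client", b"\x01\x00\x00\x00\x00\x00ok"),
    ("C", "to_server", b"\x00\x01\x00\x01"),
    ("D", "to_server", b"\xff\x00\x01\x00\x01"),       # pattern at byte 1, inside depth 5
    ("D", "to_client", b"\xff\xff\x01\x00\x00\x00"),   # pattern runs past byte 5: no match
]

# Constructed component hits for the meta model: (timestamp, flow, component)
META_SAMPLE = [
    (0, "A", "SIG_A"), (5, "A", "SIG_B"),        # in order, within window
    (0, "B", "SIG_B"), (3, "B", "SIG_A"),        # out of order
    (0, "C", "SIG_A"), (100, "C", "SIG_B"),      # in order, but window expired
]

if __name__ == "__main__":
    print(run_flowbits(SAMPLE))     # only flow A alerts
    print(meta_engine(META_SAMPLE)) # only flow A alerts
```

Only flow A produces an alert in both models: the server-side pattern alone (flow B), the wrong ordering (flow C) and a pattern that straddles the depth window (flow D) all stay silent, which is exactly the behaviour the question is after.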
