I have done a previous search and realize that there is no good way to convert Snort signatures to Cisco IDS/IPS custom signatures. I was wondering if anyone has ever converted the Snort "state-based" TCP string matched signature into something that Cisco IDS/IPS can interpret. For example:
ALERT TCP ANY ANY -> ANY ANY (MSG:"CLIENT_TO_SERVER_SIG";FLOW:TO_SERVER, ESTABLISHED; FLOWBITS: SET, C_TO_S; FLOWBITS: NOALERT; CONTENT: "|00 01 00 01|"; OFFSET:0; DEPTH: 5; SID: 1234567890; REV:1)
ALERT TCP ANY ANY -> ANY ANY (MSG:"CLIENT_TO_SERVER_SIG";FLOW:TO_CLIENT, ESTABLISHED; CONTENT:'|01 00 00 00|"; OFFSET:0; DEPTH: 5; FLOWBITS: ISSET, C_TO_S; SID: 1234567890; REV:1)
So basically the first rule does not alert but sets the state so that when the client initiates the client to server connection with the appropriate payload match, and the server responds with a designated payload match then fire the alert.
Is there any way to do this with TCP string matching within Cisco IDS/IPS custom signatures? Thanks in advance!
ray