Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Community Member

Custom Signature

I want to create a custom signature to detect ftp traffic on ports other than port 21. Would I want to use Atomic.tcp or String.tcp? Can I use an asterik for all ports? and what RegexString value would I use? Thanks for any help.

3 REPLIES
Bronze

Re: Custom Signature

First, I would be very careful about adding a signature that tries to examine all TCP ports. This will most likely cause a large impact to the performance of the sensor. Here is a SigWizMenu screenshot of a possible signature:

Tune Signature Parameters : CSIDS Signature Wizard

___________________________________________________________________________

Current Signature: Engine ATOMIC.TCP SIGID 20000

SigName: FTP Server Traffic

___________________________________________________________________________

0 - Edit ALL Parameters

1 - AlarmInterval =

2 - AlarmThrottle = FireOnce

3 - ChokeThreshold = 100

4 - DstPort =

5 - FlipAddr =

6 - LimitSummary =

7 * Mask = ACK

8 - MaxInspectLength =

9 - MinHits =

10 - PortRange =

11 - ResetAfterIdle = 15

12 - SigComment =

13 - SigName = FTP Server Traffic

14 - SigStringInfo =

15 - SinglePacketRegex = [2][2][0]

16 - SourcePorts =

17 - SrcPort =

18 * StorageKey = SRC

19 * TcpFlags = ACK

20 - ThrottleInterval = 30

21 - WantFrag =

d - Delete a value

u - UNDO and continue

x - SAVE and continue

___________________________________________________________________________

This looks for a 220 condition code from a FTP server. It should listen to all ports by default. Again, this signature will most likely cause a significant perfomance hit to the sensor and should be used with caution.

Community Member

Re: Custom Signature

You're right but the performance hit wasn't too bad. Packetd went from ~10% to ~20% CPU usage. I have another question: This custom sig is massively alarming on all other tcp connection request i.e. web, mail, and everything. Is there more condition code I can add to this sig so that it only fires on FTP service? Thanks for any help.

Bronze

Re: Custom Signature

Ok, you might try this regex as a replacement:

[2][2][0].*[Ff][Tt][Pp].*[\r\n]

This won't obviously work if the FTP server doesn't return the keyword FTP in its banner. It should catch most servers though.

87
Views
0
Helpful
3
Replies
CreatePlease to create content