Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 
Community Member

How to apply signatures to IDS 3.0

I got signatures for yahoo , icq chat etc. I want to apply them to Cisco IDS using CSPM.

I want to tear the connection whenever signature match occurs for any of the chat programs.

Please let me know where and how to put the signatures and also, how do I configure the CSPM to tear the connection.

Cisco Employee

Re: How to apply signatures to IDS 3.0

CSPM has screens for Custom Connection Signatures (TCP SYN packets to specific ports, and UDP packets to specific ports). These can be used if your signatures are just looking for SYN packets to some port.

If they are UDP packets then they can have the connection torn down.

If they are TCP packets then you can set the action to TCP Reset.

NOTE: For the TCP Reset to work with the TCP Connection Signature you will need to add the line "LevelOfTrafficLogging 4" to the Epilogue configuration in CSPM. Normally the sig will fire for SYN packets, but the SYN packet does not contain enough information for the Reset to work, so setting LevelOfTrafficLogging to 4 changes the sig to fire on SYN/ACK packets which do have enough information to reset the connection.

CSPM also has screens for Custom String Matches. If you signatures are regular expressions then you can enter them as Custom String Matches and configure an action of TCP Reset.

If, however, you are trying to create a Custom Signature that uses the signature engines in 3.1, then you will need to use IDM or .SigWizMenu to create the signatures and set the actions to TCP Reset.

Once the signatures are created you can then copy the lines from the SigUser.conf and SigSettings.conf file for those signatures and paste them into the Epilogue window in CSPM (it pastes those exact lines to the bottom of packetd.conf).

CreatePlease to create content