Can I create a custom Signature and apply it to IDSM? For instance, if I want IDS to catch any traffic with a specific string or URL (MSOffice/cltreq.asp), what should I do? Any advice on Custom Signatures would be much appreciated.
The IDSM has a feature known as Custom String Signatures.
Within CSPM's signature configuration windows there should be a tab for creating Custom Strings.
Simply enter the regular expression that you are looking for (i.e. enter the string), and then state what service ports you want it to look for that string on. Currently the Custom String feature only works on TCP connections and cannot be used for UDP-based connections.
NOTE: The Custom String feature is different from the Custom Signature feature available on the appliance. (Custom String is also supported on the appliance).
The Custom String can only search the data in a TCP connection to the specified port.
With Custom Signatures on the appliance you can search on UDP Connections as well as TCP, and can also write signatures that look at the packet headers themselves rather than just the data in the connection.
Thanks for your info. Much appreciated. One more question for you. In my IIS 5.0 Server log file, I have seen a lot of hits with "www.mydomain.com/Msoffice/cltreq.asp". I would like to block all this traffic. I have added "[/]MSoffice" as a custom String and set it to block. But it didn't work. I have not seen any signature in the IDS database and still see the hits in the log file. According to this link: http://www.trusecure.com/knowledge/hypeorhot/2001/tsa01024.shtml, it is a Nimda hit. Any advice would be much appreciated.
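One thing to check before deploying a custom string is whether it matches the path casing that actually appears in the server log. The following is an added example, not part of the thread and not Cisco code: it assumes the sensor's string match is case-sensitive and uses Python's `re` as a stand-in for the sensor's regex engine; `case_tolerant`, `missed` and the sample request lines are hypothetical.

```python
import re

def case_tolerant(literal):
    """Build a regex that matches the literal in any ASCII letter casing."""
    out = []
    for ch in literal:
        if ch.isascii() and ch.isalpha():
            out.append("[%s%s]" % (ch.upper(), ch.lower()))
        elif ch.isalnum():
            out.append(ch)
        elif ch in "\\]^":
            out.append("\\" + ch)        # these cannot sit alone in a class
        else:
            out.append("[%s]" % ch)      # bracket punctuation, like the post's "[/]"
    return "".join(out)

def missed(pattern, payloads):
    """Return the payloads a case-sensitive search for pattern does not hit."""
    rx = re.compile(pattern)
    return [p for p in payloads if not rx.search(p)]

# Constructed request lines: the first uses the casing quoted from the IIS log,
# the rest are casing variants made up for this test.
SAMPLES = [
    "GET /Msoffice/cltreq.asp HTTP/1.1",
    "GET /MSOffice/cltreq.asp HTTP/1.1",
    "GET /msoffice/cltreq.asp HTTP/1.0",
    "GET /MSoffice/cltreq.asp HTTP/1.0",
]
# Constructed requests that the signature should leave alone.
BENIGN = ["GET /index.html HTTP/1.1", "GET /office/msg.asp HTTP/1.1"]

if __name__ == "__main__":
    posted = "[/]MSoffice"                          # string from the post
    hardened = case_tolerant("/MSoffice/cltreq.asp")
    print("posted pattern misses:", missed(posted, SAMPLES))
    print("hardened pattern:", hardened)
    print("hardened pattern misses:", missed(hardened, SAMPLES))
    print("benign lines left alone:", missed(hardened, BENIGN) == BENIGN)
```

If the sensor's regex syntax differs from Python's, the generated pattern needs adapting before it is entered as a Custom String.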