new signatures

r.zekic
Level 1

Hi,

Is it possible to write custom signatures to address this new FTP vulnerability as well as the Badtrans worm?

regards,

Ross

4 Replies

rdhamank
Level 1

Hi Ross,

Here is a screenshot of the parameters you will need to enter in SigWiz Menu for the wu-ftpd vulnerability.

Current Signature: Engine STRING.TCP SIGID 20000
SigName: wu-ftpd heap corruption
___________________________________________________________________________
 0 - Edit ALL Parameters
 1 - AlarmInterval =
 2 - AlarmThrottle = FireOnce
 3 - ChokeThreshold =
 4 - Direction = ToService
 5 - FlipAddr =
 6 - MaxInspectLength =
 7 - MinHits = 1
 8 - MinMatchLength =
 9 - MultipleHits =
10 * RegexString = [ \t][~].*[{][^}]*[\r\n]
11 - ResetAfterIdle = 15
12 - ServicePorts = 21
13 - SigComment =
14 - SigName = wu-ftpd heap corruption
15 - SigStringInfo = Unbalanced {
16 - StripTelnetOptions =
17 - ThrottleInterval = 15
18 - WantFrag =
 d - Delete a value
 u - UNDO and continue
 x - SAVE and continue

We are currently working on the Badtrans virus and will let you know as soon as it is ready.

Rohit

Note: The first square bracket in the regex has a white space followed by \t: [ \t]
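The regex in the signature above is easy to get wrong when typing it into SigWizMenu, so it helps to check what it actually fires on before deploying it. The following is an added example written for this thread, not code from the original post and not Cisco's STRING.TCP engine: it copies the RegexString from the signature into Python, models Direction = ToService as "only packets whose destination port is ServicePorts (21) are inspected", and runs it over a constructed FTP session. The sample session lines, the host name ftp.example.test and the port numbers are made up for the demonstration; the engine's own regex dialect and stream handling are assumed to behave like Python's re for these inputs.

```python
import re

# RegexString copied from the SigWizMenu signature (STRING.TCP SIGID 20000).
# The leading character class is a space followed by a tab, as the note in
# the post points out; the pattern wants a tilde, then an opening brace with
# no closing brace before the end of the command line ("Unbalanced {").
SIG_REGEX = re.compile(r"[ \t][~].*[{][^}]*[\r\n]")

SERVICE_PORT = 21  # ServicePorts = 21


def signature_matches(payload: str) -> bool:
    """True if the payload contains a '~' followed by an unbalanced '{'
    before a CR or LF. In Python's re, '.' does not cross a newline, so the
    tilde and the brace must sit on the same command line (assumption: the
    IDS engine treats the line the same way)."""
    return SIG_REGEX.search(payload) is not None


def scan_session(packets):
    """Apply the signature to (src_port, dst_port, payload) records.
    Direction = ToService: only client-to-server traffic (dst port 21) is
    inspected; server replies are skipped. Returns the matching payloads."""
    hits = []
    for src_port, dst_port, payload in packets:
        if dst_port != SERVICE_PORT:
            continue  # FromService, not inspected under ToService
        if signature_matches(payload):
            hits.append(payload)
    return hits


# Constructed sample session (not a real capture); client port 40210.
SAMPLE_SESSION = [
    (21, 40210, "220 ftp.example.test FTP server ready.\r\n"),
    (40210, 21, "USER anonymous\r\n"),
    (21, 40210, "331 Guest login ok, send your e-mail address as password.\r\n"),
    (40210, 21, "PASS user@example.test\r\n"),
    (40210, 21, "LIST ~/{pub,incoming}\r\n"),   # balanced braces: benign
    (40210, 21, "CWD ~{\r\n"),                   # unbalanced '{' after '~': fires
    (21, 40210, "550 ~{: No such file or directory.\r\n"),  # server echo, ignored
    (40210, 21, "RETR ~/notes.txt\r\n"),         # tilde but no brace: benign
]


if __name__ == "__main__":
    for hit in scan_session(SAMPLE_SESSION):
        print("ALARM wu-ftpd heap corruption:", hit.strip())
```

Two things worth noticing when testing a signature like this. First, the pattern only completes on a CR or LF, so a test command typed without a line terminator will never match; include the terminator in whatever you feed the sensor. Second, the server's own "550 ~{" reply would match the regex if it were inspected, which is why Direction = ToService matters: it keeps the signature on the client's commands and stops a single probe from producing an extra alarm on the echoed error.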

Would you please clarify for the novice where I set these settings? I have not created my own signatures yet and I am interested in doing so.

Thank you,

Chris

Use the SigWiz utility that comes with the 3.0 IDS product. It takes the parameters listed and generates the appropriate configuration file entries.

You can check the config file to see what it auto-generated for you.

For more information on using SigWizMenu refer to:

http://www.cisco.com/univercd/cc/td/doc/product/iaabu/csids/csids6/12216_02.htm#xtocid1115818

The section on Adding New Custom Signatures is what you are asking for.
