Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

new signatures


Is it possible to write custome sigantures to address this new ftp vulnerability as well as badtran worm.



New Member

Re: new signatures

Hi Ross,

Here is a screenshot of the parameters you will need to enter in SigWiz Menu for the wu-ftpd vulnerability.

Current Signature: Engine STRING.TCP SIGID 20000

SigName: wu-ftpd heap corruption


0 - Edit ALL Parameters

1 - AlarmInterval =

2 - AlarmThrottle = FireOnce

3 - ChokeThreshold =

4 - Direction = ToService

5 - FlipAddr =

6 - MaxInspectLength =

7 - MinHits = 1

8 - MinMatchLength =

9 - MultipleHits =

10 * RegexString = [ \t][~].*[{][^}]*[\r\n]

11 - ResetAfterIdle = 15

12 - ServicePorts = 21

13 - SigComment =

14 - SigName = wu-ftpd heap corruption

15 - SigStringInfo = Unbalanced {

16 - StripTelnetOptions =

17 - ThrottleInterval = 15

18 - WantFrag =

d - Delete a value

u - UNDO and continue

x - SAVE and continue

We are currently working on the badtrans virus and will let you know as soon as it is ready


Note: The first square backet in the regex has a white space followed by \t.[ \t]

New Member

Re: new signatures

Would you please clarify for the novice where I set these settings? I have not created my own signatures yet and I am interested in doing so.

Thank you,


Cisco Employee

Re: new signatures

Use the SigWiz utility that comes with the 3.0 IDS product. It takes the parameters listed and generates the appropriate configuration file entries.

You can check the config file to see what it auto-generated for you.

Cisco Employee

Re: new signatures

For more information on using SigWizMenu refer to:

The section on Adding New Custom Signatures is what you are asking for.

CreatePlease login to create content