
New Member

NIDS Signatures for CSA?

I understand that CSA is a behavior based HIDS. But what I would like to do, if possible, is supplement its policies with network layer signatures for monitoring purposes. Basically I would like to identify known exploit attempts.

Is this available/possible?


Re: NIDS Signatures for CSA?

CSA can act as a file monitor for known exploits by using a file monitor rule. You just need to know what you are looking for.

You can also create rules to monitor network connections by address and/or port.

Not sure if this is what you are looking for.

Tom S

New Member

Re: NIDS Signatures for CSA?

Not quite what I'm looking for. I know I can do what you mentioned above, but I want to do something extra. For example, I want to monitor for WMF Buffer Overflows. I can't just monitor every JPG ever accessed, and even so I wouldn't get what IP triggered it. So I would like my user to be able to visit a web page, and perhaps on that web page is a bad image, and I would like to trigger an event based on the return traffic (the browser receiving the image that is trying to run the exploit) that tells me the image file name and site's IP address.


Re: NIDS Signatures for CSA?

You could create a rule that logs when a browser opens a WMF and triggers the buffer overflow rule. It would also depend on how the OS handles WMFs since it writes it to temp before rendering it.

I don't know if you could get the address.

Most systems would stop that exploit anyway if the AV or patch level stops it.

New Member

Re: NIDS Signatures for CSA?

It would be nice if you could link Rules (App rule + Network rule), or at the very least choose what level of information is logged instead of simply enabling flat logging of the event.

So there is a rule that actually detects Buffer Overflows? I'm going to have to pick that apart and see how it works...
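The linkage asked for in this thread (a file-monitor event tied to the network connection that delivered the file) can be done after the fact on exported host events even when the agent itself cannot join the two rules. The following is an added example, not code from the thread or from CSA, and it assumes a constructed pipe-delimited event format (`timestamp|host|kind|process|detail`): each browser open of a `.wmf` file is paired with the most recent connection the same process made on the same host within a short window, so the file name and the remote address appear together.

```python
from datetime import datetime, timedelta

# Constructed sample events (not real CSA output); the field layout is an
# assumption for this example: timestamp|host|kind|process|detail
SAMPLE_EVENTS = """\
2006-01-10 09:14:02|pc-17|net|iexplore.exe|203.0.113.45:80
2006-01-10 09:14:03|pc-17|file|iexplore.exe|C:\\Temp\\banner.wmf
2006-01-10 09:14:40|pc-17|net|iexplore.exe|198.51.100.9:80
2006-01-10 09:20:11|pc-17|file|winword.exe|C:\\Docs\\report.doc
2006-01-10 09:21:00|pc-22|file|iexplore.exe|C:\\Temp\\logo.wmf
"""

BROWSERS = {"iexplore.exe", "firefox.exe"}   # processes whose file opens we care about
WATCHED_EXT = (".wmf",)                      # file types the thread is worried about
WINDOW = timedelta(seconds=5)                # how far back to look for the delivering connection

def parse_events(text):
    """Turn the pipe-delimited lines into dicts with a real datetime."""
    events = []
    for line in text.splitlines():
        ts, host, kind, proc, detail = line.split("|", 4)
        events.append({"ts": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
                       "host": host, "kind": kind, "proc": proc.lower(),
                       "detail": detail})
    return events

def correlate(events, window=WINDOW):
    """Return (host, file, remote_ip) for each watched file a browser opened.

    remote_ip is None when no connection by that process on that host
    preceded the file open within the window (file came from cache, disk, etc.).
    """
    hits = []
    for ev in events:
        if ev["kind"] != "file" or ev["proc"] not in BROWSERS:
            continue
        if not ev["detail"].lower().endswith(WATCHED_EXT):
            continue
        # Candidate connections: same host, same process, shortly before the open.
        candidates = [n for n in events
                      if n["kind"] == "net" and n["host"] == ev["host"]
                      and n["proc"] == ev["proc"]
                      and timedelta(0) <= ev["ts"] - n["ts"] <= window]
        remote = None
        if candidates:
            latest = max(candidates, key=lambda n: n["ts"])
            remote = latest["detail"].rsplit(":", 1)[0]   # strip the port
        hits.append((ev["host"], ev["detail"], remote))
    return hits
```

A file open with no preceding connection in the window is still reported, with `None` for the address, so the gap is visible rather than silently dropped.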