I am trying to convert these two Snort signatures into Cisco IDS sigs. Since this is my first time using the custom signature function, can someone help me out here, especially with the regular expression part?
Snort Sig 1.
alert tcp any any -> any any (msg:"Agobot/Phatbot Infection
Successful"; flow:established; content:"221 Goodbye, have a good
infection |3a 29 2e 0d 0a|"; dsize:40; classtype:trojan-activity;
Here is a translation of the regexes that should work:
content:"221 Goodbye, have a good infection |3a 29 2e 0d 0a|"
221 Goodbye,[ ]have a good[ ]infection[ ]\x3a\x29\x2e\x0d\x0a
Note: A word of caution about the ServicePorts parameters. Setting them to all TCP ports like the Snort signature is likely to cause a fairly negative performance impact on your sensor. One possible way to lessen the impact would be to use the ATOMIC.TCP engine instead of STRING.TCP. Just substitute the SinglePacketRegex parameter for RegexString, and set the following:
This causes a little less overhead in your signatures, but it is also going to cause a significant load on your sensor. It is best to limit the port range if you can.