About custom IPS signatures
Article: HOWTO18308 | Created: 2009-01-03 | Updated: 2009-01-17 | Article URL: http://www.symantec.com/docs/HOWTO18308
The client contains an additional IPS engine that supports packet-based signatures. Both the stream-based and packet-based engines detect signatures in the network data that attack the TCP/IP stack, operating system components, and the application layer. But packet-based signatures can detect attacks in the TCP/IP stack earlier than stream-based signatures.
The packet-based engine does not detect signatures that span multiple packets: it scans each packet payload on its own and does not buffer partial matches from one packet to the next.
Packet-based signatures examine a single packet that matches a rule. The rule is based on various criteria, such as port, protocol, source or destination IP address, TCP flag number, or an application. For example, a custom signature can monitor received packets for the string “phf” in GET /cgi-bin/phf? as an indicator of a CGI program attack. Each packet is evaluated for that specific pattern. If the packet matches the rule, the client allows or blocks the packet and optionally logs the event in the Packet log.
A custom IPS signature includes the following parts:
rule protocol-type, [protocol-options,] [ip-protocol options,] msg, content...
Optionally, you can provide the application name that triggers the signature. The IPS engine can then match the signature for only the specified applications instead of all applications. By providing the application name, you can also help reduce the false positives that other applications may generate.
When a signature is triggered, the traffic is allowed or blocked and this action is logged in the Security Log. You should block the traffic if the severity is high. Allow the traffic if you only want to monitor it. You can optionally write the event to the Packet Log. The Packet Log contains a packet dump of the transaction.
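The following is an added illustration, not code from Symantec or this article, of how a packet-based engine evaluates the phf rule above one packet at a time. The rule and packet structures are simplified models written for this example (the real signature syntax is the one shown in the article); the packets are constructed sample data. It shows the caveat from the article: the same request split across two segments is missed because no partial match is carried between packets, while a stream-based check over the reassembled data still finds it.

```python
from dataclasses import dataclass
from typing import List, Tuple

@dataclass
class Packet:
    proto: str        # "tcp" or "udp"
    dst_port: int
    payload: bytes

@dataclass
class Signature:
    proto: str
    dst_port: int
    content: bytes
    msg: str
    action: str = "block"   # "block" for high severity, "allow" to monitor only

def match_packet(sig: Signature, pkt: Packet) -> bool:
    """Packet-based check: every rule criterion is tested against this one packet only."""
    return (pkt.proto == sig.proto
            and pkt.dst_port == sig.dst_port
            and sig.content in pkt.payload)

def packet_engine(sig: Signature, packets: List[Packet]) -> List[Tuple[int, str, str]]:
    """Evaluate each packet independently; nothing is buffered across packets."""
    events = []
    for index, pkt in enumerate(packets):
        if match_packet(sig, pkt):
            events.append((index, sig.action, sig.msg))   # what would go to the Security Log
    return events

def stream_engine(sig: Signature, packets: List[Packet]) -> bool:
    """Stream-based contrast: search the reassembled payload of the matching flow."""
    data = b"".join(p.payload for p in packets
                    if p.proto == sig.proto and p.dst_port == sig.dst_port)
    return sig.content in data

# Hypothetical rule modelled on the article's phf example
PHF_RULE = Signature("tcp", 80, b"GET /cgi-bin/phf?", "CGI phf probe", "block")

# Constructed sample: the request arrives in a single packet
ONE_PACKET = [Packet("tcp", 80, b"GET /cgi-bin/phf?Qalias=x HTTP/1.0\r\n\r\n")]

# Constructed sample: the same request split across two TCP segments
SPLIT_PACKETS = [Packet("tcp", 80, b"GET /cgi-"),
                 Packet("tcp", 80, b"bin/phf?Qalias=x HTTP/1.0\r\n\r\n")]

if __name__ == "__main__":
    print(packet_engine(PHF_RULE, ONE_PACKET), packet_engine(PHF_RULE, SPLIT_PACKETS))
    print(stream_engine(PHF_RULE, ONE_PACKET), stream_engine(PHF_RULE, SPLIT_PACKETS))
```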