About custom IPS signatures

Article:HOWTO18308  |  Created: 2009-01-03  |  Updated: 2009-01-17  |  Article URL http://www.symantec.com/docs/HOWTO18308
Article Type: How To

The client contains an additional IPS engine that supports packet-based signatures. Both the stream-based and the packet-based engine detect signatures in network data for attacks against the TCP/IP stack, operating system components, and the application layer. Packet-based signatures, however, can detect attacks against the TCP/IP stack earlier than stream-based signatures can.

The packet-based IPS engine is more limited than the stream-based engine: it scans the payload of a single packet only and does not buffer partial matches, so it cannot detect a signature that spans multiple packets.

Packet-based signatures examine a single packet that matches a rule. The rule is based on criteria such as port, protocol, source or destination IP address, TCP flag number, or application. For example, a custom signature can monitor incoming packets for the string “phf” in GET /cgi-bin/phf? as an indicator of a CGI program attack. Each packet is evaluated for that specific pattern. If the packet matches the rule, the client allows or blocks the packet and optionally logs the event in the Packet Log.

A custom IPS signature includes the following parts:

  • Descriptive name

    The name and the description appear in the Security Log and optionally in the Packet Log.

  • Optional description

  • Severity

    Provides a level of severity for the event in the Security Log if the event triggers the signature.

  • Traffic direction

  • Content

    The content is the signature itself, written in the following standard syntax:

    rule protocol-type, [protocol-options,] [ip-protocol options,] msg, content...

    • rule protocol-type, [protocol-options,] [ip-protocol options,] = The traffic description: the protocol, and the protocol and IP options, that a packet must match.

    • msg = The text string that appears in the Security Log when the signature triggers.

    • content = The string that is matched against the payload of the packet.

  • Optional application

    Optionally, you can provide the application name that triggers the signature. The IPS engine can then match the signature for only the specified applications instead of all applications. By providing the application name, you can also help reduce the false positives that other applications may generate.

  • Action to be taken when the event triggers the signature.

    When a signature triggers, the traffic is allowed or blocked and the action is logged in the Security Log. Block the traffic if the severity is high; allow it if you only want to monitor the traffic. You can optionally write the event to the Packet Log, which contains a packet dump of the transaction.

Signatures can cause false positives because they are often based on regular expressions and string matches; custom signatures use both kinds of criteria to look for strings when matching a packet.
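As an added example (not code from this article or from the Symantec product), the following Python sketch parses a signature written in the syntax above and evaluates it the way the packet-based engine does, one packet at a time, so the same request split across two packets is not detected. The dest=(port) option token, the Packet fields, and the sample traffic are constructed assumptions for illustration.

```python
import re
from dataclasses import dataclass

@dataclass
class Packet:
    protocol: str
    dest_port: int
    payload: bytes

def parse_signature(text):
    """Parse a 'rule <proto>, dest=(port), msg=..., content=...' signature into a dict.
    The dest=(port) option token is assumed for illustration."""
    head, _, rest = text.partition(",")
    keyword, protocol = head.split()
    if keyword != "rule":
        raise ValueError('signature must begin with "rule"')
    sig = {"protocol": protocol.lower(), "dest": None, "msg": "", "content": b""}
    for key, value in re.findall(r'(\w+)=(\([^)]*\)|"[^"]*")', rest):
        if value.startswith("("):            # port list such as (80,8080)
            sig[key] = {int(p) for p in value[1:-1].split(",") if p.strip()}
        elif key == "content":               # matched as raw bytes in the payload
            sig[key] = value[1:-1].encode()
        else:                                # msg and other quoted strings
            sig[key] = value[1:-1]
    if not sig["content"]:
        raise ValueError("signature needs a content string")
    return sig

def match_packet(sig, pkt):
    """Evaluate ONE packet against the rule; return the msg on a hit, else None.
    Only this packet's payload is examined; nothing is buffered across packets."""
    if pkt.protocol.lower() != sig["protocol"]:
        return None
    if sig["dest"] is not None and pkt.dest_port not in sig["dest"]:
        return None
    return sig["msg"] if sig["content"] in pkt.payload else None

def scan(sig, packets):
    """Return (index, msg) for every packet that matched on its own."""
    return [(i, m) for i, p in enumerate(packets)
            if (m := match_packet(sig, p)) is not None]

# Constructed signature in the page's "rule protocol-type, options, msg, content" shape,
# and constructed traffic: the request in one packet, the same request split across
# two packets, and the same request to a port the rule does not cover.
SIGNATURE = 'rule tcp, dest=(80), msg="CGI phf probe", content="GET /cgi-bin/phf?"'
SINGLE = [Packet("tcp", 80, b"GET /cgi-bin/phf?name=x HTTP/1.0\r\n")]
SPLIT = [Packet("tcp", 80, b"GET /cgi-bin/"), Packet("tcp", 80, b"phf?name=x HTTP/1.0\r\n")]
OTHER_PORT = [Packet("tcp", 8080, b"GET /cgi-bin/phf?name=x HTTP/1.0\r\n")]
```

The empty result for SPLIT is the limitation the article describes: a stream-based signature would reassemble the two segments, while the packet-based engine never sees the full string.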

The client does not include any custom signatures by default; you create them yourself.

See Creating custom IPS signatures.
