
Custom IPS Signature

Created: 21 Mar 2013 • Updated: 25 Mar 2013 | 5 comments
diabolicus23
This issue has been solved. See solution.

I'd like to create a custom IPS Signature that lets me know which process tries to open a connection to an IP on one port.

Is it possible to do this with custom IPS Signature?

What is the syntax to use?

Thanks!

Comments (5)

Mithun Sanghavi

Hello,

I don't think that is possible with custom IPS Signature.

The IPS signatures are packet-based.

Unlike Symantec signatures, custom signatures scan single packet payloads only. However, custom signatures can detect attacks in the TCP/IP stack earlier than the Symantec signatures.

Packet-based signatures examine a single packet that matches a rule. The rule is based on various criteria, such as port, protocol, source or destination IP address, TCP flag number, or an application. For example, a custom signature can monitor the packets of information that are received for the string "phf" in GET /cgi-bin/phf? as an indicator of a CGI program attack. Each packet is evaluated for that specific pattern. If the packet of traffic matches the rule, the client allows or blocks the packet.

You can specify whether or not Symantec Endpoint Protection logs a detection from custom signatures in the Packet log.

Check these Articles:

About custom IPS signatures

http://www.symantec.com/docs/HOWTO80930

Creating custom IPS signatures

http://www.symantec.com/docs/HOWTO27083

Managing custom intrusion prevention signatures

http://www.symantec.com/docs/HOWTO55161

Defining variables for custom IPS signatures

http://www.symantec.com/docs/HOWTO55453

Changing the order of custom IPS signatures

http://www.symantec.com/docs/HOWTO55464

Testing custom IPS signatures

http://www.symantec.com/docs/HOWTO55177

Adding signatures to a custom IPS library

http://www.symantec.com/docs/HOWTO55170

Hope that helps!!

Mithun Sanghavi
Senior Consultant
MIM | MCSA | MCTS | STS | SSE | SSE+ | ITIL v3

Don't forget to mark your thread as 'SOLVED' with the answer that best helped you.

_Brian

You would be able to monitor the port it tries to open but I don't believe you can get the process to show. IPS watches network traffic (packets) so I think this is beyond the scope. You should be able to get port usage though.

All Custom IPS syntax is in the Install and Admin guide, starting on page 1121 (Appendix E).

It is the best resource you will likely find. It is very detailed. I've attached it.

Attachment: Installation_and_Administration_Guide_SEP12.1.2.pdf (10.11 MB)
diabolicus23

Maybe the firewall is the component that could help me find this kind of info...

_Brian

Absolutely.

If you know the exact app/port, you could create a rule to log its traffic.

If you don't, you could create a Log all Apps rule and filter out what you're looking for.

SOLUTION
diabolicus23

Mission accomplished!

The firewall component helped me find what I was looking for.

Thanks!