
Custom IPS Signature

Created: 21 Mar 2013 • Updated: 25 Mar 2013 | 5 comments
diabolicus23's picture
This issue has been solved. See solution.

I'd like to create a custom IPS signature that permits me to know which process tries to open a connection to an IP on one port.

Is it possible to do this with custom IPS Signature?

Which is the syntax to use?


5 Comments

Mithun Sanghavi's picture


I don't think that is possible with custom IPS Signature.

The IPS signatures are packet-based.

Unlike Symantec signatures, custom signatures scan single packet payloads only. However, custom signatures can detect attacks in the TCP/IP stack earlier than the Symantec signatures.

Packet-based signatures examine a single packet that matches a rule. The rule is based on various criteria, such as port, protocol, source or destination IP address, TCP flag number, or an application. For example, a custom signature can monitor the packets of information that are received for the string "phf" in GET / cgi-bin/phf? as an indicator of a CGI program attack. Each packet is evaluated for that specific pattern. If the packet of traffic matches the rule, the client allows or blocks the packet.

You can specify whether or not Symantec Endpoint Protection logs a detection from custom signatures in the Packet log.

Check these Articles:

About custom IPS signatures

Creating custom IPS signatures

Managing custom intrusion prevention signatures

Defining variables for custom IPS signatures

Changing the order of custom IPS signatures

Testing custom IPS signatures

Adding signatures to a custom IPS library

Hope that helps!!

Mithun Sanghavi
Associate Security Architect


Don't forget to mark your thread as 'SOLVED' with the answer that best helped you.
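To make the packet-based point above concrete, here is an added example (not Symantec code and not from this thread) that models a custom signature as "header criteria plus a content match within one payload". The `Packet`, `Signature` and `scan` names, the packet fields and the sample traffic are all constructed for the example. It shows two consequences of single-packet matching: the `GET /cgi-bin/phf?` string is detected when it sits in one payload but missed when it is split across two packets, and nothing in what the signature sees identifies the sending process.

```python
"""
Added example, not from the original thread or from Symantec.
Minimal model of packet-based IPS signature matching: each packet is
evaluated on its own, so a pattern must be fully inside one payload.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    # Constructed fields. Note there is no process/application field:
    # a packet inspector only sees headers and payload.
    src: str
    dst: str
    dport: int
    payload: bytes


@dataclass(frozen=True)
class Signature:
    name: str
    dport: int       # match only packets sent to this destination port
    content: bytes   # byte string that must appear inside ONE payload


def match_packet(sig: Signature, pkt: Packet) -> bool:
    """Packet-based rule: header criteria AND content within this single payload."""
    return pkt.dport == sig.dport and sig.content in pkt.payload


def scan(sigs, packets):
    """Return (signature name, packet index) for every single-packet hit.

    Deliberately stateless across packets, like the custom signatures
    described in the post: no stream reassembly is performed.
    """
    hits = []
    for i, pkt in enumerate(packets):
        for sig in sigs:
            if match_packet(sig, pkt):
                hits.append((sig.name, i))
    return hits


# Constructed signature, using the "phf" CGI example from the post.
PHF_SIG = Signature("phf CGI probe", 80, b"GET /cgi-bin/phf?")

# Constructed traffic (addresses from the documentation range 192.0.2.0/24).
WHOLE = [
    Packet("10.0.0.5", "192.0.2.10", 80, b"GET /cgi-bin/phf?Qalias=x HTTP/1.0\r\n"),
]
# Same request, but the pattern straddles two packets: no single payload matches.
SPLIT = [
    Packet("10.0.0.5", "192.0.2.10", 80, b"GET /cgi-bin/"),
    Packet("10.0.0.5", "192.0.2.10", 80, b"phf?Qalias=x HTTP/1.0\r\n"),
]
# Same payload to a different port: the header criterion fails.
OTHER_PORT = [
    Packet("10.0.0.5", "192.0.2.10", 8080, b"GET /cgi-bin/phf?Qalias=x HTTP/1.0\r\n"),
]


if __name__ == "__main__":
    print("whole packet :", scan([PHF_SIG], WHOLE))
    print("split packets:", scan([PHF_SIG], SPLIT))
    print("other port   :", scan([PHF_SIG], OTHER_PORT))
```

The split-packet case is why the post notes that custom signatures scan single packet payloads only; the missing process field is why the original question cannot be answered at this layer, which is what the later replies move to the firewall component for.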

Brɨan's picture

You would be able to monitor the port it tries to open but I don't believe you can get the process to show. IPS watches network traffic (packets) so I think this is beyond the scope. You should be able to get port usage though.

All Custom IPS syntax is in the Install and Admin guide starting on page 1121 Appendix E

It is the best resource you will likely find. It is very detailed. I've attached it

Installation_and_Administration_Guide_SEP12.1.2.pdf 10.11 MB

Please click the "Mark as solution" link at bottom left on the post that best answers your question. This will benefit admins looking for a solution to the same problem.

diabolicus23's picture

Maybe the firewall is the component that could help me find this kind of info...

Brɨan's picture


If you know the exact app/port, you could create a rule to log its traffic.

If you don't, you could create a Log all Apps rule and filter out what you're looking for.

Please click the "Mark as solution" link at bottom left on the post that best answers your question. This will benefit admins looking for a solution to the same problem.
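Once a log-all-applications firewall rule has produced traffic records, the remaining step is the filtering the reply describes. The following is an added example (not Symantec code and not from this thread) that filters an exported traffic log down to one remote IP and port and lists the application behind each connection. The CSV column names and the sample rows are constructed for the example; a real export's columns would need to be mapped to these names first.

```python
"""
Added example, not from the original thread or from Symantec.
Filter firewall traffic-log records for connections to one remote IP:port
and report which application opened each of them.
"""
import csv
import io

# Constructed CSV export. The column layout is an assumption for this
# example, not a documented Symantec log format.
SAMPLE_LOG = r"""time,action,direction,protocol,local_ip,local_port,remote_ip,remote_port,application
2013-03-21 10:01:02,Allowed,Outgoing,TCP,10.0.0.5,49152,192.0.2.10,443,C:\Program Files\Browser\browser.exe
2013-03-21 10:01:05,Allowed,Outgoing,TCP,10.0.0.5,49153,192.0.2.10,443,C:\Users\u\AppData\Local\Temp\updater.exe
2013-03-21 10:01:09,Allowed,Outgoing,TCP,10.0.0.5,49154,198.51.100.7,443,C:\Program Files\Browser\browser.exe
2013-03-21 10:01:12,Allowed,Outgoing,UDP,10.0.0.5,53001,192.0.2.10,443,C:\Windows\System32\svchost.exe
"""


def records_to(log_text, remote_ip, remote_port, protocol="TCP", direction="Outgoing"):
    """Return the log rows (as dicts) for connections to remote_ip:remote_port.

    Protocol and direction are matched too, so a UDP datagram to the same
    port or an inbound connection from that host is not mixed in.
    """
    reader = csv.DictReader(io.StringIO(log_text))
    return [
        row for row in reader
        if row["remote_ip"] == remote_ip
        and int(row["remote_port"]) == int(remote_port)
        and row["protocol"].upper() == protocol.upper()
        and row["direction"] == direction
    ]


def applications_to(log_text, remote_ip, remote_port, **kw):
    """Sorted, de-duplicated list of application paths seen connecting there."""
    return sorted({row["application"] for row in records_to(log_text, remote_ip, remote_port, **kw)})


if __name__ == "__main__":
    for row in records_to(SAMPLE_LOG, "192.0.2.10", 443):
        print(row["time"], row["application"])
    print(applications_to(SAMPLE_LOG, "192.0.2.10", 443))
```

Filtering on protocol and direction as well as IP and port is the practical detail: the question is which local process initiated the connection, so inbound records and other protocols to the same port are noise here.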

diabolicus23's picture

Mission accomplished!

Firewall component helped me to find what I was looking for.