IPS Custom Signature

Created: 04 Feb 2014 | 10 comments

Hi,

I'm trying to create a custom signature copied from Snort's ET and I always get an error.

The signature is as follows:

rule tcp, dest=$ANY, tcp_flag&ack, saddr=$LOCALHOST, msg="BHEK Landing URI Format", regexpcontent=".*\/[a-f0-9]{32}\/[a-z]+?\-[a-z]+?\.php\x0d\x0a"

I have 2 variables defined:

ANY (0.0.0.0/0)

LOCALHOST (127.0.0.0/8)

Can anyone help?

_Brian:

Set the dest variable to dest(0)

The full signature should be:

rule tcp, dest=(0), tcp_flag&ack, saddr=$LOCALHOST, msg="BHEK Landing URI Format", regexpcontent=".*\/[a-f0-9]{32}\/[a-z]+?\-[a-z]+?\.php\x0d\x0a"

Jorge Pinto:

I am still getting the error.

_Brian:

Interesting. I added it in my test box and applied the custom IPS signature without errors.

I do know that dest(0) is how it should be. The syntax that SEP uses is very close to Snort but not exact.

Rafeeq:

What's the error you are getting?

Jorge Pinto:

failed to apply a new IPS library . The client may not restart properly if it is stopped. Please see file debug.log for detailed information. Correct the error in the IPS library in the management server before restarting the client.

Jorge Pinto:

Hi,

The error is Category: 0,Smc,FATAL: failed to apply a new IPS library . The client may not restart properly if it is stopped. Please see file debug.log for detailed information. Correct the error in the IPS library in the management server before restarting the client.

I don't have debugging active.

Rafeeq:

Jorge, are you trying this from SEPM or from the SEP interface?

greg12:

$LOCALHOST is predefined. It's the address of the computer running the client. See the custom IPS online help in SEPM (Syntax for custom IPS signatures/IP protocol arguments). There may be a conflict with your own one.

According to this article, you have to put a wildcard (.*) before and after a regular expression.

So the signature should be:

rule tcp, dest=(0), tcp_flag&ack, saddr=$LOCALHOST, msg="BHEK Landing URI Format", regexpcontent=".*\/[a-f0-9]{32}\/[a-z]+?\-[a-z]+?\.php\x0d\x0a.*"

Keep in mind that this is case sensitive. Perhaps you have to change it to cover capitals too.

###EDIT

I don't think the "{32}" syntax is working. Of course it should work in every RE idiom, but the SEP incarnation is poor.
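Before pushing a regexpcontent pattern to clients, it is worth checking it offline against sample request lines. The following is an added Python example (not from this thread or from Symantec); it runs the pattern discussed above through a standard regex engine on constructed samples, shows the case-sensitivity point, and rewrites the `{32}` bound into explicit repeats for an engine without bounded-repetition support. It assumes SEP's matcher treats these constructs like a standard engine.

```python
import re

# The regexpcontent value from the thread, with the leading and trailing .* wildcards.
SEP_PATTERN = r".*\/[a-f0-9]{32}\/[a-z]+?\-[a-z]+?\.php\x0d\x0a.*"

# Constructed sample request lines (not real traffic), keyed by what each tests.
SAMPLES = {
    "lower_hex": "GET /0123456789abcdef0123456789abcdef/foo-bar.php\r\nHost: x\r\n",
    "upper_hex": "GET /0123456789ABCDEF0123456789ABCDEF/foo-bar.php\r\nHost: x\r\n",
    "short_hex": "GET /0123456789abcdef/foo-bar.php\r\nHost: x\r\n",
    "no_hyphen": "GET /0123456789abcdef0123456789abcdef/foobar.php\r\nHost: x\r\n",
}


def expand_bounded_repeat(pattern: str) -> str:
    """Rewrite a character class followed by {n} into n literal copies of the class.

    This is a workaround (assumed, not documented by SEP) for a matcher that does
    not honour bounded repetition; only the [...]{n} form is handled.
    """
    def repl(m: re.Match) -> str:
        return m.group(1) * int(m.group(2))
    return re.sub(r"(\[[^\]]+\])\{(\d+)\}", repl, pattern)


def matches(pattern: str, payload: str, ignore_case: bool = False) -> bool:
    """True if the pattern matches anywhere in the payload (DOTALL so .* spans CRLF)."""
    flags = re.DOTALL | (re.IGNORECASE if ignore_case else 0)
    return re.search(pattern, payload, flags) is not None


def evaluate(pattern: str, ignore_case: bool = False) -> dict:
    """Run the pattern over every sample and report which ones it flags."""
    return {name: matches(pattern, payload, ignore_case) for name, payload in SAMPLES.items()}


if __name__ == "__main__":
    print("case-sensitive:  ", evaluate(SEP_PATTERN))
    print("case-insensitive:", evaluate(SEP_PATTERN, ignore_case=True))
    print("expanded pattern:", expand_bounded_repeat(SEP_PATTERN))
```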

SameerU:

Hi

Please refer to the article below and let me know if this helps

http://www.symantec.com/business/support/index?pag...

Regards

_Brian:

Have you gotten this working?