
Multiple "content" fields in custom IPS signatures

Created: 23 Aug 2012 • Updated: 09 Feb 2013 | 3 comments
This issue has been solved.

I rely on the help built into SEPM and the tech docs here a lot; however, recently I've run into a lack of examples in a few places, the "here it is used in a real-world example" kind. Being a visual learner, I love to see an example after an explanation.

This brings up the topic I'm questioning today. I never really caught this before - maybe it's new, maybe I just missed it all these years, but I see in the custom IPS signatures that the content apparently can appear multiple times in a signature string, unlike the other sections such as dest, saddr and so on.

They say that "Arguments that are followed by an ellipsis may be repeated."
I can "guess", because if I key in on the word "argument" then it appears as if the word content, which is an argument, can appear more than one time. But should I interpret that help bit so literally?

It's great to see that it can appear multiple times. But what exactly does that mean, how should it be laid out?
Does that mean, for example ->

  • This - content="a-string", "B-string"
  • or This - content="a-string, b-string"
  • or This - content="a-string", content="b-string"

A simple single example, just one of the above to follow-up the statement "Arguments that are followed by an ellipsis may be repeated" to show what that means.
How should it be written?
If an argument can be used certain ways, please show us in a real example - in a full rule that most of us might be able to "get".
At this point, I have dozens of rules that could be condensed into maybe just a small handful if I knew how the 'content' argument can be used multiple times.
I see examples in some other places - the source for example - says source, then tells what it is, then gives an example of how to use it.

Comments (3)

.Brian:

content="a-string", content="b-string"

That's what I've seen work. I really wish there was more docs out there on custom IPS.

Please click the "Mark as solution" link at bottom left on the post that best answers your question. This will benefit admins looking for a solution to the same problem.

SOLUTION
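To make the difference between the three candidate layouts in the question concrete, here is an added example (not from this thread and not Symantec's own code): a small parser for the comma-separated key="value" argument list of a signature, plus a matcher that uses the parsed content strings. Assumptions: values are double-quoted, a comma inside quotes is literal, an unlabelled quoted value is an error, and `content` is the only repeatable argument (the help text says arguments followed by an ellipsis may be repeated). The matcher requires every content string to be present in the payload (Snort-style AND); that is an assumption, since the page does not state how SEP combines them. The sample payload is constructed.

```python
import re

# Added example, not code from the thread or from Symantec.
# Assumption: 'content' is the only argument that may be repeated.
REPEATABLE = {"content"}


def split_args(arg_string):
    """Split on commas that are not inside double quotes."""
    parts, buf, in_quote, i = [], [], False, 0
    while i < len(arg_string):
        ch = arg_string[i]
        if ch == "\\" and in_quote and i + 1 < len(arg_string):
            # keep an escaped character inside a quoted value as-is
            buf.append(ch)
            buf.append(arg_string[i + 1])
            i += 2
            continue
        if ch == '"':
            in_quote = not in_quote
        if ch == "," and not in_quote:
            parts.append("".join(buf).strip())
            buf = []
        else:
            buf.append(ch)
        i += 1
    if in_quote:
        raise ValueError("unterminated quoted value")
    parts.append("".join(buf).strip())
    return [p for p in parts if p]


def parse_args(arg_string):
    """Return {name: [value, ...]}.

    Raises ValueError for an unlabelled argument (a bare quoted string with
    no name= in front of it) or for repeating a non-repeatable argument.
    """
    parsed = {}
    for part in split_args(arg_string):
        name, sep, value = part.partition("=")
        name, value = name.strip(), value.strip()
        if not sep or not re.fullmatch(r"[A-Za-z_][A-Za-z0-9_]*", name):
            raise ValueError(f"unlabelled argument: {part!r}")
        if len(value) >= 2 and value[0] == value[-1] == '"':
            value = value[1:-1].replace('\\"', '"')
        if name in parsed and name not in REPEATABLE:
            raise ValueError(f"argument {name!r} may not be repeated")
        parsed.setdefault(name, []).append(value)
    return parsed


def content_values(arg_string):
    """Content strings a layout yields, or None if the layout is rejected."""
    try:
        return parse_args(arg_string).get("content", [])
    except ValueError:
        return None


def matches(arg_string, payload):
    """True if every content string occurs in the payload.

    Assumption: multiple content arguments are ANDed (as in Snort); the
    thread does not say how SEP combines them.
    """
    return all(c in payload for c in parse_args(arg_string).get("content", []))


if __name__ == "__main__":
    candidates = {
        "1": 'content="a-string", "B-string"',
        "2": 'content="a-string, b-string"',
        "3": 'content="a-string", content="b-string"',
    }
    for label, layout in candidates.items():
        print(label, layout, "->", content_values(layout))
    sample = "GET /ads/a-string/b-string.js HTTP/1.1"  # constructed payload
    print("layout 3 matches sample:", matches(candidates["3"], sample))
```

Layout 1 is rejected (the second value has no argument name), layout 2 is a single content string that happens to contain a comma, and only layout 3, the one Brian reports as working, produces two separate content strings.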
ShadowsPapa:

SEP's Custom IPS is one of the most under-utilized and most powerful features (besides application control, device control, firewall, standard IPS, AV and malware detection, etc.)

Because so many things are portable and can be changed daily, if not more often, IP address filtering doesn't work very well any more. However, if you have a string, you can filter on that.

We get alerts very nearly daily now on "web attacks", and I've found often it's the same attack found by multiple users - on different sites. It's often because of the bloody advertising these webmasters subscribe to.... so I can't block all these sites by address, I'd kill many legit sites, and miss threats that move to a different server or host the next day. But I can block the URL, or even specific files and pages. I can even kill the links to some of the worst offender advertising code.

Anyway, thanks for the tip - I'll give that a try, especially in cases where there's multiple strings for the same site or threat I need to manage.

.Brian:

Do you use regex in your signatures?

I'm working on IPS signatures to block generic file names in the event of an outbreak and struggling somewhat to get it to work....
