Symantec Protection Suites

  • 1.  Multiple "content" fields in custom IPS signatures

    Posted Aug 23, 2012 09:38 AM

     I rely on the help built-in to SEPM and the tech docs here a lot, however, recently I've run into a few places lacking examples - the "here it is used in a real-world example". Being a visual learner, I love to see an example after an explanation.

    This brings up the topic I'm questioning today. I never really caught this before - maybe it's new, maybe I just missed it all these years, but I see in the custom IPS signatures that the content apparently can appear multiple times in a signature string, unlike the other sections such as dest, saddr and so on.

    They say that "Arguments that are followed by an ellipsis may be repeated."
    I can "guess" because if I key in on the word "argument" then it appears as if the word content, which is an argument, can appear more than one time. But should I interpret that help bit so literally?

    It's great to see that it can appear multiple times. But what exactly does that mean, how should it be laid out?
    Does that mean, for example ->

    • This - content="a-string", "B-string"
    • or This - content="a-string, b-string"
    • or This - content="a-string", content="b-string"

    A simple single example, just one of the above to follow-up the statement "Arguments that are followed by an ellipsis may be repeated" to show what that means.
    How should it be written?
    If an argument can be used certain ways, please show us in a real example - in a full rule that most of us might be able to "get".
    At this point, I have dozens of rules that could be condensed into maybe just a small handful if I knew how the 'content' argument can be used multiple times.
    I see examples in some other places - the source for example - says source, then tells what it is, then gives an example of how to use it.



  • 2.  RE: Multiple "content" fields in custom IPS signatures
    Best Answer

    Posted Oct 30, 2012 10:06 AM

    content="a-string", content="b-string"

    That's what I've seen work. I really wish there was more docs out there on custom IPS.
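To make the difference between the three layouts from the question concrete, here is an added illustration (not SEP's own signature parser, and not code from anyone in this thread): a small hypothetical argument-list parser that splits on top-level commas and lets a repeated `content=` argument accumulate instead of overwriting the earlier value.

```python
from typing import List, Optional, Tuple

# Hypothetical helper, not SEP's parser: split a signature argument list on
# commas that are NOT inside double quotes, so a comma within a quoted
# string stays part of that one value.
def split_args(arg_text: str) -> List[str]:
    parts, buf, in_quote = [], [], False
    for ch in arg_text:
        if ch == '"':
            in_quote = not in_quote
        if ch == "," and not in_quote:
            parts.append("".join(buf).strip())
            buf = []
        else:
            buf.append(ch)
    if buf:
        parts.append("".join(buf).strip())
    return parts

# Turn each "key=value" piece into a (key, value) pair; repeated keys are kept
# in order rather than collapsed, which is what "may be repeated" implies.
def parse_args(arg_text: str) -> List[Tuple[str, str]]:
    pairs = []
    for part in split_args(arg_text):
        if "=" not in part:
            raise ValueError(f"bare value without an argument name: {part!r}")
        key, value = part.split("=", 1)
        value = value.strip()
        if len(value) >= 2 and value[0] == value[-1] == '"':
            value = value[1:-1]
        pairs.append((key.strip(), value))
    return pairs

# All values given for the content argument, or None when the layout is not a
# well-formed key=value list (e.g. a second quoted string with no key).
def content_strings(arg_text: str) -> Optional[List[str]]:
    try:
        return [v for k, v in parse_args(arg_text) if k == "content"]
    except ValueError:
        return None

if __name__ == "__main__":
    # The three candidate layouts from the original question.
    for layout in ('content="a-string", "B-string"',
                   'content="a-string, b-string"',
                   'content="a-string", content="b-string"'):
        print(f"{layout:45} -> {content_strings(layout)}")
```

Only the third layout yields two separate content values; the second is a single value that happens to contain a comma, and the first has a second string with no argument name at all.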



  • 3.  RE: Multiple "content" fields in custom IPS signatures

    Posted Oct 31, 2012 10:16 AM

    SEP's Custom IPS is one of the most under-utilized and most powerful features (besides application control, device control, firewall, standard IPS, AV and malware detection, etc.)

    Because so many things are portable - can be changed daily if not more often, IP address filtering doesn't work very well any more. However, if you have a string, you can filter on that.

    We get alerts very nearly daily now on "web attacks", and I've found often it's the same attack found by multiple users - on different sites. It's often because of the bloody advertising these webmasters subscribe to.... so I can't block all these sites by address, I'd kill many legit sites, and miss threats that move to a different server or host the next day. But I can block the URL, or even specific files and pages. I can even kill the links to some of the worst offender advertising code.

    Anyway, thanks for the tip - I'll give that a try, especially in cases where there's multiple strings for the same site or threat I need to manage.



  • 4.  RE: Multiple "content" fields in custom IPS signatures

    Posted Nov 01, 2012 11:11 AM

    Do you use regex in your signatures?

    I'm working on IPS signatures to block generic file names in the event of an outbreak and struggling somewhat to get it to work....