Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

 
 

Create a Custom IPS Signature

You are here: Security Services > IPS > Signatures.

Create custom attack objects to detect a known or unknown attack for protecting your network.

To create a custom IPS signature:

  1. Click the CUSTOM tab.
  2. Click Create > Custom on the upper-right corner of the Custom Signatures page.
    The Create Custom Attack page appears.
  3. Complete the configuration according to the guidelines provided from Table 1 to Table 4.
  4. Click OK to save the changes. If you want to discard your changes, click Cancel.

    You are returned to the Custom Signatures page and displays the custom signatures that you successfully created.

Table 1: Fields on the IPS Signatures Page—Create Custom
Field Action

General

Name

Enter the name of the custom attack object. 250-character maximum.

Description

Enter a description for the custom attack object.

Recommended action

Select an action from the list to perform when the device detects an attack:

  • None—No action is taken. Use this action to only generate logs for some traffic.

  • Close—Reset the client and the server.

  • Close client—Closes the connection and sends an RST packet to the client but not to the server.

  • Close server—Closes the connection and sends an RST packet to the server but not to the client.

  • Drop—Drops all packets associated with the connection, preventing traffic for the connection from reaching its destination. Use this action to drop connections for traffic that is not prone to spoofing.

  • Drop packet—Drops a matching packet before it can reach its destination but does not close the connection. Use this action to drop packets for attacks in traffic that is prone to spoofing, such as UDP traffic. Dropping a connection for such traffic could result in a denial of service that prevents you from receiving traffic from a legitimate source-IP address.

  • Ignore—Stops scanning traffic for the rest of the connection if an attack match is found. IPS disables the rulebase for the specific connection.

Severity

Select a severity from the list that matches the attack object severity on your network:

  • Critical—Contains attack objects matching exploits that attempt to evade detection, cause a network device to crash, or gain system-level privileges.

  • Info—Contains attack objects that matches the following parameters:

    • Normal and harmless traffic containing URLs

    • DNS lookup failures

    • SNMP public community strings

    • Peer-to-Peer (P2P)

  • Major—Contains attack objects that matches the exploits that attempt to:

    • Disrupt a service.

    • Gain user-level access to a network device.

    • Activate a Trojan horse previously loaded on a device.

  • Minor—Contains attack objects that matches the exploits that detect reconnaissance efforts attempting to access vital informational through directory traversal or information leaks.

  • Warning—Contains attack objects that matches the exploits that attempt to obtain noncritical information or scan a network with a scanning tool.

Detection Filter

Time count

Set the number of times that the attack object must detect an attack within the specified scope. The detection occurs before the device determines if or not the attack object matches the attack.

Range: 0 through 4,294,967,295

Time scope

Select the scope from the list within which the count occurs:

  • None—No action is taken. Use this option when you only want to generate logs for some traffic.

  • Destination—Detects the signature in traffic from the destination IP address for the specified number of times, regardless of the source IP address.

  • Session—Detects the signature in traffic between source and destination IP addresses of the sessions for the specified number of times.

  • Source—Detects the signature in traffic from the source IP address for the specified number of times, regardless of the destination IP address.

Time interval

Enter the maximum time interval between any two instances of a time-binding custom attack.

Supported format is MMm-SSs.

Range: 0 minutes and 0 seconds to 60 minutes and 0 seconds.

Signature

Attack type

Select one of the following attack type from the list:

  • Signature—IPS uses stateful signatures to detect attacks. Using stateful signatures, IPS look for the specific protocol or service that was used to carry out the attack. For fields description, see Table 2.

  • Anomaly—Protocol anomaly attack objects detect abnormal or ambiguous messages within a connection using the protocol's set of rules. For fields description, see Table 3.

  • Chain—Chain attack object combines multiple signatures and/or protocol anomalies into a single object. Traffic must match all of the combined signatures and/or protocol anomalies to match the chain attack object. For fields description, see Table 4.

Table 2: Fields on the Attack Type—Signature
Field Action

Attack type

Signature—IPS uses stateful signatures to detect attacks. Using stateful signatures, IPS look for the specific protocol or service that was used to carry out the attack.

Context

Select an attack context from the list which defines the location of the signature where IPS should look for the attack in a specific Application Layer protocol.

Protocol binding

Select a protocol from the list that the attack uses to enter your network.

Application

Select an application from the list under which the attack must match.

Note:

This option is available only when protocol binding type is Application.

Protocol number

Set the transport layer protocol number which allows IPS to match the attack to it.

Range: 0 through 139

Note:

This option is available only when protocol binding type is IP and IPv6.

Program number

Set the remote procedure call (RPC) program number which allows to match the attack to it.

Note:

This option is available only when protocol binding type is RPC.

Minimum port

Set the minimum port in the port range.

Range: 0 through 65,535

Note:

This option is available only when protocol binding type is TCP.

Maximum port

Set the maximum port in the port range.

Range: 0 through 65,535

Note:

This option is available only when protocol binding type is TCP.

Direction

Select the traffic direction from the list for which the attack is detected:

  • Client to Server—Detects the attack only in client-to-server traffic.

  • Server to Client—Detects the attack only in server-to-client traffic.

  • Any Direction—Detects the attack in either direction.

Content

DFA pattern

Enter the signature pattern in deterministic finite automation (DFA) format.

For example:

When you use the syntax: \[hello\], pattern is hello and it is case insensitive.

Example matches for the syntax are hElLo, HEllO, and heLLO.

PCRE pattern

Enter the signature pattern in standard Perl Compatible Regular Expression (PCRE) format.

Example syntax: Sea[ln], pattern is Seal and it is case insensitive.

Example matches for the syntax are Seal, Seam, and Sean

Depth

Allows you to specify the depth in a packet to search for the given pattern. The depth is not relative. For example, you can specify a value for depth as 100.

Variable

Enter the depth variable name.

Value

Set the depth value to be used.

Range: 1 through 65535

Offset

Allows you to specify where to start searching for a pattern within a packet. Offset is not relative. For example, you can specify a value for depth as 100.

Variable

Enter the offset variable name.

Value

Set the offset value to be used.

Range: 1 through 65535

Is data at

Enable this option to allow you to verify that the payload has data at a specified location.

Negate

Enable this option to negate the result of Is data at.

Relate

Enable this option to use an offset relative to last pattern match.

Offset

Allows you to specify where to start searching for a pattern within a packet. Offset is not relative. For example, you can specify a value for depth as 100.

Variable

Enter the offset variable name.

Value

Set the offset value to be used.

Range: 1 through 65535

Table 3: Fields on the Attack Type—Anomaly
Field Action

Attack type

Anomaly—Protocol anomaly attack objects detect abnormal or ambiguous messages within a connection using the protocol's set of rules.

Service

Select a service from the list. Service is a protocol whose anomaly is defined in the attack. Example: IP, TCP, and ICMP.

Test anomaly

Select a protocol anomaly test condition from the list to be checked.

Direction

Select a traffic direction from the list for which the attack is detected:

  • Any Direction—Detects the attack in either direction.

  • Client to Server—Detects the attack only in client-to-server traffic.

  • Server to Client—Detects the attack only in server-to-client traffic.

Table 4: Fields on the Attack Type—Chain
Field Action

Attack type

Chain—Chain attack object combines multiple signatures and/or protocol anomalies into a single object. Traffic must match all of the combined signatures and/or protocol anomalies to match the chain attack object.

Protocol binding

Select a protocol from the list that the attack uses to enter your network.

Application

Select an application under which the attack must match.

Note:

This option is available only when protocol binding type is Application.

Protocol Number

Set the transport layer protocol number which allows IPS to match the attack to it.

Range: 0 through 139

Note:

This option is available only when protocol binding type is IP and IPv6.

Program Number

Set the remote procedure call (RPC) program number which allows to match the attack to it.

Note:

This option is available only when protocol binding type is RCP.

Minimum Port

Set the minimum port in the port range.

Range: 0 through 65,535

Note:

This option is available only when protocol binding type is TCP.

Maximum Port

Set the maximum port in the port range.

Range: 0 through 65,535

Note:

This option is available only when protocol binding type is TCP.

Chain order expressions

Select a Boolean expression that defines the condition for the individual members of a chain attack that will decide if the chain attack is hit:

  • AND—If both of the member name patterns match, the expression matches. The order of the members does not matter.

  • OR—If either of the member name patterns match, the expression matches.

  • OAND—If both of the member name patterns match, and if they appear in the same order as in the Boolean Expression, the expression matches.

Customized ordering

Enable this option to create a compound attack object that must match each member signature or protocol anomaly in the order you specify. If you do not specify an ordered match, the compound attack object still must match all members, but the attacks or protocol anomalies can appear in random order.

Reset

Enable this option if the compound attack should be matched more than once within a single session or transaction.

Scope

Select one of the following scopes:

  • session—Allows multiple matches for the object within the same session.

  • transaction—Matches the object across multiple transactions that occur within the same session.

Add signatures

Edit (pencil icon)

Select an existing signature that you want to edit. Click the edit (pencil) icon, make the required changes, and click OK.

Delete (trash can icon)

Select an existing signature that you want to delete. Click the delete (trash can) icon and click Yes.

+

Click + to add one or more signature attack objects that use a stateful attack signature (a pattern that always exists within a specific section of the attack) to detect known attacks.

Signature No

Displays the system-generated signature number. You cannot modify this field.

Context

Select the attack context from the list which defines the location of the signature where IPS should look for the attack in a specific Application Layer protocol.

Direction

Select a traffic direction from the list for which the attack is detected:

  • Any Direction—Detects the attack in either direction.

  • Client to Server—Detects the attack only in client-to-server traffic.

  • Server to Client—Detects the attack only in server-to-client traffic.

Content

DFA pattern

Enter the signature pattern in deterministic finite automation (DFA) format.

Example syntax: \[hello\], pattern is hello and it is case insensitive.

Example matches for the syntax are hElLo, HEllO, and heLLO.

PCRE pattern

Enter the signature pattern in standard Perl Compatible Regular Expression (PCRE) format.

Example syntax: Sea[ln], pattern is Seal and it is Unicode insensitive.

Example matches to the syntax Seal, Seam, and Sean

Depth

Allows you to specify the depth in a packet to search for the given pattern. The depth is not relative. For example, you can specify a value for depth as 100.

Variable

Enter the depth variable name.

Value

Set the depth value to be used.

Range: 1 through 65535

Distance

Allows you to specify how much of the packet data should the IPS engine ignore before it begins searching for the specified pattern relative to the end of the previous pattern match.

Variable

Enter the distance variable name.

Value

Set the match value to be used. This is always relative to previous match.

Offset

Allows you to specify where to start searching for a pattern within a packet. Offset is not relative. For example, you can specify a value for depth as 100.

Variable

Enter the offset variable name.

Value

Set the offset value to be used.

Range: 1 through 65535

Is data at

Enable this option to allow you to verify that the payload has data at a specified location.

Negate

Enable this option to negate the result of Is data at.

Relate

Enable this option to use an offset relative to last pattern match.

Offset

Allows you to specify where to start searching for a pattern within a packet. Offset is not relative. For example, you can specify a value for depth as 100.

Variable

Enter the offset variable name.

Value

Set the offset value to be used.

Range: 1 through 65535

Within

Allows you to specify that there are maximum N bytes between pattern matches.

Variable

Enter the match variable name.

Value

Set the match value to be used. This is always relative to previous match.

Add anomaly

Edit (pencil icon)

Select an existing anomaly that you want to edit. Click the edit (pencil) icon, make the required changes, and click OK.

Delete (trash can icon)

Select an existing anomaly that you want to delete. Click the delete (trash can) icon and click Yes.

+

Click + to add one or more protocol anomaly attack objects to detect abnormal or ambiguous messages within a connection according to the set of rules for the particular protocol being used.

Anomaly No

Displays the system-generated anomaly number. You cannot modify this field.

Test Anomaly

Select a protocol anomaly test condition to be checked.

Direction

Select a traffic direction from the list for which the attack is detected:

  • Any Direction—Detects the attack in either direction.

  • Client to Server—Detects the attack only in client-to-server traffic.

  • Server to Client—Detects the attack only in server-to-client traffic.