Create a Custom IPS Signature

You are here: Security Services > IPS > Signatures.

Create custom attack objects to detect a known or unknown attack for protecting your network.

To create a custom IPS signature:

Click the CUSTOM tab.
Click Create > Custom on the upper-right corner of the Custom Signatures page.
The Create Custom Attack page appears.
Complete the configuration according to the guidelines provided from Table 1 to Table 4.
Click OK to save the changes. If you want to discard your changes, click Cancel.

You are returned to the Custom Signatures page and displays the custom signatures that you successfully created.

Table 1: Fields on the IPS Signatures Page—Create Custom
Field	Action
General
Name	Enter the name of the custom attack object. 250-character maximum.
Description	Enter a description for the custom attack object.
Recommended action	Select an action from the list to perform when the device detects an attack: None—No action is taken. Use this action to only generate logs for some traffic. Close—Reset the client and the server. Close client—Closes the connection and sends an RST packet to the client but not to the server. Close server—Closes the connection and sends an RST packet to the server but not to the client. Drop—Drops all packets associated with the connection, preventing traffic for the connection from reaching its destination. Use this action to drop connections for traffic that is not prone to spoofing. Drop packet—Drops a matching packet before it can reach its destination but does not close the connection. Use this action to drop packets for attacks in traffic that is prone to spoofing, such as UDP traffic. Dropping a connection for such traffic could result in a denial of service that prevents you from receiving traffic from a legitimate source-IP address. Ignore—Stops scanning traffic for the rest of the connection if an attack match is found. IPS disables the rulebase for the specific connection.
Severity	Select a severity from the list that matches the attack object severity on your network: Critical—Contains attack objects matching exploits that attempt to evade detection, cause a network device to crash, or gain system-level privileges. Info—Contains attack objects that matches the following parameters: Normal and harmless traffic containing URLs DNS lookup failures SNMP public community strings Peer-to-Peer (P2P) Major—Contains attack objects that matches the exploits that attempt to: Disrupt a service. Gain user-level access to a network device. Activate a Trojan horse previously loaded on a device. Minor—Contains attack objects that matches the exploits that detect reconnaissance efforts attempting to access vital informational through directory traversal or information leaks. Warning—Contains attack objects that matches the exploits that attempt to obtain noncritical information or scan a network with a scanning tool.
Detection Filter
Time count	Set the number of times that the attack object must detect an attack within the specified scope. The detection occurs before the device determines if or not the attack object matches the attack. Range: 0 through 4,294,967,295
Time scope	Select the scope from the list within which the count occurs: None—No action is taken. Use this option when you only want to generate logs for some traffic. Destination—Detects the signature in traffic from the destination IP address for the specified number of times, regardless of the source IP address. Session—Detects the signature in traffic between source and destination IP addresses of the sessions for the specified number of times. Source—Detects the signature in traffic from the source IP address for the specified number of times, regardless of the destination IP address.
Time interval	Enter the maximum time interval between any two instances of a time-binding custom attack. Supported format is MMm-SSs. Range: 0 minutes and 0 seconds to 60 minutes and 0 seconds.
Signature
Attack type	Select one of the following attack type from the list: Signature—IPS uses stateful signatures to detect attacks. Using stateful signatures, IPS look for the specific protocol or service that was used to carry out the attack. For fields description, see Table 2. Anomaly—Protocol anomaly attack objects detect abnormal or ambiguous messages within a connection using the protocol's set of rules. For fields description, see Table 3. Chain—Chain attack object combines multiple signatures and/or protocol anomalies into a single object. Traffic must match all of the combined signatures and/or protocol anomalies to match the chain attack object. For fields description, see Table 4.

Table 2: Fields on the Attack Type—Signature
Field	Action
Attack type	Signature—IPS uses stateful signatures to detect attacks. Using stateful signatures, IPS look for the specific protocol or service that was used to carry out the attack.
Context	Select an attack context from the list which defines the location of the signature where IPS should look for the attack in a specific Application Layer protocol.
Protocol binding	Select a protocol from the list that the attack uses to enter your network.
Application	Select an application from the list under which the attack must match. Note: This option is available only when protocol binding type is Application.
Protocol number	Set the transport layer protocol number which allows IPS to match the attack to it. Range: 0 through 139 Note: This option is available only when protocol binding type is IP and IPv6.
Program number	Set the remote procedure call (RPC) program number which allows to match the attack to it. Note: This option is available only when protocol binding type is RPC.
Minimum port	Set the minimum port in the port range. Range: 0 through 65,535 Note: This option is available only when protocol binding type is TCP.
Maximum port	Set the maximum port in the port range. Range: 0 through 65,535 Note: This option is available only when protocol binding type is TCP.
Direction	Select the traffic direction from the list for which the attack is detected: Client to Server—Detects the attack only in client-to-server traffic. Server to Client—Detects the attack only in server-to-client traffic. Any Direction—Detects the attack in either direction.
Content
DFA pattern	Enter the signature pattern in deterministic finite automation (DFA) format. For example: When you use the syntax: `\[hello\]`, pattern is hello and it is case insensitive. Example matches for the syntax are hElLo, HEllO, and heLLO.
PCRE pattern	Enter the signature pattern in standard Perl Compatible Regular Expression (PCRE) format. Example syntax: `Sea[ln]`, pattern is Seal and it is case insensitive. Example matches for the syntax are Seal, Seam, and Sean
Depth	Allows you to specify the depth in a packet to search for the given pattern. The depth is not relative. For example, you can specify a value for depth as 100.
Variable	Enter the depth variable name.
Value	Set the depth value to be used. Range: 1 through 65535
Offset	Allows you to specify where to start searching for a pattern within a packet. Offset is not relative. For example, you can specify a value for depth as 100.
Variable	Enter the offset variable name.
Value	Set the offset value to be used. Range: 1 through 65535
Is data at	Enable this option to allow you to verify that the payload has data at a specified location.
Negate	Enable this option to negate the result of Is data at.
Relate	Enable this option to use an offset relative to last pattern match.
Offset	Allows you to specify where to start searching for a pattern within a packet. Offset is not relative. For example, you can specify a value for depth as 100.
Variable	Enter the offset variable name.
Value	Set the offset value to be used. Range: 1 through 65535

Table 3: Fields on the Attack Type—Anomaly
Field	Action
Attack type	Anomaly—Protocol anomaly attack objects detect abnormal or ambiguous messages within a connection using the protocol's set of rules.
Service	Select a service from the list. Service is a protocol whose anomaly is defined in the attack. Example: IP, TCP, and ICMP.
Test anomaly	Select a protocol anomaly test condition from the list to be checked.
Direction	Select a traffic direction from the list for which the attack is detected: Any Direction—Detects the attack in either direction. Client to Server—Detects the attack only in client-to-server traffic. Server to Client—Detects the attack only in server-to-client traffic.

Table 4: Fields on the Attack Type—Chain
Field	Action
Attack type	Chain—Chain attack object combines multiple signatures and/or protocol anomalies into a single object. Traffic must match all of the combined signatures and/or protocol anomalies to match the chain attack object.
Protocol binding	Select a protocol from the list that the attack uses to enter your network.
Application	Select an application under which the attack must match. Note: This option is available only when protocol binding type is Application.
Protocol Number	Set the transport layer protocol number which allows IPS to match the attack to it. Range: 0 through 139 Note: This option is available only when protocol binding type is IP and IPv6.
Program Number	Set the remote procedure call (RPC) program number which allows to match the attack to it. Note: This option is available only when protocol binding type is RCP.
Minimum Port	Set the minimum port in the port range. Range: 0 through 65,535 Note: This option is available only when protocol binding type is TCP.
Maximum Port	Set the maximum port in the port range. Range: 0 through 65,535 Note: This option is available only when protocol binding type is TCP.
Chain order expressions	Select a Boolean expression that defines the condition for the individual members of a chain attack that will decide if the chain attack is hit: AND—If both of the member name patterns match, the expression matches. The order of the members does not matter. OR—If either of the member name patterns match, the expression matches. OAND—If both of the member name patterns match, and if they appear in the same order as in the Boolean Expression, the expression matches.
Customized ordering	Enable this option to create a compound attack object that must match each member signature or protocol anomaly in the order you specify. If you do not specify an ordered match, the compound attack object still must match all members, but the attacks or protocol anomalies can appear in random order.
Reset	Enable this option if the compound attack should be matched more than once within a single session or transaction.
Scope	Select one of the following scopes: session—Allows multiple matches for the object within the same session. transaction—Matches the object across multiple transactions that occur within the same session.
Add signatures
Edit (pencil icon)	Select an existing signature that you want to edit. Click the edit (pencil) icon, make the required changes, and click OK.
Delete (trash can icon)	Select an existing signature that you want to delete. Click the delete (trash can) icon and click Yes.
+	Click + to add one or more signature attack objects that use a stateful attack signature (a pattern that always exists within a specific section of the attack) to detect known attacks.
Signature No	Displays the system-generated signature number. You cannot modify this field.
Context	Select the attack context from the list which defines the location of the signature where IPS should look for the attack in a specific Application Layer protocol.
Direction	Select a traffic direction from the list for which the attack is detected: Any Direction—Detects the attack in either direction. Client to Server—Detects the attack only in client-to-server traffic. Server to Client—Detects the attack only in server-to-client traffic.
Content
DFA pattern	Enter the signature pattern in deterministic finite automation (DFA) format. Example syntax: `\[hello\]`, pattern is hello and it is case insensitive. Example matches for the syntax are hElLo, HEllO, and heLLO.
PCRE pattern	Enter the signature pattern in standard Perl Compatible Regular Expression (PCRE) format. Example syntax: `Sea[ln]`, pattern is Seal and it is Unicode insensitive. Example matches to the syntax Seal, Seam, and Sean
Depth	Allows you to specify the depth in a packet to search for the given pattern. The depth is not relative. For example, you can specify a value for depth as 100.
Variable	Enter the depth variable name.
Value	Set the depth value to be used. Range: 1 through 65535
Distance	Allows you to specify how much of the packet data should the IPS engine ignore before it begins searching for the specified pattern relative to the end of the previous pattern match.
Variable	Enter the distance variable name.
Value	Set the match value to be used. This is always relative to previous match.
Offset	Allows you to specify where to start searching for a pattern within a packet. Offset is not relative. For example, you can specify a value for depth as 100.
Variable	Enter the offset variable name.
Value	Set the offset value to be used. Range: 1 through 65535
Is data at	Enable this option to allow you to verify that the payload has data at a specified location.
Negate	Enable this option to negate the result of Is data at.
Relate	Enable this option to use an offset relative to last pattern match.
Offset	Allows you to specify where to start searching for a pattern within a packet. Offset is not relative. For example, you can specify a value for depth as 100.
Variable	Enter the offset variable name.
Value	Set the offset value to be used. Range: 1 through 65535
Within	Allows you to specify that there are maximum N bytes between pattern matches.
Variable	Enter the match variable name.
Value	Set the match value to be used. This is always relative to previous match.
Add anomaly
Edit (pencil icon)	Select an existing anomaly that you want to edit. Click the edit (pencil) icon, make the required changes, and click OK.
Delete (trash can icon)	Select an existing anomaly that you want to delete. Click the delete (trash can) icon and click Yes.
+	Click + to add one or more protocol anomaly attack objects to detect abnormal or ambiguous messages within a connection according to the set of rules for the particular protocol being used.
Anomaly No	Displays the system-generated anomaly number. You cannot modify this field.
Test Anomaly	Select a protocol anomaly test condition to be checked.
Direction	Select a traffic direction from the list for which the attack is detected: Any Direction—Detects the attack in either direction. Client to Server—Detects the attack only in client-to-server traffic. Server to Client—Detects the attack only in server-to-client traffic.

Create a Custom IPS Signature

Related Documentation