Creating custom IPS signatures

Article ID: 151315

Updated On:

Products

Endpoint Protection

Issue/Introduction

How do I create custom IPS signatures?

Resolution

To create custom IPS signatures, you must complete the following steps:
      1. Create a custom IPS library.
      2. Add a signature to a signature group in that library.
      3. Assign the custom IPS library to a group.

    1. To create a custom IPS library
        1. In the console, click Policies.
        2. Click Intrusion Prevention.
        3. Under Tasks, click Add Custom Intrusion Prevention Signatures.
        4. In the Custom Intrusion Prevention Signatures dialog box, type a name and an optional description for the library.
          Note: The NetBIOS Group is a sample signature group with one sample signature. You can edit the existing group or add a new group.
        5. To add a new group, click Signatures under the Signature Groups list.
        6. Click Add.
        7. In the Intrusion Prevention Signature Group dialog box, type a group name and an optional description, and then click OK.
        Note: The group is enabled by default. When a signature group is enabled, every signature in the group is enabled automatically. To keep the group for reference but disable it, uncheck Enable this group.

    2. To add a custom signature
      1. Open the custom IPS library that you created in the previous steps.
      2. Select the signature group in the Signature Groups list.
      3. Under Signatures for this Group, click Add.
      4. In the Add Signature dialog box, type a name and an optional description for the signature.
      5. In the Severity drop-down list, select a severity level.
        Events that match the signature conditions are logged with this severity.
      6. In the Direction drop-down list, specify the traffic direction that you want the signature to check.
      7. In the Content field, type the syntax of the signature.
        Note: For more information on the syntax, click Help.
      8. If you want only a particular application to trigger the signature, click Add.
      9. In the Add Application dialog box, type the file name and an optional description for the application.
        For example, to add Microsoft Internet Explorer, type the file name as iexplore or iexplore.exe. If you do not specify a file name, any application can trigger the signature.
      10. Click OK.
        Note: The added application is enabled by default. If you want to disable the application until later, uncheck the Enabled check box.
      11. In the Action group box, select the action that you want the client to take when the signature detects the event:
        1. Block identifies and blocks the event or attack and records it in the Security Log.
        2. Allow identifies and allows the event or attack and records it in the Security Log.
        3. Write to Packet Log records the event or attack in the Packets Log.
      12. Click OK.
        The added signature is enabled by default. If you want to disable the signature until later, uncheck the Enabled check box.
      13. To add more signatures to the signature group, repeat steps 3 through 12.
      14. To edit or delete a signature, select the signature and click Edit or Delete.
      15. When you have finished configuring the library, click OK.
      16. If you are prompted to assign the custom IPS signatures to a group, click Yes.

        To assign the policy:
        1. In the Assign Intrusion Prevention Policy dialog box, select the groups to which you want to assign the policy.
        2. Click Assign.
        3. Click Yes.

    3. To assign multiple custom IPS libraries to a group
      1. After you create a custom IPS library, assign it to a group rather than to an individual location.
      2. You can later assign additional custom IPS libraries to the same group.


Technical Information
You can write your own signatures to identify a specific intrusion and to reduce false positives. The more information you add to a custom signature, the more precisely it matches and the more effective it is. When you create a custom library, you can organize signatures into signature groups to manage them more easily. You must add at least one signature group to a custom signature library before you can add signatures to it. You can copy and paste signatures between groups and between libraries.

Warning: You must be familiar with the TCP, UDP, or ICMP protocols before you develop intrusion prevention signatures. An incorrectly formed signature can corrupt the custom IPS library and damage the integrity of the clients.
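The evaluation rules that the steps above describe (a disabled group disables every signature in it, the Direction filter, the optional application filter where no application means any application can trigger the signature, and which log each Action writes to), together with the point in Technical Information that a more specific signature produces fewer false positives, modelled as a small matcher run over constructed sample traffic. This is an added illustration, not Symantec Endpoint Protection code and not the product's signature Content syntax: the field names, the direction and action labels, the log names as strings, and the sample events are all assumptions made for the example.

```python
"""Illustrative model of custom IPS library evaluation (example code, not SEP's engine)."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class Signature:
    name: str
    severity: str                 # recorded with every event that matches
    direction: str                # "inbound", "outbound" or "both" (assumed labels)
    content: bytes                # byte pattern the payload must contain
    action: str                   # "block", "allow" or "packet_log" (assumed labels)
    applications: List[str] = field(default_factory=list)  # empty = any application
    enabled: bool = True


@dataclass
class SignatureGroup:
    name: str
    signatures: List[Signature]
    enabled: bool = True          # a disabled group disables all of its signatures


@dataclass
class Event:
    direction: str
    application: str              # image name of the process, e.g. "iexplore.exe"
    payload: bytes


def _norm_app(name: str) -> str:
    # "iexplore" and "iexplore.exe" name the same application
    name = name.lower()
    return name[:-4] if name.endswith(".exe") else name


def app_matches(sig: Signature, app: str) -> bool:
    if not sig.applications:      # no application listed: anything can trigger it
        return True
    return _norm_app(app) in {_norm_app(a) for a in sig.applications}


def evaluate(groups: List[SignatureGroup], ev: Event) -> Optional[Tuple[Signature, Dict[str, str]]]:
    """Return the first enabled signature whose conditions the event meets, plus the
    log entry the client would write, or None when nothing matches."""
    for group in groups:
        if not group.enabled:
            continue
        for sig in group.signatures:
            if not sig.enabled:
                continue
            if sig.direction != "both" and sig.direction != ev.direction:
                continue
            if not app_matches(sig, ev.application):
                continue
            if sig.content not in ev.payload:
                continue
            # Block and Allow both record to the Security Log; Write to Packet Log
            # records to the Packets Log.
            log = "Packets Log" if sig.action == "packet_log" else "Security Log"
            return sig, {"signature": sig.name, "severity": sig.severity,
                         "action": sig.action, "log": log}
    return None


def hits(groups: List[SignatureGroup], events: List[Event]) -> List[str]:
    """Names of the signatures that fired, one entry per matching event."""
    return [res[1]["signature"] for res in (evaluate(groups, e) for e in events) if res]


# Constructed sample traffic: one traversal attempt from the browser, one benign
# page load, and the same traversal attempt from a different program.
SAMPLE_EVENTS = [
    Event("outbound", "iexplore.exe", b"GET /cgi-bin/../../etc/passwd HTTP/1.1\r\n"),
    Event("outbound", "iexplore.exe", b"GET /index.html HTTP/1.1\r\n"),
    Event("outbound", "curl.exe",     b"GET /cgi-bin/../../etc/passwd HTTP/1.1\r\n"),
]

# Too little information: every outbound HTTP GET from any program trips it.
BROAD = Signature("Any HTTP GET", "Minor", "outbound", b"GET /", "packet_log")

# More information: the traversal pattern, outbound only, and only from iexplore.
NARROW = Signature("IE CGI traversal", "Major", "outbound",
                   b"/cgi-bin/../../", "block", applications=["iexplore"])

if __name__ == "__main__":
    print("broad   :", hits([SignatureGroup("Web", [BROAD])], SAMPLE_EVENTS))
    print("narrow  :", hits([SignatureGroup("Web", [NARROW])], SAMPLE_EVENTS))
    print("disabled:", hits([SignatureGroup("Web", [NARROW], enabled=False)], SAMPLE_EVENTS))
```

Running it shows the broad signature firing on all three events, including the benign page load, while the narrow one fires only on the browser's traversal attempt; disabling the group silences the signature even though the signature itself is still enabled. A real custom signature is written in the Content field's own syntax (see Help), so the byte-pattern check here stands in for whatever protocol-level conditions you put there.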