
Building Cisco IDS 3.0(3) Custom Signatures

Contents

  1. Signature Engine Types
  2. Engine Parameters
  3. Creating Custom Signatures
  4. Summary

Article Description

When using a signature-based Intrusion Detection System (IDS), keeping signature definitions up to date is crucial to maintaining optimum protection of your network resources. Earl Carter discusses building Cisco IDS 3.0(3) custom signatures in this timely article.

Creating Custom Signatures

How you create custom signatures depends on your Director platform. If you use the Unix Director, you create them with the standard nrConfigure tool. If you use Cisco Secure Policy Manager (CSPM), you instead run a command-line application called SigWizMenu. It walks you through a series of text menus in which you specify the parameters for tuning existing signatures or defining new custom ones.

Recently, another worm spread across the Internet. This worm, W32.Goner.a@mm, travelled as an email attachment and was written in Visual Basic. To build a custom signature for it, you first need some characteristic of the worm that is unique enough to match on. In this case, the attachment is named gone.scr. Next, you need to determine which ports the traffic will use, because limiting the ports reduces the potential for false positives. Because this is a mail worm, an infected host sends it toward port 25 (SMTP), and recipients pull it down from the mail server's side of a POP or IMAP connection, that is, from ports 109 (POP2), 110 (POP3), 143 (IMAP2), and 220 (IMAP3). The detection is therefore split into two separate signatures that handle the following two cases:

  • Look for the worm going to port 25
  • Look for the worm coming from ports 109, 110, 143, and 220

To create a custom signature to check for the worm on the SMTP port, you need to define the following parameters:

  • AlarmThrottle—FireOnce
  • Direction—ToService
  • MinHits—1
  • RegexString—[Ff][Ii][Ll][Ee][Nn][Aa][Mm][Ee] [^\r\n]*[Gg][Oo][Nn][Ee][.][Ss][Cc][Rr]
  • ResetAfterIdle—15
  • ServicePorts—25
  • SigName—Goner.A Worm

The custom signature that checks for the worm on the POP and IMAP ports is very similar to the SMTP one. The differences are the port list and the Direction: the worm now arrives from the mail server, so the traffic of interest flows from the service ports rather than to them. Therefore, you need to define the following parameters:

  • AlarmThrottle—FireOnce
  • Direction—FromService
  • MinHits—1
  • RegexString—[Ff][Ii][Ll][Ee][Nn][Aa][Mm][Ee] [^\r\n]*[Gg][Oo][Nn][Ee][.][Ss][Cc][Rr]
  • ResetAfterIdle—15
  • ServicePorts—109,110,143,220
  • SigName—Goner.A Worm
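To make the parameters of the two signatures concrete, the following Python script is an added model of how a string-matching engine would apply them; it is not code from the article and not Cisco's implementation. It assumes that Python's re module is an acceptable stand-in for the sensor's own regex syntax, that state is tracked per TCP four-tuple (a simplification of the sensor's summary key), and that AlarmThrottle FireOnce means one alarm per stream until ResetAfterIdle seconds pass with no match, after which the signature re-arms. The TCP segments it inspects are constructed for the example. One point worth checking before deploying the signatures as printed: the RegexString contains a literal space between filename and [^\r\n]*, so a header of the usual form filename="gone.scr" (with = directly after filename) does not match it; the model carries a second variant without that space so you can compare which header forms each one catches.

```python
import re
from dataclasses import dataclass, field

# RegexString exactly as printed in the two signatures above (note the literal
# space after "filename"), and a variant without the space. Python's re is an
# assumption standing in for the Cisco IDS string engine's own regex syntax.
REGEX_AS_PRINTED = r"[Ff][Ii][Ll][Ee][Nn][Aa][Mm][Ee] [^\r\n]*[Gg][Oo][Nn][Ee][.][Ss][Cc][Rr]"
REGEX_NO_SPACE = r"[Ff][Ii][Ll][Ee][Nn][Aa][Mm][Ee][^\r\n]*[Gg][Oo][Nn][Ee][.][Ss][Cc][Rr]"


def header_matches(regex, header):
    """True if a single MIME header line would trip the given RegexString."""
    return re.search(regex, header) is not None


@dataclass
class Signature:
    """Subset of the engine parameters used by the two Goner signatures."""
    sig_name: str
    direction: str            # "ToService" or "FromService"
    service_ports: frozenset  # ServicePorts
    regex: str                # RegexString
    min_hits: int = 1         # MinHits
    alarm_throttle: str = "FireOnce"
    reset_after_idle: int = 15  # seconds
    # Per-stream state (assumption: keyed by the TCP four-tuple).
    _state: dict = field(default_factory=dict, init=False, repr=False)

    def _direction_matches(self, seg):
        if self.direction == "ToService":
            return seg["dport"] in self.service_ports
        return seg["sport"] in self.service_ports  # FromService

    def inspect(self, seg):
        """Return True if this segment should raise an alarm."""
        if not self._direction_matches(seg):
            return False
        if not re.search(self.regex, seg["payload"]):
            return False
        key = (seg["src"], seg["sport"], seg["dst"], seg["dport"])
        st = self._state.get(key)
        # ResetAfterIdle: forget the stream if the last match is too old.
        if st is None or seg["t"] - st["last"] > self.reset_after_idle:
            st = {"hits": 0, "last": seg["t"], "fired": False}
        st["hits"] += 1
        st["last"] = seg["t"]
        self._state[key] = st
        if st["hits"] < self.min_hits:
            return False
        # FireOnce: a stream that already alarmed stays quiet until it idles out.
        if self.alarm_throttle == "FireOnce" and st["fired"]:
            return False
        st["fired"] = True
        return True


def build_goner_signatures(regex=REGEX_AS_PRINTED):
    """The two signatures from the article, with fresh per-stream state."""
    return [
        Signature("Goner.A Worm", "ToService", frozenset({25}), regex),
        Signature("Goner.A Worm", "FromService", frozenset({109, 110, 143, 220}), regex),
    ]


def seg(t, src, sport, dst, dport, payload):
    return {"t": t, "src": src, "sport": sport, "dst": dst, "dport": dport, "payload": payload}


# Constructed sample segments (not captured traffic). Times are seconds.
SAMPLE_SEGMENTS = [
    # Infected host submitting mail to port 25: should alarm (ToService).
    seg(0, "10.1.1.5", 3456, "192.0.2.10", 25, 'Content-Disposition: attachment; filename ="gone.scr"\r\n'),
    # Same stream 5 s later: FireOnce suppresses a second alarm.
    seg(5, "10.1.1.5", 3456, "192.0.2.10", 25, 'Content-Disposition: attachment; filename ="GONE.SCR"\r\n'),
    # Same stream after 20 s idle (> ResetAfterIdle=15): alarms again.
    seg(25, "10.1.1.5", 3456, "192.0.2.10", 25, 'Content-Disposition: attachment; filename ="gone.scr"\r\n'),
    # POP3 server delivering the message to a client: alarms (FromService 110).
    seg(30, "192.0.2.10", 110, "10.1.1.7", 4321, 'Content-Disposition: attachment; filename ="gone.scr"\r\n'),
    # Client-to-server on port 110 carrying the string: neither signature looks there.
    seg(31, "10.1.1.7", 4321, "192.0.2.10", 110, 'Content-Disposition: attachment; filename ="gone.scr"\r\n'),
    # Benign attachment to port 25: regex does not match.
    seg(32, "10.1.1.5", 3457, "192.0.2.10", 25, 'Content-Disposition: attachment; filename ="report.doc"\r\n'),
]


def run_signatures(signatures, segments):
    """Feed segments through every signature; return (time, sig, direction, stream) per alarm."""
    alarms = []
    for s in segments:
        for sig in signatures:
            if sig.inspect(s):
                stream = f'{s["src"]}:{s["sport"]}->{s["dst"]}:{s["dport"]}'
                alarms.append((s["t"], sig.sig_name, sig.direction, stream))
    return alarms


if __name__ == "__main__":
    usual = 'Content-Disposition: attachment; filename="gone.scr"\r\n'
    print("as printed matches usual header:", header_matches(REGEX_AS_PRINTED, usual))
    print("no-space variant matches usual header:", header_matches(REGEX_NO_SPACE, usual))
    for alarm in run_signatures(build_goner_signatures(), SAMPLE_SEGMENTS):
        print(alarm)
```

Running the script shows three alarms from the six segments (t=0 and t=25 from the SMTP signature, t=30 from the POP/IMAP one), the second-segment suppression by FireOnce, and that only the no-space regex variant matches a header written as filename="gone.scr". Whichever form you settle on, validate it against a captured copy of the actual message before relying on the signature.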