Custom Signature Regex

Does the Regex engine used by the IPS support lookahead syntax? I'm working on creating a custom signature using the TCP String engine that I want to fire if it both finds a given string, and does not find a second string. A negative lookahead seemed like the logical way to do this but when I try to use one I get a regex error from the sensor.

** update. sorry, just realized that this is not what you asked. I don't see anything in the docs anyway that refers to lookahead assertions **
yes, well according to the docs anyway. I've never tested though. In my experience, Cisco sometimes just inserts verbatim snippets of text from other documentation into their guides. The MARS docs say [or used to anyway] that they support them as well and they don't. Please let us know if they work for you.
http://cisco.com/en/US/products/hw/vpndevc/ps4077/products_command_reference_chapter09186a0080592dcb.html#wp480571
"The following regular expression uses parentheses for recall:
• a(.)bc(.)\1\2 matches an a followed by any character, followed by bc followed by any character, followed by the first any character again, followed by the second any character again. For example, the regular expression can match aZbcTZT. The software remembers that the first character is Z and the second character is T and then uses Z and T again later in the regular expression."
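
The logic asked about in this thread, as an added example that is not part of the original posts and not Cisco code. It uses Python's `re` module (which does support lookahead) to show the single-pattern negative lookahead next to a lookahead-free form that combines two plain string patterns, and it also runs the recall pattern quoted from the documentation. The two header strings and all payloads are hypothetical, constructed for illustration.

```python
import re

# Hypothetical strings: the post does not say which two strings are involved.
WANTED = b"X-Client: legacy"
UNWANTED = b"X-Auth-Token:"

# The poster's intent as one pattern: from the start of the buffer, assert
# that UNWANTED occurs nowhere, then require WANTED. (?s) lets "." span CRLF.
LOOKAHEAD = re.compile(
    rb"(?s)\A(?!.*" + re.escape(UNWANTED) + rb").*" + re.escape(WANTED)
)

# Lookahead-free form: two plain string patterns combined outside the regex.
HAS_WANTED = re.compile(re.escape(WANTED))
HAS_UNWANTED = re.compile(re.escape(UNWANTED))

# Recall (backreference) pattern quoted from the Cisco documentation.
RECALL = re.compile(r"a(.)bc(.)\1\2")


def fires_lookahead(payload: bytes) -> bool:
    return LOOKAHEAD.search(payload) is not None


def fires_two_pass(payload: bytes) -> bool:
    return (HAS_WANTED.search(payload) is not None
            and HAS_UNWANTED.search(payload) is None)


def recall_groups(text: str):
    """Return the two remembered characters, or None if there is no match."""
    m = RECALL.search(text)
    return m.groups() if m else None


# Constructed payloads (not captured traffic).
SAMPLES = [
    b"GET / HTTP/1.1\r\nX-Client: legacy\r\n\r\n",
    b"GET / HTTP/1.1\r\nX-Auth-Token: abc\r\nX-Client: legacy\r\n\r\n",
    b"GET / HTTP/1.1\r\nX-Client: legacy\r\nX-Auth-Token: abc\r\n\r\n",
    b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n",
]

if __name__ == "__main__":
    for p in SAMPLES:
        print(fires_lookahead(p), fires_two_pass(p), p[:40])
    print(recall_groups("aZbcTZT"))
```

Both functions evaluate a complete reassembled buffer; a sensor inspecting a live stream can only conclude that the second string is absent once the inspected window has ended.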

Similar Messages

  • WLC IPS custom signature file

    Hi,
    Where can I download the WLC IPS custom signature file? Does WLC support OpenLDAP for user web or 802.1x authentication?
    Best Regards,
    Jackson Ku

  • IDS 4215 http custom signature

    Hello,
    I am trying to build a custom signature that matches an HTTP header or body containing a certain regular expression. Any ideas how to do that? I tried the Web Server signature, but there I can only match the HTTP header.

    Try this:
    1) Login to the sensor via IDM with an admin privileged account
    2) Select “Configuration -> Sensing Engine -> Signature Wizard”
    3) Select “Start the Wizard”
    4) Select the “Web Server Signature” option
    5) Set your SigID, Sig Name, Alert and User Notes as appropriate and click “Next”
    6) Adjust the service ports (if necessary) and click “Next”
    7) Given the intentions of your signature, leave the “Web Server Buffer Overflow Checks” fields empty and click “Next”
    8) Put your regex into the “HTTP Request Regular Expression” because it will match the text within the entire HTTP request. Click “Next”
    9) Set your alerting preferences (severity, etc.) and click “Next”
    10) Adjust your alerting behaviour if you want (Click “Advanced”), or accept the defaults by clicking “Next”
    11) Click on “Create” to generate the signature
    I hope this helps,
    Alex Arndt

  • IPS custom signature to filter email domain

    Using IPS 5.0.
    I'm creating custom signature on SMTP using State Name: SMTP Commands.
    My question:
    1. On the Regex String, what should I key in to stop any users from the sex.com domain from sending me email? I have keyed in
    [Mm][Aa][Ii][Li][\t][Ff][Rr][Oo][Mm]:^.@[Ss][Ee][Xx].[Cc][Oo][Mm]
    but I don't think this is correct... am I?
    2. In the State Name(SMTP), they have
    Abort, Mail Body, Mail Header, SMTP Commands and Start. Can anyone provide the information (URL) and example of how to use these....
    Thanks in advance...

    The documentation for 5.1 is located at:
    http://www.cisco.com/en/US/customer/products/hw/vpndevc/ps4077/products_configuration_guide_book09186a008055de07.html
    I believe the regex you want is:
    [Mm][Aa][Ii][Ll][\t][Ff][Rr][Oo][Mm][:][\x21-\x7E]+[@][Ss][Ee][Xx].[Cc][Oo][Mm]
    The + field allows for any printable characters (but there must be at least 1) in the sender's email address. You should use the SMTP state machine with the SMTP Commands state set, direction to service port 25.
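
A quick offline check of the regex posted in the answer above, added here as an example and not part of the original posts or Cisco documentation. It assumes the constructs used (`[\t]`, `\xNN` ranges, unescaped `.`) behave in the sensor's engine as they do in Python's `re`; the `TIGHTENED` variant and all SMTP lines are constructed for illustration.

```python
import re

# Regex as posted in the answer above (evaluated here with Python's re).
POSTED = re.compile(
    r"[Mm][Aa][Ii][Ll][\t][Ff][Rr][Oo][Mm][:][\x21-\x7E]+"
    r"[@][Ss][Ee][Xx].[Cc][Oo][Mm]"
)

# Added variant: space or tab after MAIL, a literal dot, and an end-of-domain
# delimiter so longer names such as sex.community.example do not match.
TIGHTENED = re.compile(
    r"[Mm][Aa][Ii][Ll][ \t]+[Ff][Rr][Oo][Mm][:][\x21-\x7E]+"
    r"[@][Ss][Ee][Xx]\.[Cc][Oo][Mm][> \r\n]"
)

# Constructed SMTP command lines (not captured traffic).
SAMPLES = {
    "space":      "MAIL FROM:<bob@sex.com>\r\n",
    "tab":        "MAIL\tFROM:<bob@sex.com>\r\n",
    "any_char":   "MAIL\tFROM:<bob@sexycom.example>\r\n",
    "longer":     "MAIL FROM:<bob@sex.community.example>\r\n",
    "unrelated":  "mail from:<alice@example.org>\r\n",
}


def evaluate(line: str):
    """Return (posted_matches, tightened_matches) for one command line."""
    return (POSTED.search(line) is not None,
            TIGHTENED.search(line) is not None)


def report():
    """Evaluate every sample; keys are the labels in SAMPLES."""
    return {name: evaluate(line) for name, line in SAMPLES.items()}


if __name__ == "__main__":
    for name, (posted, tightened) in report().items():
        print(f"{name:10} posted={posted!s:5} tightened={tightened}")
```

The `space` row shows the posted pattern missing the usual `MAIL FROM:` form because `[\t]` accepts only a tab, and the `any_char` row shows the unescaped `.` matching a character other than a dot.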

  • Custom signature

    I have scanned my handwritten signature for use with emails. I have been able to add this to my Outlook emails in my office on a PC but have not been able to figure out how to create a custom signature for my iPhone & iPad.
    Rob

    Step 1: Send your handwritten signature from your PC to your iPhone and iPad.
    Step 2: On your iPhone and iPad, hold the picture and select copy.
    Step 3: Go to Settings > Mail, contacts and Calendars > Signature and paste the picture.
    Done

  • Adding custom signature to Mail

    I know this has GOT to be easy, but I am totally stumped. I have several email accounts, and have signatures set up for each in preferences for each. My problem is that I just cannot figure out how to have my signature use any other font besides the default font. It is driving me nuts. I've even tried creating it how I want in Pages, and copying/dragging it into the signature, and it keeps changing the font to the default Helvetica.
    Any ideas?

    In the Signature preferences be sure you have not checked the box to "Match the font ...." Also, be sure you have configured Mail to use Rich Text rather than plain text. This is done in Mail's Composing preferences.
    If you still have problems here are two possible solutions. One is to create your custom signature in an HTML editor. A simple editor that would work is Level4 - VersionTracker or MacUpdate. Then paste the resulting HTML code for your signature into the Signature preferences in Mail. The other would be to create your signature in Pages, for example, and output a PDF file. You can then insert the PDF file as your signature.

  • Custom signature for TOR Application

    Hi,
    I want to create a custom signature to produce an alert whenever any machine launches the TOR application. I have searched and found that there are already two signatures created, 5816/0 and 5816/1; I have enabled them and tested, and they did not fire.
    I have the IPS in promiscuous mode monitoring all VLANs, working normally. I don't have SSL interception at any device, so once TOR is established I don't have visibility over the traffic.
    I need help in creating such a signature. I have taken a Wireshark capture of the traffic, and all I can see at the application layer is proxy connect and proxy port (see attached).
    Thanks for your help.

    Hi nkumarsr,
    I have created a TCP string signature for ports 9001, 9090
    and I have also added it in built-in signatures 5816/0 and 5816/1.
    I have launched TOR and it did not fire. I took a capture on the client PC and searched for tcp.port == 9001 and 9090; it is not showing.
    Do you have any other ideas?

  • Customer Signature in customer Master w/o DMS?

    Hi.
    Can we upload Customer Signature in Customer master without DMS(Document Management Server) ?
    Reg,
    antaa21

    Hi,
    Use transaction code VPE1 to create the sale employee and attach this to the customer number.
    Regards

  • Custom signature in CSM3.0 for IDSM2 with IPS5.1

    I am trying to add a custom signature in CSM3.0 for IDSM2 which is running IPS5.1 in a Cat6500. I am using the custom wizard to create the custom signature (say "sweep"). Under signature, IPS5.x, I could see the created custom signature, but when the signature triggers, the IPS event viewer shows only the old (built-in sweep) signature ID and not the customized one.
    Just to test the changes in effect, I tried to change the event level, say "low" to "high", for one of the built-in signatures (sweep 2100) by editing the same. The display shows the changed level, but when the signature triggers, the IPS event viewer shows the level as "low" instead of "high".
    I also tried enabling the check box for the option "retire".
    How do I create and test the customized signature? I tried with both IDM and CSM3.0. Any suggestions...

    The custom headers and client IP and port headers are inserted in every HTTP request packet. Full session headers and decoded client certificate fields are inserted in the first HTTP request packets; only the session ID is inserted in subsequent HTTP requests that use the same session ID. The servers are expected to cache the session or client certificate headers based on the session ID and use the session ID in subsequent requests to get the session and client certificate headers.

  • Custom signature to detect malicious JavaScript

    Using "US-CERT Critical Infrastructure Information Notice CIIN-08-005-01 January 05, 2008" as the reference. I'd like to create a custom signature that looks for the string "0.js"
    The effort is to determine if my webservers have been or will be impacted, as we allow SQL queries and injection, but the servers are patched.
    Thanks

    You can find information on using the custom signature wizard here: http://www.cisco.com/en/US/products/hw/vpndevc/ps4077/products_configuration_guide_chapter09186a0080618a2a.html
    -- Shiva

  • Signature Fields not taking info (In custom signature)

    When creating a custom signature
    - there are fields that will not let you enter info-
    then you may not submit your signature- because fields are missing.
    1. Is Nickname
    2. Email address
    I was under Business signature
    Thank you

    My "problem" seems to have solved itself. Very strange. What I did at my first attempt was to clone several custom signatures from a single custom rule in the IDSM. First rule worked in MARS but not the others, only difference was that the later rules were created as subsignatures and imported into MARS as such. When that didn't work I tried to create the IDS rules as separate rules instead of subsignatures and reimport them into MARS, no luck there either.
    I removed my custom signatures from the IDSM and left everything for the weekend. When I returned this Monday and reentered the signatures into the IDSM and tried them out MARS managed to parse them correctly, even put them into the correct event group.
    I've no idea what I've done differently but it's all working fine now
    /Fredrik

  • Using IPS 6.3 customized signatures in CS MARS

    A client has a Cisco IPS 6.3 module installed in a Catalyst 6500, *with fully customized signatures* which generate thousands of alerts clearly visible in its IPS Event Viewer.
    MARS is pulling info from that IPS, but the customized signatures do not appear in any Incident. Is it possible for MARS to pull all those customized signatures??
    Thanks in advance

    The first step is to get MARS to parse the event. The next step is to create the necessary inspection rules.
    You can start here:
    http://ciscomars.blogspot.com/2008/03/custom-ips-signatures-with-cisco-mars.html

  • S492 : Bad Custom Signature ID ... [5577]

    Hi,
    I've implemented signature update S492, but apparently there is a problem with the new signature 5577.1 : SMB Secure NULL Login Attempt . During the upgrade process run from our CSM V3.3.1, the deployment manager returns an error :
    instance=sig0:unspecifiedError:Bad Custom Signature ID ... [5577].  Can not create a custom signature with sig-id < 60000
    When I verify on the sensors themselves, this new signature is nowhere to be found.
    Best regards.

    Signature# 5577 is a new signature from s492 signature update:
    http://www.cisco.com/web/software/282549755/34252/IPS-sig-S492.readme.txt
    Do you happen to have a custom signature with sig# 5577 by any chance?
    If you don't, then you might want to open a TAC case as it might be a new bug.

  • Custom signature- SigName

    I have created a custom signature with idsmc 2.01 and during the creation it asked for a name. I entered the name that I wanted to use for the signature but when I received an event for the signature in SecMon, the name that appeared was the default name which is equivalent to the signature engine
    SigName: STRING.TCP <defaulted>
    Can someone tell me where you update the name field on the idsmc signature configuration?

    I have rebooted the sensor as you indicated but the SigName on the custom signature that I created remains the same. (STRING.TCP)
    The steps that I followed to create the signature were as follows:
    1. I used the management centre for ids sensors version 2.01
    2. I selected the group to which the sensor belongs
    3. I select signature/ IDS 4.x
    4. Under the selection for Select group, you have two choices built-in/custom
    5. I chose custom and then add
    6. I selected the engine string.tcp and gave the signature a name along with its selected reg-expression and other parameters.
    7. I then used the quick deploy on IDSMC to send the custom signature to the group of sensors
    The signature was deployed with all of the correct values and settings but the SigName was not changed from its default.

  • Digital Signatures / Custom Signature Logo

    Good morning -
    I'm getting quickly acclimated to the concept of digital signatures as my employer is striving towards a paperless office. I have several questions that have come up, but I'll start with (hopefully) an easy one:
    When a digital signature appearance is being created, one option is "Logo", which will place the Adobe "A" behind the signature image and timestamp information. Is it possible to put a custom logo behind there - such as my company's emblem?
    Many thanks,
    Warren

    Hi Warren,
    The answer is yes, you can replace the PDF trefoil (it's not the Adobe A) with your own logo as the background. Open the image file in Acrobat and it will get converted to a PDF file. Don't worry about cropping the image. For this you do need Acrobat as the free Adobe Reader cannot convert images to PDF. The next thing is to save the file with a specific name and to a specific location.
    The file name you are going to use is SignatureLogo.pdf and please note there is no space in the file name. You need to save the file in the following location:
    Windows XP: C:\Documents and Settings\<user>\Application Data\Adobe\Acrobat\<version>\Security
    Vista or Win 7: C:\Users\<user>\AppData\Roaming\Adobe\Acrobat\<version>\Security
    Macintosh: \Users\<user name>\Library\Application  Support\Adobe\Acrobat\<version>\Security
    I'm sure you've figured out that <user> is going to correspond to the name of the logged in user and <version> is the current major version of Acrobat or Reader. Although Acrobat and Reader get installed into different locations, and even use separate registry entries, they do share the user's application data directory.
    Steve
