Cisco IPS sensor in current version of 7.something has over five thousand sigs, out of which more than one thousand are enabled. However, there will be times when we have to create a custom signature to fit our needs.
Let’s imagine the following scenario: we have a FTP server that our users are using to transfer files to and from. Yes, if we are talking security we should not be talking FTP at all, but it will do for illustration purposes. Anyhow, we don’t want users to take a file called “CONFIDENTIAL.TXT” because it contains some data used internally by some server process and should not be available to users. Of course one could say this can be solved by file permissions but like I said this is for illustration purposes only.
I guess that the most difficult things in creating a custom sigs are choosing the right IPS engine and writing a custom regex expression. More about engines and regex later on. For now let’s go ahead with the fact that we are going to use STRING TCP engine and a custom regex to match the required file name.
Let’s begin with selecting a virtual sensor in which we want to create a custom sig. In our case the virtual sensor is “vlan4”. So let’s select “vlan4” under “Signature Definitions”, select “All Signatures” and click the “Add” button:
Now the “Custom Signature Wizard” pops up. Below are descriptions of most interesting fields. Some of them we change and some are good as they are. After filling them in, click OK and then apply.
In the picture above only the interesting fields are marked and they are explained in more details:
- Signature ID: every signature has an ID associated with it. For example, ICMP echo signature has an ID of 2004. Custom signatures receive IDs from 60000. Because this is the fourth custom sig in our sensor, it received an ID 60003.
- SubSignature ID: The easiest way of explaining this is an example: we could have a sig 60003/0 for matching the CONFIDENTIAL.TXT (upper case) and 60003/1 for confidential.txt (lower case). Please note the SubSig IDs. We could also have 60003/0 for both versions of a file name. This is what we are using in our case.
- Signature Name: this is a name that we give to our custom sigs. This can be anything we like in the form of text.
- Alert Notes: additional text that appears in the log when the sig gets triggered.
- Engine: this is very important. There are several engines in Cisco IPS and they represent a way of differentiating signatures and parameters associated with them. Different engine require different parameters and way of configuring them. We are using “String TCP” because our FTP connection is a “TCP string”.
- Event Action: what we are going to do if a sig gets fired. We are now just using a “Produce Alert” but we can specify other actions as well, depending on a way the IPS is set up in our network. We could block an attacker for instance.
- Regex String: here we specify what we want to match. In the case of our sig this is a file name. We could say here “confidential.txt” but then we wouldn’t catch a “CONFIDENTIAL.TXT”. We could have different subsigs like described above, but we are going to use the regex:
This requires a little bit of explanation. The dot sign (.) means any caracter. The star (*) means previous caracter repeated zero or more times. The [Cc] means that we want to match either upper case or lower case “c”. The “\.” means a dot sign literally. Finally we have a “.*” again.
So IPS could read this as: “I don’t care what is in front of a file name, if anything, but a file name must be confidential.txt in any shape or form regarding a letter case, and I also don’t care if anything is after a file name.”
- Service Ports: this is ordinary TCP port. For FTP this is port 21.
- Direction: represents a traffic flow direction. In our case “To Service” means that the TCP port is a destination port. “From Service” means that the TCP port is a source port.
Now we can test our signature. We connect to FTP server, log in as some user and try to retrieve a file:
And now we can see that the sig has triggered:
evIdsAlert: eventId=1286828171032209287 severity=medium vendor=Cisco
time: 2012/04/26 13:55:16 2012/04/26 15:55:16 GMT+01:00
signature: description=Prevent users for retreiving a confidential file id=60003 created=20000101 type=other version=custom
sigDetails: This is listed in an alert
addr: locality=VLAN10 a.b.c.d
addr: locality=OUT x.y.z.w
os: idSource=learned relevance=relevant type=linux
That’s all for now. We will continue with our IPS exploration soon enough.