Endpoint Protection

  • 1.  Custom IPS Signature

    Posted Mar 21, 2013 11:55 AM

    I'd like to create a custom IPS Signature that permits me to know which process tries to open a connection to an IP on one port.

    Is it possible to do this with custom IPS Signature?

    What is the syntax to use?


    Thanks!



  • 2.  RE: Custom IPS Signature

    Trusted Advisor
    Posted Mar 21, 2013 12:01 PM

    Hello,

    I don't think that is possible with custom IPS Signature.

    The IPS signatures are packet-based.

    Unlike Symantec signatures, custom signatures scan single packet payloads only. However, custom signatures can detect attacks in the TCP/IP stack earlier than the Symantec signatures.

    Packet-based signatures examine a single packet that matches a rule. The rule is based on various criteria, such as port, protocol, source or destination IP address, TCP flag number, or an application. For example, a custom signature can monitor the packets of information that are received for the string "phf" in GET /cgi-bin/phf? as an indicator of a CGI program attack. Each packet is evaluated for that specific pattern. If the packet of traffic matches the rule, the client allows or blocks the packet.

    You can specify whether or not Symantec Endpoint Protection logs a detection from custom signatures in the Packet log.

    Check these Articles:

    About custom IPS signatures

    http://www.symantec.com/docs/HOWTO80930

    Creating custom IPS signatures

    http://www.symantec.com/docs/HOWTO27083

    Managing custom intrusion prevention signatures

    http://www.symantec.com/docs/HOWTO55161

    Defining variables for custom IPS signatures

    http://www.symantec.com/docs/HOWTO55453

    Changing the order of custom IPS signatures

    http://www.symantec.com/docs/HOWTO55464

    Testing custom IPS signatures

    http://www.symantec.com/docs/HOWTO55177

    Adding signatures to a custom IPS library

    http://www.symantec.com/docs/HOWTO55170

    Hope that helps!!
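    To make the "single packet payload only" point concrete, here is an added illustration (not code from the thread or from Symantec, and not the product's signature syntax): a toy packet-based matcher that evaluates a rule against one packet at a time. The rule, the packets and the hypothetical `Packet`/`Rule` types are all constructed for the example; the rule reuses the "GET /cgi-bin/phf?" string quoted above. It shows three things the reply states: header criteria (protocol, port) are checked alongside the content, a packet has no process field to match on, and a pattern split across two segments is not seen because nothing is reassembled.

```python
"""
Added illustration, not from the thread or from Symantec: a minimal
packet-based signature matcher. Every rule is evaluated against ONE
packet, so a pattern that straddles two packets is never matched.
All packets, rules and type names below are constructed for the example.
"""
from dataclasses import dataclass


@dataclass
class Packet:
    proto: str      # "tcp" or "udp"
    src: str        # source address
    dst: str        # destination address
    dport: int      # destination port
    payload: bytes  # the single packet's payload; note: no process name here


@dataclass
class Rule:
    name: str
    proto: str
    dports: tuple         # destination ports the rule applies to (empty = any)
    content: bytes        # byte pattern searched for in this packet's payload only
    action: str = "log"   # "log" or "block"


def packet_matches(rule: Rule, pkt: Packet) -> bool:
    """Header criteria first (protocol, port), then payload content."""
    if pkt.proto != rule.proto:
        return False
    if rule.dports and pkt.dport not in rule.dports:
        return False
    return rule.content in pkt.payload


def evaluate(rules, packets):
    """Return (rule name, action, packet index) for every hit.

    Each packet is inspected independently; there is no stream
    reassembly, which is exactly the limitation described in the reply.
    """
    hits = []
    for i, pkt in enumerate(packets):
        for rule in rules:
            if packet_matches(rule, pkt):
                # First matching rule decides, like an ordered signature list.
                hits.append((rule.name, rule.action, i))
                break
    return hits


# Constructed rule: the CGI "phf" probe string quoted in the reply.
PHF_RULE = Rule(name="CGI phf probe", proto="tcp", dports=(80,),
                content=b"GET /cgi-bin/phf?", action="log")

# Constructed packets. Whole request in one packet: the rule fires.
SINGLE_PACKET = [
    Packet("tcp", "10.0.0.5", "10.0.0.80", 80,
           b"GET /cgi-bin/phf?Qalias=x HTTP/1.0\r\n"),
]

# Same request split over two TCP segments: a single-packet rule misses it.
SPLIT_PACKETS = [
    Packet("tcp", "10.0.0.5", "10.0.0.80", 80, b"GET /cgi-bin/"),
    Packet("tcp", "10.0.0.5", "10.0.0.80", 80, b"phf?Qalias=x HTTP/1.0\r\n"),
]

# Same string sent to a port the rule does not cover: header check fails.
OTHER_PORT = [
    Packet("tcp", "10.0.0.5", "10.0.0.80", 8080,
           b"GET /cgi-bin/phf?Qalias=x HTTP/1.0\r\n"),
]

if __name__ == "__main__":
    print(evaluate([PHF_RULE], SINGLE_PACKET))  # one hit on packet 0
    print(evaluate([PHF_RULE], SPLIT_PACKETS))  # no hits: pattern straddles packets
    print(evaluate([PHF_RULE], OTHER_PORT))     # no hits: port criterion fails
```

The split-packet case is the one to keep in mind when testing a custom signature: a single request that matches in a lab capture can be missed in production if the payload happens to be segmented differently. It also shows why the original question cannot be answered at this layer: the process that opened the socket is not part of the packet, which is why the firewall's application-aware logging is the better fit.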



  • 3.  RE: Custom IPS Signature

    Posted Mar 21, 2013 12:01 PM

    You would be able to monitor the port it tries to open but I don't believe you can get the process to show. IPS watches network traffic (packets) so I think this is beyond the scope. You should be able to get port usage though.

    All Custom IPS syntax is in the Install and Admin guide, starting on page 1121, Appendix E.

    It is the best resource you will likely find. It is very detailed. I've attached it.



  • 4.  RE: Custom IPS Signature

    Posted Mar 21, 2013 12:23 PM

    Maybe it's the firewall component that could help me find this kind of info...



  • 5.  RE: Custom IPS Signature
    Best Answer

    Posted Mar 21, 2013 12:26 PM

    Absolutely.

    If you know the exact app/port, you could create a rule to log its traffic.

    If you don't, you could create a Log all Apps rule and filter out what you're looking for.



  • 6.  RE: Custom IPS Signature

    Posted Mar 25, 2013 10:00 AM

    Mission accomplished!

    The firewall component helped me find what I was looking for.


    Thanks!