IDPS Signatures

IDPS signatures describe the characteristic features of network vulnerabilities. They are added to IDPS profiles and used in firewall rules for intrusion detection and network protection.

IDPS signatures are created by UserGate developers and added automatically to the system library when the corresponding license is present. You can also create custom signatures and add them to the IDPS signature library.

For each signature, you can individually configure the action to take, logging, and saving to a PCAP file, as well as enable or disable the signature. If you have modified the settings of a system IDPS signature created by UserGate, you can restore the defaults by going to Libraries ➜ IDPS signatures, selecting the signature in the list, and clicking Restore default.

To create a custom IDPS signature, go to Libraries ➜ IDPS signatures and click Add. After that, specify the signature properties and describe its characteristic features using the UASL syntax. Fill in the following fields:

Enabled

Signature on/off indicator.

Id

The ID of a signature group.

Name

The name of the signature.

Description

Signature description.

Threat level

Threat level defined by the signature. The following values are defined:

  • 1: very low

  • 2: low

  • 3: medium

  • 4: high

  • 5: very high

Class type

The signature class determines the attack type that is detected using this signature. It also covers general events that are not related to an attack but can be relevant in certain cases, e.g., detecting the establishment of a TCP session. The class list (can be extended):

  • arbitrary-code-execution: attempt to run arbitrary code

  • attempted-admin: attempt to obtain administrative privileges

  • attempted-dos: attempt to launch a Denial-of-Service (DoS) attack

  • attempted-recon: attempt to launch an attack aimed at leaking data

  • attempted-user: attempt to obtain user privileges

  • bad-unknown: potentially unwanted traffic

  • buffer overflow: attempt to launch a buffer-overflow attack

  • command-and-control: attempt to communicate with a C&C center

  • default-login-attempt: attempt to log in with the default username/password

  • denial-of-service: Denial-of-Service attack detected

  • exploit-kit: exploit kit detected

  • information disclosure: data leak

  • memory corruption: attempt to launch a memory corruption attack

  • misc-activity: other activity

  • misc-attack: attack detected

  • network-scan: network scanning

  • path traversal: attempt to launch an attack that works by traversing file paths on the server where the application is running

  • policy-violation: network policy violation

  • protocol-command-decode: unusual protocol command detected

  • shellcode-detect: shell code detected

  • string-detect: suspicious string detected

  • successful-recon-limited: information leak

  • suspicious-login: attempt to log in using a suspicious username

  • system-call-detect: attempt to invoke system calls

  • targeted-activity: targeted activity detected

  • trojan-activity: network Trojan detected

  • uncaught exception: exception not handled by the application.

Category

A signature category is a group of signatures that have common parameters. The list of categories (can be extended):

  • adware pup: unwanted adware

  • attack_response: signatures that specify responses to known network attacks

  • bruteforce: brute-force attack

  • coinminer: downloading, installation, and runtime activity of known miners

  • dns: known DNS vulnerabilities

  • dos: known signatures of denial-of-service (DoS) attacks

  • exploit: signatures of known exploits

  • ftp: known FTP vulnerabilities

  • icmp: known ICMP protocol vulnerabilities

  • imap: known IMAP vulnerabilities

  • info: potential data leaks

  • ldap: known LDAP vulnerabilities

  • malware: downloading, installation, and runtime activity of known malware

  • misc: other known signatures

  • netbios: known NetBIOS protocol vulnerabilities

  • p2p: peer-to-peer traffic detected

  • phishing: signatures of known phishing attacks

  • policy: cybersecurity policy violation

  • pop3: known POP3 protocol vulnerabilities

  • rpc: known RPC protocol vulnerabilities

  • scada: known SCADA protocol vulnerabilities

  • scan: signatures of attempts to scan the network for known applications

  • shellcode: signatures specifying known attempts at launching shells

  • sip: known SIP protocol vulnerabilities

  • smb: known SMB protocol vulnerabilities

  • smtp: known SMTP protocol vulnerabilities

  • snmp: known SNMP protocol vulnerabilities

  • sql: known SQL vulnerabilities

  • telnet: known attempts to compromise hosts via the Telnet protocol

  • tftp: known TFTP protocol vulnerabilities

  • user_agents: signatures of suspicious User-Agent strings

  • voip: known VoIP protocol vulnerabilities

  • web_client: signatures of known attempts to compromise various web clients, such as Adobe Flash Player

  • web_server: signatures of known attempts to compromise various web servers

  • web_specific_apps: signatures of known attempts to compromise various web applications

  • worm: signatures specifying network activity of known network worms

Signature operating system

The operating system for which this signature is developed.

  • Windows

  • Linux

  • BSD

  • Mac OS

  • Solaris

  • Cisco

  • IOS

  • Android

  • Other

CVE

Vulnerability ID according to the CVE registry.

BDU

Vulnerability ID according to the BDU registry.

URL

Optional link to a resource with the description of the vulnerability.

UASL

Description of the signature's features using the UASL syntax.

General Settings

  • Action: the response to signature detection. The following values are defined:

    • None: no action defined

    • Pass: allow the packet

    • Drop: drop the packet

    • Reset: drop the packet and abort the TCP connection (send a TCP reset)

    • Block IP: block the source and/or destination IP address

  • Log:

    • Enable: enable event logging

    • Disable: disable event logging

  • PCAP file: trace the signature detection and write the captured packets to a PCAP file

    • Enable: enable tracing

    • Disable: disable tracing

  • Apply to: what the Reset or Block IP actions should apply to. The available options are:

    • Source: the Reset or Block IP action is applied to the source IP address of the packet

    • Destination: the Reset or Block IP action is applied to the destination IP address of the packet

    • Both: the Reset or Block IP action is applied to both the source and destination IP addresses of the packet

  • Duration: the block duration for the Block IP action
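As an added example (not UserGate's code), the following Python function checks a custom signature definition for the cross-field consistency these settings imply before it is added to the library: the threat level range, the CVE identifier form, and that Apply to and Duration are only set for the actions they belong to. The dict layout and field keys, and the seconds unit for Duration, are assumptions of the example; the UASL body is left opaque because its syntax is not described here.

```python
import re

# Allowed values taken from the General Settings and field descriptions above.
THREAT_LEVELS = {1, 2, 3, 4, 5}            # 1 = very low .. 5 = very high
ACTIONS = {"None", "Pass", "Drop", "Reset", "Block IP"}
APPLY_TO = {"Source", "Destination", "Both"}
ADDRESS_ACTIONS = {"Reset", "Block IP"}    # the only actions "Apply to" governs
CVE_RE = re.compile(r"^CVE-\d{4}-\d{4,}$")  # standard CVE identifier shape

def validate_signature(sig: dict) -> list:
    """Return the problems found; an empty list means the definition is consistent.
    The dict layout mirrors the form fields and is an assumption of this example."""
    problems = []
    for field in ("name", "class_type", "category", "uasl"):
        if not sig.get(field):
            problems.append(f"{field}: required")
    if sig.get("threat_level") not in THREAT_LEVELS:
        problems.append("threat_level: must be 1 (very low) .. 5 (very high)")
    if sig.get("cve") and not CVE_RE.match(sig["cve"]):
        problems.append("cve: expected the form CVE-YYYY-NNNN")
    action = sig.get("action", "None")
    if action not in ACTIONS:
        problems.append(f"action: unknown value {action!r}")
    # "Apply to" selects the address a Reset or Block IP acts on; it has no
    # meaning for None, Pass or Drop.
    apply_to = sig.get("apply_to")
    if action in ADDRESS_ACTIONS and apply_to not in APPLY_TO:
        problems.append("apply_to: Reset/Block IP need Source, Destination or Both")
    if action not in ADDRESS_ACTIONS and apply_to is not None:
        problems.append("apply_to: only meaningful for Reset or Block IP")
    # Duration is the block time for Block IP only (unit assumed to be seconds).
    duration = sig.get("duration")
    if action == "Block IP" and not (isinstance(duration, int) and duration > 0):
        problems.append("duration: Block IP needs a positive block duration")
    if action != "Block IP" and duration is not None:
        problems.append("duration: only meaningful for Block IP")
    return problems

# Constructed sample definition: blocks the offending source for ten minutes.
SAMPLE_SIGNATURE = {
    "name": "Custom: login with factory default credentials",
    "threat_level": 4, "class_type": "default-login-attempt", "category": "policy",
    "cve": "CVE-0000-00000",        # placeholder, not a real identifier
    "uasl": "<UASL rule body>",     # UASL syntax is not covered on this page
    "action": "Block IP", "log": True, "pcap": False,
    "apply_to": "Source", "duration": 600,
}
```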