At the libraries ips-signature level you can create and configure custom (user) IDPS signatures.
To create a custom IDPS signature, use the following command:
Admin@nodename# create libraries ips-signature <parameters>
Provide the following parameters:
| Parameter | Description |
|---|---|
| name | Name of the IDPS signature. Cannot be modified for signatures created by UserGate. |
| description | Description of the IDPS signature. Cannot be modified for signatures created by UserGate. |
| signature-id | Signature group ID. Cannot be modified for signatures created by UserGate. |
| enabled | Signature state: on or off. |
| threat | Threat level assigned by the signature. The following values are defined: Cannot be modified for signatures created by UserGate. |
| action | Action taken when the signature triggers. The following values are defined: |
| log | Logging of signature triggering: on or off. |
| os | Operating system type for which the signature is defined: Cannot be modified for signatures created by UserGate. |
| pcap | Record signature triggering to a PCAP file: on or off. |
| track-by | How the block or rst action is applied when the signature triggers (e.g. src, the default shown in the example below): |
| duration | Blocking duration for the block action. |
| uasl | Description of the signature in UASL syntax. Cannot be modified for signatures created by UserGate. |
| cve | Vulnerability ID in the CVE registry. |
| bdu | Vulnerability ID in the BDU registry. |
| url | Optional link to a resource describing the vulnerability. |
| category | A signature category is a group of signatures that share common parameters. The list of categories (can be extended): Cannot be modified for signatures created by UserGate. |
| classtype | The signature class determines the attack type detected by this signature. It also covers general events that are not attacks but can be relevant in certain cases, e.g. detecting the establishment of a TCP session. The class list (can be extended): Cannot be modified for signatures created by UserGate. |
To edit a previously created IDPS signature, use the following command:
Admin@nodename# set libraries ips-signature <ips-signature-name> <parameters>
The parameters that can be updated are the same ones available when creating a signature; the restrictions marked "Cannot be modified" above apply only to signatures supplied by UserGate, not to custom ones.
To view information on all IDPS signatures, use the following command:
Admin@nodename# show libraries ips-signature
To view information on a specific signature, use the following command:
Admin@nodename# show libraries ips-signature <ips-signature-name>
Example of creating an IDPS signature:
Admin@nodename# create libraries ips-signature name "Test signature" action none threat low description "Test signature description" log on pcap on url example.org uasl "UASL(.name=\"EXAMPLE\";)" enabled off
Admin@nodename# show libraries ips-signature "Test signature"
signature-id : 5
name : Test signature
enabled : off
description : Test signature description
threat : low
action : none
log : on
pcap : on
track-by : src
duration : 0 days 0 hours 5 minutes
uasl : UASL(.name="EXAMPLE";)
url : example.org
owner : You
type : custom
To remove a previously created IDPS signature, use the following command:
Admin@nodename# delete libraries ips-signature <ips-signature-name>
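The create, set and show commands above are easy to get wrong from a script: the uasl value contains double quotes that must be escaped inside the outer quotes, on/off flags are easy to mistype, and a set on a UserGate-supplied signature fails if it touches one of the fields marked "Cannot be modified". The following Python helpers are an added example, not part of UserGate or this page; they render the create/set command lines, parse the `key : value` output of show into a dict, and refuse to emit a set that would modify a locked field on a vendor signature. Assumptions, labelled in the code: the CLI quoting rule is inferred from the page's own `uasl "UASL(.name=\"EXAMPLE\";)"` example, the show output is one `key : value` per line as in the example, and a signature whose `type` is anything other than `custom` is treated as supplied by UserGate. The sample show output is constructed from the example above.

```python
"""Helpers for driving the UserGate CLI `libraries ips-signature` commands.

Added example; not UserGate's own tooling. Assumptions (inferred from the
page's example rather than a published grammar):
- values containing spaces, quotes or backslashes are double-quoted, with
  inner `"` and `\\` backslash-escaped, as in uasl "UASL(.name=\\"EXAMPLE\\";)";
- `show libraries ips-signature <name>` prints one `key : value` line per field;
- a signature whose `type` field is not `custom` was supplied by UserGate.
"""

import re
from typing import Dict

# Parameters the page documents for create/set, emitted in this order.
KNOWN_PARAMS = (
    "name", "description", "enabled", "threat", "action", "log", "os", "pcap",
    "track-by", "duration", "uasl", "cve", "bdu", "url", "category", "classtype",
)
ON_OFF_PARAMS = ("enabled", "log", "pcap")
# Fields the page marks "Cannot be modified for signatures created by UserGate".
LOCKED_FOR_VENDOR = frozenset(
    {"name", "description", "signature-id", "threat", "os", "uasl", "category", "classtype"}
)


def quote_value(value: str) -> str:
    """Quote one CLI value: bare if it is a plain token, double-quoted otherwise."""
    if value and not re.search(r'[\s"\\]', value):
        return value
    escaped = value.replace("\\", "\\\\").replace('"', '\\"')
    return f'"{escaped}"'


def _render_params(params: Dict[str, str]) -> str:
    """Validate and render `key value` pairs in documented order."""
    unknown = set(params) - set(KNOWN_PARAMS)
    if unknown:
        raise ValueError(f"unknown parameters: {sorted(unknown)}")
    for key in ON_OFF_PARAMS:
        if key in params and params[key] not in ("on", "off"):
            raise ValueError(f"{key} must be 'on' or 'off', got {params[key]!r}")
    return " ".join(f"{k} {quote_value(params[k])}" for k in KNOWN_PARAMS if k in params)


def build_create_command(params: Dict[str, str]) -> str:
    """Render `create libraries ips-signature <parameters>`; name is mandatory."""
    if not params.get("name"):
        raise ValueError("name is required")
    return f"create libraries ips-signature {_render_params(params)}"


def build_set_command(current: Dict[str, str], params: Dict[str, str]) -> str:
    """Render `set libraries ips-signature <name> <parameters>`.

    `current` is the parsed show output for the signature. For a vendor
    signature (type != custom, assumed) refuse to touch the fields the page
    lists as immutable rather than letting the CLI reject the command.
    """
    if current.get("type") != "custom":
        locked = LOCKED_FOR_VENDOR & set(params)
        if locked:
            raise ValueError(f"cannot modify {sorted(locked)} on a UserGate signature")
    return f"set libraries ips-signature {quote_value(current['name'])} {_render_params(params)}"


def parse_show_output(text: str) -> Dict[str, str]:
    """Parse `show libraries ips-signature <name>` output into a dict."""
    fields: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        key, sep, value = line.partition(" : ")  # split on the first separator only
        if not sep:
            raise ValueError(f"unexpected line in show output: {line!r}")
        fields[key.strip()] = value.strip()
    return fields


# Constructed sample, reproducing the page's example show output line by line.
SAMPLE_SHOW_OUTPUT = """\
signature-id : 5
name : Test signature
enabled : off
description : Test signature description
threat : low
action : none
log : on
pcap : on
track-by : src
duration : 0 days 0 hours 5 minutes
uasl : UASL(.name="EXAMPLE";)
url : example.org
owner : You
type : custom
"""


if __name__ == "__main__":
    sig = parse_show_output(SAMPLE_SHOW_OUTPUT)
    # Re-create the signature from its show output, then enable it.
    print(build_create_command({k: sig[k] for k in KNOWN_PARAMS if k in sig}))
    print(build_set_command(sig, {"enabled": "on"}))
```

Running the script prints a create line equivalent to the page's example (parameters in table order) followed by `set libraries ips-signature "Test signature" enabled on`; the locked-field check only fires for signatures whose show output reports a type other than custom.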