Configuring IDPS Signatures

At the libraries ips-signature level you can create and configure custom IDPS signatures.

To create a custom IDPS signature, use the following command:

Admin@nodename# create libraries ips-signature <parameters>

Provide the following parameters:

name
  Name of the IDPS signature. Cannot be modified for signatures created by UserGate.

description
  Description of the IDPS signature. Cannot be modified for signatures created by UserGate.

signature-id
  Signature group ID. Cannot be modified for signatures created by UserGate.

enabled
  Signature state indicator:
  • on: enable
  • off: disable

threat
  Threat level defined by the signature. The following values are defined:
  • very-low
  • low
  • medium
  • high
  • very-high
  Cannot be modified for signatures created by UserGate.

action
  Response action when the signature triggers. The following values are defined:
  • none: no action is defined
  • pass: let the packet through
  • drop: drop the packet
  • rst: drop the packet and close the TCP connection (by sending a TCP reset)
  • block: block the source and/or destination IP address

log
  Logging:
  • on: enable logging
  • off: disable logging

os
  Operating system type for which the signature is defined:
  • windows
  • linux
  • bsd
  • macos
  • solaris
  • cisco
  • ios
  • android
  • other
  Cannot be modified for signatures created by UserGate.

pcap
  Track signature triggering and record it to a PCAP file:
  • on: enable
  • off: disable

track-by
  Which address the block or rst action is applied to when the signature triggers:
  • src: the source IP address of the packet
  • dst: the destination IP address of the packet
  • both: both the source and destination IP addresses of the packet

duration
  Blocking duration for the block action.

uasl
  Description of the signature using the UASL syntax. Cannot be modified for signatures created by UserGate.

cve
  Vulnerability ID in the CVE registry.

bdu
  Vulnerability ID in the BDU registry.

url
  Optional link to a resource describing the vulnerability.

category
  A signature category is a group of signatures that share common parameters. The list of categories (can be extended):
  • adware pup
  • attack_response: signatures that identify responses to known network attacks
  • coinminer: downloading, installation, and runtime activity of known miners
  • dns: known DNS vulnerabilities
  • dos: known signatures of denial-of-service (DoS) attacks
  • exploit: known exploit signatures
  • ftp: known FTP vulnerabilities
  • imap: known IMAP vulnerabilities
  • info: potential data leak
  • ldap: known LDAP vulnerabilities
  • malware: downloading, installation, and runtime activity of known malware
  • misc: other known signatures
  • netbios: known NetBIOS protocol vulnerabilities
  • phishing: known phishing attack signatures
  • pop3: known POP3 protocol vulnerabilities
  • rpc: known RPC protocol vulnerabilities
  • scada: known SCADA protocol vulnerabilities
  • scan: signatures of attempts to scan the network for known applications
  • shellcode: signatures of known attempts to launch shells
  • smtp: known SMTP protocol vulnerabilities
  • snmp: known SNMP protocol vulnerabilities
  • sql: known SQL vulnerabilities
  • telnet: known attack attempts over the telnet protocol
  • tftp: known TFTP protocol vulnerabilities
  • user_agents: signatures of suspicious User-Agent strings
  • voip: known VoIP protocol vulnerabilities
  • web_client: signatures of known attacks on various web clients, such as Adobe Flash Player
  • web_server: signatures of known attacks on various web servers
  • web_specific_apps: signatures of known attacks on various web applications
  • worm: signatures of the network activity of known network worms
  Cannot be modified for signatures created by UserGate.

classtype
  The signature class determines the attack type that is detected by the signature. It also covers general events that are not attacks themselves but can be relevant in certain cases, such as detecting the establishment of a TCP session. The class list (can be extended):
  • arbitrary-code-execution: attempt to run arbitrary code
  • attempted-admin: attempt to obtain administrative privileges
  • attempted-dos: attempt to launch a denial-of-service (DoS) attack
  • attempted-recon: attempt to launch an attack aimed at leaking data
  • attempted-user: attempt to obtain user privileges
  • bad-unknown: potentially unwanted traffic
  • command-and-control: attempt to communicate with a command-and-control (C&C) server
  • default-login-attempt: attempt to log in with the default username/password
  • denial-of-service: denial-of-service attack detected
  • exploit-kit: exploit kit detected
  • misc-activity: other activity
  • misc-attack: attack detected
  • shellcode-detect: shellcode detected
  • string-detect: suspicious string detected
  • suspicious-login: attempt to log in using a suspicious user name
  • trojan-activity: network trojan detected
  • web-application-attack: web application attack detected
  Cannot be modified for signatures created by UserGate.

To edit a previously created IDPS signature, use the following command:

Admin@nodename# set libraries ips-signature <ips-signature-name> <parameters>

The parameters that can be updated are the same as those available when creating a signature.

To view information on all IDPS signatures, use the following command:

Admin@nodename# show libraries ips-signature

To view information on a specific signature, use the following command:

Admin@nodename# show libraries ips-signature <ips-signature-name>

Example of creating an IDPS signature:

Admin@nodename# create libraries ips-signature name "Test signature" action none threat low description "Test signature description" log on pcap on url example.org uasl "UASL(.name=\"EXAMPLE\";)" enabled off
Admin@nodename# show libraries ips-signature "Test signature"
signature-id : 5
name : Test signature
enabled : off
description : Test signature description
threat : low
action : none
log : on
pcap : on
track-by : src
duration : 0 days 0 hours 5 minutes
uasl : UASL(.name="EXAMPLE";)
url : example.org
owner : You
type : custom
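When many custom signatures are pushed from a script, it is worth validating the parameter values against the table above and confirming with show output that the device stored what was requested. The following helper is an added example, not UserGate code; the functions quote, build_create, parse_show and verify are hypothetical names, and it assumes the quoting shown in the example above (double quotes, inner quotes written as \") and that name and uasl are required.

```python
# Helpers for scripting UserGate "libraries ips-signature" commands. Added example,
# not UserGate code; the enumerations are the ones in the parameter table above.
# Assumptions: values are double-quoted with inner quotes written as \" (the only
# escaping the page's example shows), and name plus uasl are required.
KNOWN = {"name", "description", "signature-id", "enabled", "threat", "action", "log",
         "os", "pcap", "track-by", "duration", "uasl", "cve", "bdu", "url",
         "category", "classtype"}
ALLOWED = {
    "enabled": {"on", "off"}, "log": {"on", "off"}, "pcap": {"on", "off"},
    "threat": {"very-low", "low", "medium", "high", "very-high"},
    "action": {"none", "pass", "drop", "rst", "block"},
    "track-by": {"src", "dst", "both"},
    "os": {"windows", "linux", "bsd", "macos", "solaris", "cisco", "ios", "android", "other"},
}

def quote(value):
    """Leave simple tokens bare; otherwise double-quote and escape inner quotes."""
    value = str(value)
    if value and all(c.isalnum() or c in "-_./:" for c in value):
        return value
    return '"' + value.replace('"', '\\"') + '"'

def build_create(params):
    """Return the create command line, rejecting unknown keys and bad values."""
    if not params.get("name") or not params.get("uasl"):
        raise ValueError("name and uasl are required")
    parts = ["create libraries ips-signature"]
    for key, value in params.items():
        if key not in KNOWN:
            raise ValueError(f"unknown parameter: {key}")
        if key in ALLOWED and value not in ALLOWED[key]:
            raise ValueError(f"{key}: {value!r} not in {sorted(ALLOWED[key])}")
        parts.append(f"{key} {quote(value)}")
    return " ".join(parts)

def parse_show(output):
    """Turn 'show libraries ips-signature <name>' output (key : value lines) into a dict."""
    fields = {}
    for line in output.splitlines():
        key, sep, value = line.partition(" : ")
        if sep:
            fields[key.strip()] = value.strip()
    return fields

def verify(params, shown):
    """Names of requested parameters whose value on the device differs from the request."""
    return [k for k, v in params.items() if k in shown and shown[k] != str(v)]

# Constructed sample request and device output, mirroring the page's example.
EXAMPLE = {"name": "Test signature", "action": "none", "threat": "low",
           "description": "Test signature description", "log": "on", "pcap": "on",
           "url": "example.org", "uasl": 'UASL(.name="EXAMPLE";)', "enabled": "off"}
SHOW_OUTPUT = 'signature-id : 5\nname : Test signature\nenabled : off\nuasl : UASL(.name="EXAMPLE";)\ntrack-by : src\ntype : custom'
```

build_create(EXAMPLE) reproduces the create line from the example above character for character, and verify returns an empty list when the show output agrees with the request.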

To remove a previously created IDPS signature, use the following command:

Admin@nodename# delete libraries ips-signature <ips-signature-name>