Custom IPS signatures

With custom signatures, you can protect your network from vulnerabilities related to network objects such as servers, protocols, and applications. You can create custom signatures and later add them to IPS policy rules.

IPS custom pattern syntax

Keyword / Value / Usage

srcaddr/dstaddr
Value: <ipaddress>;
Usage: The source/destination IP address.

srcport/dstport
Value: <number>;
Usage: The source/destination port.

content
Value: "<content string>";
Usage: A string within double quotes. You can specify multiple content keywords in one rule. The value can contain mixed text and binary data; binary data is written as hexadecimal bytes enclosed between pipe (|) characters, for example "|00 04 93 F3|".

nocase
Can be used with the content keyword only.
Value: NULL
Usage: Ignore case when matching the content value.

rawbytes
Can be used with the content keyword only.
Value: NULL
Usage: Ignore any decoding and match against the raw packet data.

depth
Can be used with the content keyword only.
Value: <number>;
Example: depth:5;
Usage: Look for the content within the specified number of bytes of the payload, counted from the offset (or from the start of the payload if no offset is given). If the depth value is smaller than the length of the content value, the signature can never match.

offset
Can be used with the content keyword only.
Value: <number>;
Example: content:"cgi-bin/phf"; offset:4; depth:20;
Usage: Start searching for the content after the specified number of bytes of the payload. The offset is an absolute position in the payload. Follow offset with depth to stop searching after the number of bytes given by depth; if no depth is specified, the search continues to the end of the payload.

distance
Can be used with the content keyword only.
Value: <number>;
Example: content:"ABC"; content:"DEF"; distance:1;
Usage: Start searching for the content the specified number of bytes after the end of the previous content match. distance can be followed by within; if no within is specified, the search continues to the end of the payload.

within
Can be used with the content keyword only.
Value: <number>;
Example: content:"ABC"; content:"DEF"; within:10;
Usage: The content must be found within the specified number of bytes after the end of the previous content match. Use together with distance.
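Worked example, added here and not taken from the original page or from any IPS vendor's code: a small Python matcher for the content keyword with its nocase, offset, depth, distance and within modifiers, plus isdataat, implementing the semantics described above. The class and function names (Content, match_content, match_rule, isdataat) and the payloads are assumptions constructed for the illustration; the rules are the table's own examples. It shows the two cases practitioners most often get wrong: a depth shorter than the content never matches, and distance:1 rejects a second content that starts immediately after the first.

```python
# Added illustration of content / nocase / offset / depth / distance / within
# / isdataat semantics. Not the IPS engine's code; payloads are constructed.
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Content:
    pattern: bytes
    nocase: bool = False
    offset: int = 0                  # absolute start position in the payload
    depth: Optional[int] = None      # bytes searched starting at offset
    distance: Optional[int] = None   # start relative to end of previous match
    within: Optional[int] = None     # bytes searched from that relative start


def _search(window: bytes, pattern: bytes, nocase: bool) -> int:
    if nocase:
        return window.lower().find(pattern.lower())
    return window.find(pattern)


def match_content(payload: bytes, c: Content, cursor: Optional[int]) -> Optional[int]:
    """Return the position just after the match (the new cursor), or None.

    cursor is the end of the previous content match, or None for the first
    content keyword in a rule.
    """
    if c.distance is not None or c.within is not None:
        # distance/within are relative to the end of the previous match
        if cursor is None:
            return None
        start = cursor + (c.distance or 0)
        end = start + c.within if c.within is not None else len(payload)
    else:
        start = c.offset
        end = start + c.depth if c.depth is not None else len(payload)
    window = payload[start:end]
    # A window shorter than the pattern (e.g. depth smaller than the content
    # length) can never contain it: the "never matches" case from the table.
    if len(window) < len(c.pattern):
        return None
    i = _search(window, c.pattern, c.nocase)
    return None if i < 0 else start + i + len(c.pattern)


def isdataat(payload: bytes, value: int, cursor: Optional[int], relative: bool = False) -> bool:
    """True if the payload has a byte at index value, counted from the start
    or, with relative, from the end of the previous content match."""
    base = cursor if (relative and cursor is not None) else 0
    return len(payload) > base + value


def match_rule(payload: bytes, contents: List[Content]) -> bool:
    """Evaluate the content keywords of a rule in order, threading the cursor."""
    cursor: Optional[int] = None
    for c in contents:
        cursor = match_content(payload, c, cursor)
        if cursor is None:
            return False
    return True


# The table's examples, run against constructed payloads.
PHF = Content(b"cgi-bin/phf", offset=4, depth=20)             # offset/depth example
PHF_TOO_SHALLOW = Content(b"cgi-bin/phf", offset=4, depth=5)  # depth < len(content)
ABC_DEF_DISTANCE = [Content(b"ABC"), Content(b"DEF", distance=1)]
ABC_DEF_WITHIN = [Content(b"ABC"), Content(b"DEF", within=10)]
PASS_PAYLOAD = b"pass secret\r\n"                              # constructed FTP line


def demo() -> dict:
    pass_cursor = match_content(PASS_PAYLOAD, Content(b"PASS", nocase=True), None)
    return {
        "phf": match_rule(b"GET /cgi-bin/phf?Qalias=x", [PHF]),                 # True
        "phf_depth5": match_rule(b"GET /cgi-bin/phf?Qalias=x", [PHF_TOO_SHALLOW]),  # False
        "distance_gap": match_rule(b"ABCxDEF", ABC_DEF_DISTANCE),               # True
        "distance_adjacent": match_rule(b"ABCDEF", ABC_DEF_DISTANCE),           # False
        "within_ok": match_rule(b"ABC123456DEF", ABC_DEF_WITHIN),               # True
        "within_far": match_rule(b"ABC12345678DEF", ABC_DEF_WITHIN),            # False
        "pass_isdataat50": isdataat(PASS_PAYLOAD, 50, pass_cursor, relative=True),  # False
        "pass_isdataat5": isdataat(PASS_PAYLOAD, 5, pass_cursor, relative=True),    # True
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The cursor threading is the point: distance and within only make sense after a previous content match, which is why the engine reports them as usable with the content keyword only.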

uricontent
Value: uricontent:"<content string>";
Example: uricontent:"%3F";
Usage: Search the normalized request URI field. Binary data can be used as the URI value.

isdataat
Value: <value>[,relative];
Example: content:"PASS"; isdataat:50,relative;
Usage: Verify that the payload has data at the specified offset. With relative, the offset is counted from the end of the previous content match.

pcre
Value: pcre:[!]"(/<regex>/|m/<regex>/)[ismxAEGRUB]";
Example: pcre:"/BLAH/i";
Usage: The pcre keyword allows you to write rules using Perl compatible regular expressions. A leading ! inverts the match. Modifiers:

i: Case insensitive.

s: The dot metacharacter also matches newlines.

m: By default the subject is treated as one line of characters (^ and $ match only at the start and end of the buffer). With m set, ^ and $ also match immediately after and before any newline in the buffer.

x: Whitespace characters in the pattern are ignored except when escaped or inside a character class.

A: The pattern must match only at the start of the buffer (same as ^).

E: $ matches only at the very end of the subject string. Without E, $ also matches immediately before a final trailing newline (but not before any other newline).

G: Inverts the "greediness" of the quantifiers so that they are not greedy by default, but become greedy if followed by ?.

R: Match relative to the end of the last pattern match (similar to distance:0;).

U: Match against the decoded URI buffer (similar to the uricontent keyword).

B: Do not use the decoded buffers (similar to the rawbytes keyword).

byte_test
Value: <bytes to convert>,[!]<operator>,<value>,<offset>[,relative][,<endian>][,<number type>,string]; (oct, dec, and hex are used with string only)
Example: msg:"AMD procedure 7 plog overflow"; content:"|00 04 93 F3|"; content:"|00 00 00 07|"; distance:4; within:4; byte_test:4,>,1000,20,relative;
Usage: Test a byte field against a specific value using the given operator. It can test binary values directly, or convert a string representation of a number found in the packet to its binary equivalent and test that.

bytes_to_convert: The number of bytes to pick up from the packet.

operator: The comparison to perform (<, >, =, &). Prefix the operator with ! to negate the test.

value: The value to test the converted value against.

offset: The number of bytes into the payload at which to start processing.

relative: Use an offset relative to the end of the last pattern match.

big: Process the data as big endian (default).

little: Process the data as little endian.

string: The data is stored in string format in the packet.

hex: The converted string data is represented in hexadecimal.

dec: The converted string data is represented in decimal.

oct: The converted string data is represented in octal.

byte_jump
Value: <bytes_to_convert>,<offset>[,relative][,multiplier <multiplier value>][,big][,little][,string][,hex][,dec][,oct][,align][,from_beginning]; (oct, dec, and hex are used with string only)
Example: content:"|00 00 00 01|"; distance:4; within:4; byte_jump:4,12,relative,align;
Usage: Pick up the specified number of bytes from the packet, convert them to a number, and skip forward that number of bytes. Later relative keywords in the rule then start from the new position, which is how a rule steps over a variable-length field.

bytes_to_convert: The number of bytes to pick up from the packet.

offset: The number of bytes into the payload at which to start processing.

relative: Use an offset relative to the end of the last pattern match.

multiplier <multiplier value>: Multiply the converted number by the multiplier value and skip forward that number of bytes.

big: Process the data as big endian (default).

little: Process the data as little endian.

string: The data is stored in string format in the packet.

hex: The converted string data is represented in hexadecimal.

dec: The converted string data is represented in decimal.

oct: The converted string data is represented in octal.

align: Round the number of converted bytes up to the next 32-bit boundary.

from_beginning: Skip forward from the beginning of the packet payload instead of from the current position in the packet.
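Worked example, added here and not code from the original page or from any IPS product: a Python evaluation of byte_test and byte_jump with the modifiers listed above, run over constructed payloads that mirror the two examples in the table. Function names (convert, byte_test, byte_jump, amd_rule, jump_demo) and the payload contents are assumptions for the illustration. One modelling assumption is labelled in the code: without from_beginning, the jump is counted from the end of the bytes just converted, which is the Snort semantics this syntax derives from.

```python
# Added illustration of byte_test / byte_jump. Not the IPS engine's code;
# payloads are constructed. cursor = end of the previous content match.
import operator
from typing import Optional

_OPS = {"<": operator.lt, ">": operator.gt, "=": operator.eq,
        "&": lambda a, b: (a & b) != 0}
_BASES = {"hex": 16, "dec": 10, "oct": 8}


def convert(payload: bytes, nbytes: int, pos: int, endian: str = "big",
            string: Optional[str] = None) -> Optional[int]:
    """Read nbytes at pos as a binary integer (big endian by default) or,
    when string is 'hex'/'dec'/'oct', as ASCII digits in that base."""
    chunk = payload[pos:pos + nbytes]
    if pos < 0 or len(chunk) < nbytes:
        return None                      # not enough data: the test fails
    if string:
        try:
            return int(chunk.decode("ascii"), _BASES[string])
        except (UnicodeDecodeError, ValueError):
            return None
    return int.from_bytes(chunk, endian)


def byte_test(payload: bytes, nbytes: int, op: str, value: int, offset: int,
              relative: bool = False, cursor: Optional[int] = None,
              endian: str = "big", string: Optional[str] = None,
              negate: bool = False) -> bool:
    base = cursor if (relative and cursor is not None) else 0
    n = convert(payload, nbytes, base + offset, endian, string)
    if n is None:
        return False
    result = _OPS[op](n, value)
    return (not result) if negate else result    # negate models the ! prefix


def byte_jump(payload: bytes, nbytes: int, offset: int, relative: bool = False,
              cursor: Optional[int] = None, multiplier: int = 1,
              endian: str = "big", string: Optional[str] = None,
              align: bool = False, from_beginning: bool = False) -> Optional[int]:
    """Return the new cursor after the jump, or None if it leaves the payload."""
    base = cursor if (relative and cursor is not None) else 0
    pos = base + offset
    n = convert(payload, nbytes, pos, endian, string)
    if n is None:
        return None
    n *= multiplier
    if align:
        n = (n + 3) & ~3                 # round up to the next 32-bit boundary
    # Assumption: without from_beginning the skip starts right after the
    # converted bytes (Snort semantics); with it, from the payload start.
    new = n if from_beginning else pos + nbytes + n
    return new if 0 <= new <= len(payload) else None


# Constructed RPC call body for the byte_test example in the table.
AMD_CALL = (b"\x00\x04\x93\xF3"          # program number from the example
            + b"\x00\x00\x00\x02"        # version
            + b"\x00\x00\x00\x07"        # procedure 7
            + b"\x00" * 20               # skipped by the relative offset of 20
            + (1024).to_bytes(4, "big")) # length field: 1024 > 1000


def amd_rule(payload: bytes) -> bool:
    """content:"|00 04 93 F3|"; content:"|00 00 00 07|"; distance:4; within:4;
    byte_test:4,>,1000,20,relative;"""
    prog = payload.find(b"\x00\x04\x93\xF3")
    if prog < 0:
        return False
    cursor = prog + 4
    # distance:4; within:4 -> procedure must sit exactly in [cursor+4, cursor+8)
    proc = payload.find(b"\x00\x00\x00\x07", cursor + 4, cursor + 8)
    if proc < 0:
        return False
    return byte_test(payload, 4, ">", 1000, 20, relative=True, cursor=proc + 4)


# Constructed header line for the string/dec form.
HTTP_HDR = b"Content-Length: 2048\r\n"

# Constructed payload for the byte_jump example: a 4-byte length (10) 12 bytes
# after the match, followed by 10 data bytes padded to 12, then "NEXT".
JUMP_PAYLOAD = (bytes(4) + b"\x00\x00\x00\x01" + bytes(12)
                + (10).to_bytes(4, "big") + b"A" * 10 + b"\x00\x00" + b"NEXT")


def jump_demo(payload: bytes) -> Optional[int]:
    """content:"|00 00 00 01|"; byte_jump:4,12,relative,align;"""
    cursor = payload.find(b"\x00\x00\x00\x01") + 4
    return byte_jump(payload, 4, 12, relative=True, cursor=cursor, align=True)


if __name__ == "__main__":
    print("amd overflow:", amd_rule(AMD_CALL))
    print("content-length > 1000:", byte_test(HTTP_HDR, 4, ">", 1000, 16, string="dec"))
    print("jump lands at:", jump_demo(JUMP_PAYLOAD))
```

The string form matters for text protocols: the same four bytes "2048" read as a raw big-endian integer are not 2048, so a byte_test without string,dec on an HTTP header compares the wrong number.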

ttl
Value: <number>; | ><number>; | <<number>;
Usage: Check the IP time-to-live value against the specified value (equal to, greater than, or less than).

tos
Value: <number>;
Usage: Check the IP TOS field for the specified value.

id
Value: <number>;
Usage: Check the IP ID field for the specified value.

ipopts
Value: {rr | eol | nop | ts | sec | lsrr | ssrr | satid | any}
Usage: Check whether an IP option is present:

rr: Check if the IP RR (record route) option is present.

eol: Check if the IP EOL (end of list) option is present.

nop: Check if the IP NOP (no op) option is present.

ts: Check if the IP TS (time stamp) option is present.

sec: Check if the IP SEC (IP security) option is present.

lsrr: Check if the IP LSRR (loose source routing) option is present.

ssrr: Check if the IP SSRR (strict source routing) option is present.

satid: Check if the IP SATID (stream identifier) option is present.

any: Check if any IP option is present.

fragoffset
Value: <number>;
Usage: Compare the IP fragment offset field against the specified decimal value.

fragbits
Value: [+*!]<[MDR]>;
Usage: Check whether the IP fragmentation and reserved bits are set in the IP header.

M: The More Fragments bit.

D: The "Don't Fragment" bit.

R: The Reserved bit.

+: Match on the specified bits, plus any others.

*: Match if any of the specified bits are set.

!: Match if the specified bits are not set.

dsize
Value: [<|>]<number>[<><number>];
Example: dsize:300<>400;
Usage: Test the packet payload size. When dsize is specified, packet reassembly is turned off automatically, so a signature that sets both dsize and flow:only_stream is wrong: dsize always fails on stream-reassembled packets, regardless of the payload size.

flags
Value: [!|*|+]<FSRPAU120>[,<FSRPAU120>];
Example: flags:SF,12;
Usage: Specify the TCP flags to match in a packet. The optional second field lists flags to ignore during the comparison; the example matches SYN and FIN while ignoring reserved bits 1 and 2.

S: Match the SYN flag.

A: Match the ACK flag.

F: Match the FIN flag.

R: Match the RST flag.

U: Match the URG flag.

P: Match the PSH flag.

1: Match reserved bit 1.

2: Match reserved bit 2.

0: Match no TCP flags set.

+: Match on the specified bits, plus any others.

*: Match if any of the specified bits are set.

!: Match if the specified bits are not set.
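Worked example, added here and not part of the original page or any IPS product's code: the modifier semantics (exact match, +, *, !) and the ignore mask are the same for fragbits and flags, so one Python function serves both entries. The bit positions follow the TCP flags byte (FIN=0x01 up to URG=0x20) and the high byte of the IP flags/fragment-offset field (MF=0x20, DF=0x40, reserved=0x80); treating reserved bits 1 and 2 as the two high bits of the TCP flags byte is an assumption taken from Snort's numbering. The function names (match_bits, match_flags, match_fragbits) and bit tables are constructed for this illustration.

```python
# Added illustration of the [!|*|+] modifiers and the ignore mask used by the
# flags and fragbits keywords. Not the IPS engine's code.
from typing import Dict

# Assumption: reserved bit 1 = 0x80 and reserved bit 2 = 0x40 (Snort numbering).
TCP_FLAG_BITS: Dict[str, int] = {
    "F": 0x01, "S": 0x02, "R": 0x04, "P": 0x08,
    "A": 0x10, "U": 0x20, "2": 0x40, "1": 0x80,
    "0": 0x00,                       # "no flags set"
}
# High byte of the IP flags/fragment-offset field.
IP_FRAG_BITS: Dict[str, int] = {"M": 0x20, "D": 0x40, "R": 0x80}


def _bits(spec: str, table: Dict[str, int]) -> int:
    value = 0
    for ch in spec:
        if ch not in table:
            raise ValueError(f"unknown flag letter {ch!r}")
        value |= table[ch]
    return value


def match_bits(spec: str, value: int, table: Dict[str, int]) -> bool:
    """spec is the keyword value as written in the rule, e.g. 'SF,12',
    '+A', '*SF' or '!R'; value is the flags byte from the packet."""
    want_spec, _, ignore_spec = spec.rstrip(";").partition(",")
    modifier = ""
    if want_spec and want_spec[0] in "!*+":
        modifier, want_spec = want_spec[0], want_spec[1:]
    want = _bits(want_spec, table)
    ignore = _bits(ignore_spec, table) if ignore_spec else 0
    value &= ~ignore & 0xFF              # drop the bits the rule ignores
    if modifier == "+":
        return value & want == want      # specified bits, plus any others
    if modifier == "*":
        return value & want != 0         # any of the specified bits
    if modifier == "!":
        return value & want == 0         # none of the specified bits
    return value == want                 # exactly the specified bits


def match_flags(spec: str, tcp_flags: int) -> bool:
    return match_bits(spec, tcp_flags, TCP_FLAG_BITS)


def match_fragbits(spec: str, ip_flags: int) -> bool:
    return match_bits(spec, ip_flags, IP_FRAG_BITS)


if __name__ == "__main__":
    syn_fin = TCP_FLAG_BITS["S"] | TCP_FLAG_BITS["F"]
    print("flags:SF,12 on SYN+FIN:", match_flags("SF,12", syn_fin))
    print("flags:SF,12 on SYN+FIN+ECE-style reserved bit:", match_flags("SF,12", syn_fin | 0x40))
    print("flags:SF,12 on SYN+FIN+ACK:", match_flags("SF,12", syn_fin | 0x10))
```

The exact-match default is the usual surprise: flags:SF matches a SYN+FIN packet but not SYN+FIN+ACK, while flags:+SF matches both. The mask in flags:SF,12 exists so that ECN-marked packets, which set the reserved bits, still match.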

flow
Value: [to_client|to_server|from_client|from_server]; established; bi_direction; [no_stream|only_stream];
Usage: TCP only. to_server is equivalent to from_client, and to_client is equivalent to from_server. bi_direction makes the signature match traffic in both directions.

For example, a signature with "--dst_port 80" and bi_direction set checks traffic both to and from port 80.

seq
Value: <number>;
Usage: Check for the specified TCP sequence number.

ack
Value: <number>;
Usage: Check for the specified TCP acknowledgement number.

window
Value: <number>;
Usage: Check for the specified TCP window size.

itype
Value: [<|>]<number>[<><number>];
Usage: Specify the ICMP type to match.

icode
Value: [<|>]<number>[<><number>];
Usage: Specify the ICMP code to match.

icmp_id
Value: <number>;
Usage: Check for the specified ICMP ID value.

icmp_seq
Value: <number>;
Usage: Check for the specified ICMP sequence value.

rpc
Value: <application number>,[<version number>|*],[<procedure number>|*];
Usage: Check the RPC application (program), version, and procedure numbers in SUNRPC CALL requests. Use the * wildcard to accept any version or procedure number.

ip_proto
Value: <number>; | [!]<number>; | ><number>; | <<number>;
Usage: Check the protocol number in the IP header (equal to, not equal to, greater than, or less than the specified value).

samip
Value: NULL
Usage: Match when the source and destination IP addresses are the same.