IDS mailing list archives
RE: Cisco IDS Signature details
From: "Alex Arndt" <aarndt () rogers com>
Date: Tue, 26 Jul 2005 09:04:38 -0400
Response in-line below...
-----Original Message----- From: Jean-Pierre Denis [mailto:webglobe () gmail com] Sent: July 24, 2005 9:33 PM To: Focus-IDS Subject: Cisco IDS Signature details Hi everyone, does someone know where I can find a full text listing of all the signature used on CISCO IDS? What i am looking for is the regular expression of the string pattern that a signature is trying to find in the packet In order to validate the signature effectiveness.
I've been using Cisco IDS products for over six years. In that entire time, it has been anywhere from near-impossible (original software) to fairly simple (current versions) to get the specific details on how a signature works.
I can find this information in the IDS DM under Configuration > Sensing Engine > Virtual Sensor Configuration > Signature Configuration Mode. by putting my mouse over the arrow in the " more " section. For example, If I look at signature ID 5366 Shell ... I will see the HeaderRegex Value in the yellow box but the problem with this is that you cannot copy the content of the yellow box that is appearing in another document.
You must be using a read-only account to view this. If you have an account with administrator privileges, you can check the box next to a signature and select "Edit" from the bottom menu to look at the same fields displayed in the mouse-over. By doing this, you now have access to any signature elements that can be modified. More to the point, you can actually copy/paste the regex into something else (like notepad) from this part of IDM.
It would have been nice if this information was included in NSDB. NSDB give you a detailed information about the purpose of the signature without telling you what it's really doing. I am wondering why cisco did this ...
There is an online version of the NSDB at the Cisco site, available via the "IPS Alert Center" (http://www.cisco.com/go/ipsalert/), but it too lacks the info you're looking for. As for why this is, IMHO, it is just simple protection of their signature base. IIRC, Cisco has some signatures that have been developed in collaboration with other software vendors. As a result, the signature details, while available to a licensed Cisco customer, are protected from general public consumption because of NDA requirements. Other signatures that may be unique to Cisco and developed in-house would be guarded in a similar fashion due to their competitive value.
I've look on the cisco site but there is so many documents to look ... I would be great If someone could point me in the good direction. --
Unfortunately, other than the "edit" option I pointed out earlier, there's not much you can do. I don't think you can expect to see Cisco become for forth-coming with their signature details in a public forum. You need to be a paying customer if you want to know what's going on "under the hood"...
Thanks, Jean-Pierre Denis
I hope this helps, Alex Arndt CISSP, GCIA, GCIH "Within all order is the potential for chaos..." ------------------------------------------------------------------------ Test Your IDS Is your IDS deployed correctly? Find out quickly and easily by testing it with real-world attacks from CORE IMPACT. Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 to learn more. ------------------------------------------------------------------------
Current thread:
- Cisco IDS Signature details Jean-Pierre Denis (Jul 25)
- RE: Cisco IDS Signature details Alex Arndt (Jul 26)
- <Possible follow-ups>
- RE: Cisco IDS Signature details Pachulski, Keith (Jul 26)