IDS mailing list archives

RE: Cisco IDS Signature details


From: "Alex Arndt" <aarndt () rogers com>
Date: Tue, 26 Jul 2005 09:04:38 -0400

Response in-line below...

-----Original Message-----
From: Jean-Pierre Denis [mailto:webglobe () gmail com]
Sent: July 24, 2005 9:33 PM
To: Focus-IDS
Subject: Cisco IDS Signature details


Hi everyone,

Does someone know where I can find a full-text listing of all the
signatures used on Cisco IDS? What I am looking for is the regular
expression of the string pattern that a signature is trying to find in
the packet, in order to validate the signature's effectiveness.

I've been using Cisco IDS products for over six years. In that
entire time, it has been anywhere from near-impossible (original
software) to fairly simple (current versions) to get the specific
details on how a signature works.

I can find this information in the IDS DM under
  Configuration > Sensing Engine > Virtual Sensor Configuration >
Signature Configuration Mode, by hovering the mouse over the arrow in
the "more" section.

For example, if I look at signature ID 5366 Shell ... I will see the
HeaderRegex value in the yellow box, but the problem with this is that
you cannot copy the content of that yellow box into another document.

You must be using a read-only account to view this. If you have an
account with administrator privileges, you can check the box next
to a signature and select "Edit" from the bottom menu to look at
the same fields displayed in the mouse-over. By doing this, you now
have access to any signature elements that can be modified. More to
the point, you can actually copy/paste the regex into something else
(like notepad) from this part of IDM.

It would have been nice if this information was included in the NSDB.
The NSDB gives you detailed information about the purpose of the
signature without telling you what it's really doing. I am wondering
why Cisco did this ...

There is an online version of the NSDB at the Cisco site, available
via the "IPS Alert Center" (http://www.cisco.com/go/ipsalert/), but
it too lacks the info you're looking for. As for why this is, IMHO,
it is just simple protection of their signature base. IIRC, Cisco
has some signatures that have been developed in collaboration with
other software vendors. As a result, the signature details, while
available to a licensed Cisco customer, are protected from general
public consumption because of NDA requirements. Other signatures
that may be unique to Cisco and developed in-house would be guarded
in a similar fashion due to their competitive value.

I've looked on the Cisco site, but there are so many documents to look
through ...

It would be great if someone could point me in the right direction.

-- 

Unfortunately, other than the "Edit" option I pointed out earlier,
there's not much you can do. I don't think you can expect to see
Cisco become more forthcoming with their signature details in a
public forum. You need to be a paying customer if you want to know
what's going on "under the hood"...

Thanks,
Jean-Pierre Denis

I hope this helps,
Alex Arndt
CISSP, GCIA, GCIH

"Within all order is the potential for chaos..." 
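Added example (not from either poster, and not Cisco's code): once a HeaderRegex has been copied out of IDM via the "Edit" view, the sensible next step for "validating the signature effectiveness" is to run it against a handful of captured or hand-built requests and count where it fires and where it misses. The script below does that with Python's `re`. Everything in it is constructed for illustration: the pattern is a made-up stand-in for the real 5366 regex (which this thread never quotes), the sample requests are fabricated, and the percent-decoding step is a hypothetical normalization, not a claim about what the Cisco engine does. One caveat a practitioner should keep in mind: Cisco's signature regex dialect is not PCRE, so a pattern pasted out of IDM may need translating before Python accepts it.

```python
"""Measure a candidate IDS HeaderRegex against constructed HTTP requests.

Assumptions (labelled): HYPOTHETICAL_HEADER_REGEX is invented for this
example and is NOT Cisco's signature 5366 pattern; the sample requests
are fabricated; normalize() is a hypothetical pre-match decoding step.
"""
import re
from urllib.parse import unquote_to_bytes

# Hypothetical HeaderRegex: a shell interpreter path anywhere in the GET
# request line. Constructed stand-in, not the vendor's pattern.
HYPOTHETICAL_HEADER_REGEX = rb"(^|[\r\n])GET [^\r\n]*/bin/(ba|c|k|z)?sh\b"

# Constructed samples: (label, raw request bytes, should the signature fire?)
SAMPLES = [
    ("plain /bin/sh in query",
     b"GET /cgi-bin/t.cgi?cmd=/bin/sh HTTP/1.0\r\nHost: a\r\n\r\n", True),
    ("benign request",
     b"GET /index.html HTTP/1.0\r\nHost: a\r\n\r\n", False),
    ("shell string only in the body (a header regex must ignore it)",
     b"POST /up HTTP/1.0\r\nHost: a\r\nContent-Length: 7\r\n\r\n/bin/sh", False),
    ("percent-encoded path (evades a literal match)",
     b"GET /cgi-bin/t.cgi?cmd=%2Fbin%2Fsh HTTP/1.0\r\nHost: a\r\n\r\n", True),
]


def header_block(packet: bytes) -> bytes:
    """Return only the request line plus headers: the bytes a HeaderRegex
    is supposed to see, with the body cut off at the blank line."""
    head, _sep, _body = packet.partition(b"\r\n\r\n")
    return head


def normalize(header: bytes) -> bytes:
    """Undo one layer of percent-encoding in the request line before
    matching. Hypothetical step, used here to show its effect on recall."""
    line, sep, rest = header.partition(b"\r\n")
    return unquote_to_bytes(line) + sep + rest


def evaluate(pattern: bytes, samples, normalize_first: bool = False) -> dict:
    """Apply the regex to every sample's header block and tally
    TP/FP/FN/TN. 'misses' lists samples whose outcome contradicts the
    expectation, i.e. false positives and false negatives."""
    rx = re.compile(pattern)
    result = {"tp": 0, "fp": 0, "fn": 0, "tn": 0, "misses": []}
    for label, pkt, expected in samples:
        hdr = header_block(pkt)
        if normalize_first:
            hdr = normalize(hdr)
        fired = rx.search(hdr) is not None
        if fired and expected:
            result["tp"] += 1
        elif fired and not expected:
            result["fp"] += 1
            result["misses"].append(label)
        elif not fired and expected:
            result["fn"] += 1
            result["misses"].append(label)
        else:
            result["tn"] += 1
    return result


if __name__ == "__main__":
    raw = evaluate(HYPOTHETICAL_HEADER_REGEX, SAMPLES)
    decoded = evaluate(HYPOTHETICAL_HEADER_REGEX, SAMPLES, normalize_first=True)
    print("raw match     :", raw)
    print("after decoding:", decoded)
```

Run as-is, the raw pass catches the plain request and correctly stays quiet on the body-only sample, but misses the percent-encoded variant; matching after decoding removes that false negative. Swapping in a regex actually pulled from IDM (and a pcap of your own traffic in place of SAMPLES) turns this into a quick regression check for a signature you intend to tune.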


