Custom Signature
In Custom Signature, you can choose whether to use each signature registered by the admin for signature-based detection or blocking of network infiltration and web-related threats.
Note
In Custom Signature, you can add a signature that the admin has already registered through Policy > IPS Overview to a policy, or modify or delete that signature. To add a new custom signature, see IPS Overview.
You can do the following in Custom Signature.
- Adding, editing, and deleting custom signatures
- Searching custom signatures
Follow the steps below to add a custom signature to use in IPS policy.
Note
Click Default at the bottom of the screen to apply the default values.
- Click Policy.
- Select the Security Program Policy tab.
- Click Add > HIPS/Firewall > IPS Policy.
- Click Custom Signature and click Assign. If signatures already exist in the list, you can download the custom signature list as a .csv file by clicking the download button.
- Check the custom signature list in <Add a Custom Signature> and configure usage. To show only specific signatures in the list, choose enabled or disabled signatures, enter an SID or signature name, and click Search.
- Enable: Select a signature to use and click this to add it to the IPS policy.
- Disable: Select a signature and click this to remove it from the IPS policy.
- Column Settings: Set the columns to display in the custom signature list. Click Column Settings to select the columns shown on the screen.
- Status: Whether the signature is enabled and added to the IPS policy. Enabled is displayed if the signature is in use, and Disabled if it is not.
- SID: The unique value (ID) of the signature.
- Signature Name: The name of the signature.
- Application Type: The type of application targeted by the network infiltration.
- Protected Area: The area that is protected when signature-based detection/blocking is performed for a network infiltration.
- Severity: The threat severity level of the network infiltration found by signature-based detection. The levels are Very High, High, Moderate, Low, and Very Low. Moderate is the default.
- Response Method: The response made upon detecting network infiltration via signature-based detection. Shown as Detect or Block.
- Detect: Only detect packets and traffic deemed to be network infiltration.
- Block: Detect and block packets and traffic deemed to be network infiltration.
- Block Option: Detailed signature-based block options against inbound attacks derived from network infiltration. Takes effect when the response to an inbound attack is Block. If the attack meets the selected option, it is detected. The options are Source Block, Source/Destination Block, Source/Destination/Service Block, Source/Service Block, and None.
- Source Block: Block only the source IP address of the inbound attack.
- Source/Destination Block: Block the source IP address and destination IP address of the inbound attack.
- Source/Destination/Service Block: Block the source IP address, destination IP address, and service of the inbound attack.
- Source/Service Block: Block the source IP address and service of the inbound attack.
- None: Do not set any additional block option against inbound attacks.
- Save Packets: Whether to save the packet content when a signature-based response is performed against a network infiltration. Enabled is displayed if the feature is in use.
- Changed on: The date the signature information was last changed.
- Set the signature to add to Enabled and click Save.
- Check the added signatures on the Custom Signature screen. To group the signatures by application type, response method, or severity, click Show all and select Show by application type, Show by response method, or Show by severity.
- Click Save.
Note
Even if you modify a signature assigned to a policy from Custom Signature through Policy > IPS Overview, the changes are not applied to the policy automatically. To apply changes made to a signature, refer to Add custom signature to use in policy and reassign the signature to the policy. The changes to the signature can be checked by clicking See signature details.
Note
Click Import at the top right of the screen to import and apply a policy.
Edit Custom Signature
Follow the steps below to edit a custom signature.
Note
Custom signatures cannot be added from a policy screen. To add a custom signature, go to Policy > IPS Overview and check Add a Custom Signature.
- Click Policy.
- Select the Security Program Policy tab.
- Click Add > HIPS/Firewall > IPS Policy.
- Click Custom Signature, select the signature to modify, and click Modify.
- <Edit custom signature> appears. Modify the items as required.
- Signature Name: Enter the name of the signature.
- Application Type: Enter the type of application targeted by the network infiltration.
- Protected Area: Enter the area that is protected when signature-based detection/blocking is performed for a network infiltration.
- Packet direction: Select the direction of the detected packet among IN, OUT, and ALL when network infiltration is found by signature-based detection.
- Protocol: Select the protocol to detect among TCP, UDP, ICMP, and IP when network infiltration is found by signature-based detection.
- Source IP: Enter the source IP to detect when network infiltration is found by signature-based detection. Select Direct input or Any.
- Direct input: Target the IP addresses entered by the admin. Enter a single IP address in IPv4, IPv6, or CIDR format. If entering 2 or more IP addresses, separate them with ','.
- Any: Target all IP addresses.
- Source Port No.: Enter a source port number between 1 and 65535 to detect when network infiltration is found by signature-based detection. Select Direct input or Any.
- Direct input: Target the port numbers entered by the admin. Enter a single number or a range; if entering 2 or more port numbers, separate them with ','.
- Any: Target all port numbers.
- Destination IP: Enter the destination IP to detect when network infiltration is found by signature-based detection. Select Direct input or Any.
- Direct input: Target the IP addresses entered by the admin. Enter a single IP address in IPv4, IPv6, or CIDR format. If entering 2 or more IP addresses, separate them with ','.
- Any: Target all IP addresses.
- Destination Port number: Enter a destination port number between 1 and 65535 to detect when network infiltration is found by signature-based detection. Select Direct input or Any.
- Direct input: Target the port numbers entered by the admin. Enter a single number or a range; if entering 2 or more port numbers, separate them with ','.
- Any: Target all port numbers.
- Network Direction: The direction in which the packets or traffic are transmitted when network infiltration is detected via signature-based detection. Select among External -> Internal, Internal -> External, and Internal -> Internal.
- Pattern Type: Detect packets that match the selected pattern type when network infiltration is detected via signature-based detection. Select Basic Settings or Advanced Settings.
- Basic Settings: Manually enter the detection details in Snort syntax, in the format option:"detection description"; The following Snort-compatible options are supported: General Rule Options, Payload Detection Rule Options, Non-payload Detection Rule Options, and Post-Detection Rule Options.
- General Rule Options: msg, reference, sid, rev, classtype, priority, metadata
- Payload Detection Rule Options: content, uricontent, pcre, nocase, rawbytes, depth, offset, distance, within, isdataat, byte_test, byte_jump, fast_pattern, byte_extract, byte_math, http_client_body, http_raw_client_body, http_host, http_raw_host, http_cookie, http_raw_cookie, http_header, http_raw_header, http_method, http_uri, http_raw_uri, http_stat_code, http_stat_msg, urilen (e.g. content:"User mode"; nocase;)
- Non-payload Detection Rule Options: fragoffset, ttl, tos, id, ipopts, fragbits, dsize, flags, seq, ack, window, itype, icode, icmp_id, icmp_seq, ip_proto, sameip, flow, flowbits, stream_size
- Post-Detection Rule Options: threshold, detection_filter
- Advanced Settings: Provides Favorite Snort Options and lets you manually enter and adjust the Snort detection options.
- Detection Type: When Advanced Settings is selected, select Content or PCRE.
- Content: Find specific content in the packet's payload. The search is case sensitive, and if you add ! at the beginning of the rule, packets that do not contain the content are matched. Special characters (: ; \ ") must be escaped. You can provide the detailed options used together with content (offset, depth, nocase) to configure the detection details.
- PCRE: Perl Compatible Regular Expressions, which let you configure options in more detail than the basic options.
- Detected Pattern: Enter the new pattern criteria to detect in a packet according to the selected detection type.
- Offset: An option to enter if you selected Content in Advanced Settings. Enter a number that decides the starting point of the pattern search in the packet. For example, if you set Offset to 5, it means 'start searching for the set pattern after the first 5 bytes of the payload.'
- Depth: Enter the range of the pattern to match in the packet as a number between 1 and 65535. For example, if you set Depth to 5, it means 'search for the set pattern within the first 5 bytes of the payload.' The entered detection details must be greater than the depth.
- No Case: Select this to use a rule that ignores upper/lowercase and only finds a specific pattern (e.g. content:"USER root"; nocase;).
- Run Validation Check: Checks whether there is an error in the syntax of the entered detection pattern.
- Attack Duration: Enter a duration in seconds between 1 and 86400 that will be recognized as an attack when network infiltration is found by signature-based detection.
- No. of Attacks: Enter a number between 1 and 99999 that will be recognized as an attack when network infiltration is found by signature-based detection.
- Severity: The threat severity level of the network infiltration subject to signature-based detection/blocking. Select among Very High, High, Moderate, Low, and Very Low.
- Response Method: The signature-based response against network infiltration. Select Detect or Block.
- Detect: Detect network infiltration.
- Block: Block network threats.
- Block Option: Select the detailed signature-based block option against inbound attacks derived from network infiltration. Takes effect when the response to an inbound attack is Block. Select among Source Block, Source/Destination Block, Source/Destination/Service Block, Source/Service Block, and None.
- Source Block: Block only the source of the inbound attack.
- Source/Destination Block: Block the source and destination of the inbound attack.
- Source/Destination/Service Block: Block the source, destination, and service of the inbound attack.
- Source/Service Block: Block the source and service of the inbound attack.
- None: Do not set any additional block option against inbound attacks.
- Block Duration: Enter a number of seconds between 1 and 86400 for the duration of the block against a network infiltration found via signature-based detection.
- Save Packets: Select whether to save the packet content when a signature-based response is performed against a network infiltration.
- Description: Enter a description of the custom signature.
- Click OK.
- Click Save.
Delete custom signature
Follow the steps below to remove a custom signature from the list.
Note
You can check custom signatures that have been removed from the list by clicking Assign and checking the <Add a Custom Signature> screen that appears, or in Policy > IPS Overview.
- Click Policy.
- Select the Security Program Policy tab.
- Click Add > HIPS/Firewall Policy > IPS Policy.
- Click Custom Signature, select a signature to remove, and click Delete at the top of the list or Delete at the top of the column.
- When the deletion confirmation message appears, click Yes.
- Click Save.
Search custom signature to use in policy
You can enter an SID or signature name to search for a custom signature to use in a policy. Follow the steps below to search for a custom signature.
- Click Policy.
- Select the Security Program Policy tab.
- Click Add > HIPS/Firewall > IPS Policy.
- Click Custom Signature and enter an SID or Signature Name as the search keyword.
- Click Search.
- Check the search results.