
| Subject: | RE: Cisco IDS Signature details |
|---|---|
| Date: | Tue, 26 Jul 2005 09:04:38 -0400 |
Response in-line below...
-----Original Message-----
From: Jean-Pierre Denis [mailto:webglobe@gmail.com]
Sent: July 24, 2005 9:33 PM
To: Focus-IDS
Subject: Cisco IDS Signature details

Hi everyone, does someone know where I can find a full-text listing of all the signatures used on Cisco IDS? What I am looking for is the regular expression of the string pattern that a signature is trying to find in the packet, in order to validate the signature's effectiveness.
I've been using Cisco IDS products for over six years. In that entire time, it has been anywhere from near-impossible (original software) to fairly simple (current versions) to get the specific details on how a signature works.
I can find this information in the IDS DM under Configuration > Sensing Engine > Virtual Sensor Configuration > Signature Configuration Mode, by putting my mouse over the arrow in the "more" section. For example, if I look at signature ID 5366 Shell..., I will see the HeaderRegex value in the yellow box, but the problem with this is that you cannot copy the content of the yellow box that appears into another document.
You must be using a read-only account to view this. If you have an account with administrator privileges, you can check the box next to a signature and select "Edit" from the bottom menu to look at the same fields displayed in the mouse-over. By doing this, you now have access to any signature elements that can be modified. More to the point, you can actually copy/paste the regex into something else (like notepad) from this part of IDM.
It would have been nice if this information were included in the NSDB. The NSDB gives you detailed information about the purpose of the signature without telling you what it's really doing. I am wondering why Cisco did this...
There is an online version of the NSDB at the Cisco site, available via the "IPS Alert Center" (http://www.cisco.com/go/ipsalert/), but it too lacks the info you're looking for. As for why this is, IMHO, it is just simple protection of their signature base. IIRC, Cisco has some signatures that have been developed in collaboration with other software vendors. As a result, the signature details, while available to a licensed Cisco customer, are protected from general public consumption because of NDA requirements. Other signatures that may be unique to Cisco and developed in-house would be guarded in a similar fashion due to their competitive value.
I've looked on the Cisco site, but there are so many documents to look through... It would be great if someone could point me in the right direction. --
Unfortunately, other than the "Edit" option I pointed out earlier, there's not much you can do. I don't think you can expect to see Cisco become more forthcoming with their signature details in a public forum. You need to be a paying customer if you want to know what's going on "under the hood"...
Thanks, Jean-Pierre Denis
I hope this helps,

Alex Arndt
CISSP, GCIA, GCIH
"Within all order is the potential for chaos..."
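Jean-Pierre's stated goal is to validate a signature's effectiveness once he has the regex in hand. As an added example (not from this thread, and not Cisco's code), here is a small harness that runs a signature pattern over a set of sample payloads and reports anything that does not match expectations. The HeaderRegex is a constructed placeholder in Python `re` syntax, not the real pattern of signature 5366; Cisco's sensor uses its own regex dialect, so a pattern copied out of IDM would need translating before it could be used here. The sample request lines are constructed as well.

```python
import re

# Constructed placeholder pattern in Python re syntax. This is NOT Cisco's
# actual signature 5366 HeaderRegex; a real pattern copied from IDM would have
# to be translated from Cisco's regex dialect first.
HYPOTHETICAL_HEADER_REGEX = r"(?i)^(GET|POST)\s+\S*/cgi-bin/\S*\.(sh|pl)\b"

# Constructed sample request lines. The first two are intended to trigger the
# pattern; the remaining three are intended to pass without an alert.
SAMPLE_PAYLOADS = {
    "cgi_shell_script": b"GET /cgi-bin/test.sh HTTP/1.0\r\n",
    "cgi_perl_script_post": b"POST /cgi-bin/form.pl HTTP/1.1\r\nHost: x\r\n",
    "plain_page": b"GET /index.html HTTP/1.1\r\n",
    "shell_in_query_only": b"GET /search?q=test.sh HTTP/1.1\r\n",
    "case_variant_no_cgi": b"get /scripts/run.PL HTTP/1.0\r\n",
}


def compile_signature(pattern: str) -> re.Pattern:
    """Compile the pattern as a bytes regex, since packet payloads are bytes."""
    return re.compile(pattern.encode("ascii"))


def evaluate_signature(pattern: str, payloads: dict) -> dict:
    """Return {payload_name: True/False} saying whether the pattern fired."""
    sig = compile_signature(pattern)
    return {name: sig.search(data) is not None for name, data in payloads.items()}


def check_expectations(results: dict, expected_hits: set) -> list:
    """List payload names whose outcome differs from the expectation.

    A name in expected_hits that did not fire is a false negative; a name
    outside expected_hits that did fire is a false positive. An empty list
    means the signature behaves as intended on this sample set.
    """
    return sorted(name for name, hit in results.items() if hit != (name in expected_hits))


if __name__ == "__main__":
    results = evaluate_signature(HYPOTHETICAL_HEADER_REGEX, SAMPLE_PAYLOADS)
    for name, hit in results.items():
        print(f"{name:25s} {'ALERT' if hit else 'no match'}")
    mismatches = check_expectations(
        results, {"cgi_shell_script", "cgi_perl_script_post"}
    )
    print("mismatches:", mismatches or "none")
```

Growing the payload set with near-misses (the right filename in the wrong path, mixed case, the pattern appearing only in a query string) is what exposes whether a signature is too narrow or too broad, which is the point of getting the regex out of IDM in the first place.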