https://community.sophos.com/sophos-xg-firewall/f/discussions/124096/sophos-xg-v18-custom-ips-signatures---multiple-content-valuesDear Sophos team and users, we&#39;re actually trying to add multiple content values to a custom IPS signatures rule, like it&#39;s indicated in manual, but when we are saving, a warning pops up to say that the rule isn&#39;t valid. example: content:&quot;manageren-USTelligent Community 12https://community.sophos.com/thread/452847?ContentTypeID=1Tue, 17 Nov 2020 10:43:28 GMT4be5eb7d-caa4-4ff5-8e60-8f9463545a35:f896a818-562f-4e10-b683-37da2134028fLuCar Toni<p>Sure you can, see:&nbsp;<a href="https://docs.sophos.com/nsg/sophos-firewall/18.0/Help/en-us/webhelp/onlinehelp/nsg/concepts/IPSCustomSignatures.html">https://docs.sophos.com/nsg/sophos-firewall/18.0/Help/en-us/webhelp/onlinehelp/nsg/concepts/IPSCustomSignatures.html</a></p> <p>But again, Port is not part of content.&nbsp;</p><div style="clear:both;"></div>https://community.sophos.com/thread/452835?ContentTypeID=1Tue, 17 Nov 2020 07:00:17 GMT4be5eb7d-caa4-4ff5-8e60-8f9463545a35:9114bd79-0616-4b7e-9f56-757cf41ea6cfJoelTimm<p>Hi Toni,</p> <p>I have other IPS custom signatures and they&#39;re working without any problem. I just ask if we can put more than one &quot;content&quot; parameter in the custom signature as it&#39;s written in the manual and how. the fact is: IPS custom signature with 1 &quot;content&quot; parameter -&gt; it works and it&#39;s written in my reports, when the xg&nbsp;is using my custom signature, but when the IPS custom signature with 2 or more &quot;content&quot; -&gt; invalid error.</p> <p></p> <p>Regards,</p> <p>Joel Timm</p><div style="clear:both;"></div>https://community.sophos.com/thread/452713?ContentTypeID=1Mon, 16 Nov 2020 10:57:54 GMT4be5eb7d-caa4-4ff5-8e60-8f9463545a35:fa904785-4dfb-4c04-9d58-e46b0677a804LuCar Toni<p>First question, not related to IPS in specific, but more likely to this rule, are you decrypting HTTPS? Because you try to scan contant within HTTPs, which is not possible without decryption.&nbsp;</p> <p></p> <p>Your rule is likely invalid, as the content part covers the packet content, and not the Port.&nbsp;</p> <p>For example:&nbsp;<a href="https://docs.sophos.com/nsg/sophos-firewall/18.0/Help/en-us/webhelp/onlinehelp/nsg/tasks/IPSCustomSignatureAdd.html">https://docs.sophos.com/nsg/sophos-firewall/18.0/Help/en-us/webhelp/onlinehelp/nsg/tasks/IPSCustomSignatureAdd.html</a></p> <p></p><div style="clear:both;"></div>https://community.sophos.com/thread/452712?ContentTypeID=1Mon, 16 Nov 2020 10:43:04 GMT4be5eb7d-caa4-4ff5-8e60-8f9463545a35:796452fe-e129-424c-9481-5caae76c8d38JoelTimm<p>Hi Ian,</p> <p>could you be more accurate please?<br />Is there a function for to compare the rules?</p> <p>Do you&nbsp;mean&nbsp;compare the custom IPS signatures?&nbsp;<br />I have used since the beginning just one content parameter for every signature.</p> <p>I&#39;ve tried something new because we are receiving lot of scan attempt on our IPS Software on the Machines and we are trying to block these ones directly on the Sophos XG.</p> <p></p> <p>Joel.</p><div style="clear:both;"></div>https://community.sophos.com/thread/452710?ContentTypeID=1Mon, 16 Nov 2020 10:03:38 GMT4be5eb7d-caa4-4ff5-8e60-8f9463545a35:1cd2bb65-9244-4517-80d2-8fa53d7ab877rfcat_vk<p>Hi,</p> <p>when you compare your rule to existing rules how does the format compare?<br />ian</p><div style="clear:both;"></div>