Important note about SSL VPN compatibility for 20.0 MR1 with EoL SFOS versions and UTM9 OS. Learn more in the release notes.

Thread Info
  • State Verified Answer
  • Locked Locked
  • Replies 2 replies
  • Subscribers 40 subscribers
  • Views 1583 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Custom IPS Signatures

Vault Sec

Hi everyone,

unfortunately I was not able to find a proper answer to this anywhere. I want to create custom IPS signatures specifically for known bad hosts, so I will receive a mail alert via the notification system. My current settings for one such signature would be as follows:

Name: Bad Host
Protocol: TCP
Custom rule: dstaddr:123.123.123.1;
Severity: Major
Recommended action: Allow packet

Since I to not want to add a single host but multiple ranges I was looking for a way to add a network a la dstnet. Could not find anything like that in the help files. So I tried the following:

Custom rule: dstaddr:123.123.123.1-4;
Custom rule: dstaddr:123.123.123.1-123.123.123.4;
Custom rule: dstnet:123.123.123.0/24; 
Custom rule: dstaddr:123.123.123.0/24; 
Custom rule: dstaddr:123.123.123.1;dstaddr:123.123.123.2;dstaddr:123.123.123.3;
Custom rule: dstaddr:123.123.123.1,dstaddr:123.123.123.2;

Pretty much tried every permutation I could think of, but it always says: IPS custom rule is not valid.

Ok, I though, I guess I have to add an absurd amount of custom signature objects via the API... But looking at the help files, I find the following:

"When a new custom IPS signature is added, the IPS engine is reconfigured without any interruption to service, provided there is enough RAM free for the reconfiguration to succeed. For XG firewalls with a low amount of free RAM available, the IPS engine will restart, causing a small disruption in service."

Since I would import over 2000 objects, I guess that would be pretty risky? Very difficult to assess. Apart from the fact that I would much rather prefer one object for one range.

Can anybody help here?

Cheers



This thread was automatically locked due to age.
  • +1

    Hello,

    Please don't use IPS for IP Range blocking, that's not why It has made for - you can use a single NAT Rule for this.

    Not only this, but It will be heavily inefficient; You should only use IPS Signatures in order to block traffic that needs DPI.

    if you still want to do this, the correct syntax for an entire IPv4 Subnet is: srcaddr:"10.0.80.0/24"; or dstaddr:"10.0.80.0/24"; I recommend you to use srcaddr.

    Thanks!

    If a post solves your question use the 'Verify Answer' button.

    Ryzen 5600U + I226-V (KVM) v21 GA @ Home

    Sophos ZTNA (KVM) @ Home

  • 0 in reply to Prism

    Hi Prism,

    thanks, it actually only works, when using protocol "all". I realize that the IPS has a performance impact. Creating a blackhole NAT would be quite a different solution though and not necessarily apply to every use case. Would a pseudo-IDS with "allow packet" impact performance as heavily? I assume yes, because traffic still has to be passed through the Snort module and inspected. Anyway, I created another custom signature and actually had a very short traffic disruption, probably because of the IPS module needing to reload, as stated in the help. So I will probably solve this issue differently. Thanks.

    Cheers

Unfiltered HTML