V18.5: Custom IPS Pattern cannot be added

Hi Guenter,

Thank you for reaching out to Sophos Community.

Please add custom rule as "srcport:443;content:"facebookcom";nocase;"

Here is snapshot for your reference.

Hi,

unbelivable. In a multiline Textbox, we have write it in a singleline. :(

Please update the online documentation. There are also three separate lines without the separation character ;

Thx.

Guenter

You are referring to the "Add" option. Look at the linked Syntax part: https://docs.sophos.com/nsg/sophos-firewall/18.0/Help/en-us/webhelp/onlinehelp/nsg/concepts/IPSCustomSignatures.html

Hi,

I've already found this page. This is great for the filteroptions which can be configured. But there was no reference, that the rule have to be wrtitten as a oneliner.

The firewall provides a multilinebox which does not support multiline syntax. As written in my answer to Yash before, the Sophos documentation shows also three separate lines and forget the separation character.

So, the official documentation seems to be wrong and incomplete.

I think Sophos should correct this onlinepart.

In general, a "working" example in each section is helpful and reduces many questions.

sincerly

Guenxter

Just curious, which form of IPS pattern are you going to create? 

Hi,

None. I followed this (https://docs.sophos.com/nsg/sophos-firewall/18.0/Help/en-us/webhelp/onlinehelp/nsg/tasks/IPSCustomSignatureAdd.html) documentation to create a custom IPS rule.

• Go to Intrusion prevention > Custom IPS signatures and click Add.
• Enter a name.
• Select a protocol.
• Specify a custom rule.
• ...

and so on.

And which kind of use case do you want to cover? Is there a specific pattern missing, you want to create or get a alert? 

Sorry Toni,

I know about your motivation for asiking questions like this. But this does not matter. 

I don't mean to be rude and you are really trying hard to find solutions.
However, such questions try to distract from the original problem. We understand your motivation, not to say predicament.

To answer your question.
I do not miss any IPS rule at the moment. However, this does not exclude future special requirements in production environments.

Guenter

I just want to understand, what you try to archive on this feature, as i most likely see only one use case, thats simply a alert system for future requirements of bigger customers. 

Most customers, i saw (even in this size to have the capabilities) do not write own IPS pattern, simply because they cannot follow up with this at all. 

The customers, able to do so, already invested in own IDS system or tap solution to find KI based anomalies. That is the reason, Sophos acquired BrainTrace. https://www.sophos.com/en-us/press-office/press-releases/2021/07/sophos-acquires-braintrace-to-boost-adaptive-cybersecurity.aspx

NDS Systems are the future of such tools, simply because its hard to keep up in a manual style with modern attacks. And to be able to find the pattern, build it yourself and maintain those pattern are simply to hard. If the customer is able to look 24/7 into the SOC bubble of twitter, you might be able to, but i assume, most customers are not. 

I just want to understand, what you try to archive on this feature, as i most likely see only one use case, thats simply a alert system for future requirements of bigger customers. 

Most customers, i saw (even in this size to have the capabilities) do not write own IPS pattern, simply because they cannot follow up with this at all. 

The customers, able to do so, already invested in own IDS system or tap solution to find KI based anomalies. That is the reason, Sophos acquired BrainTrace. https://www.sophos.com/en-us/press-office/press-releases/2021/07/sophos-acquires-braintrace-to-boost-adaptive-cybersecurity.aspx

NDS Systems are the future of such tools, simply because its hard to keep up in a manual style with modern attacks. And to be able to find the pattern, build it yourself and maintain those pattern are simply to hard. If the customer is able to look 24/7 into the SOC bubble of twitter, you might be able to, but i assume, most customers are not.