2 Replies Latest reply on Aug 1, 2017 5:18 PM by d_aloy

    Custom Signature McAfee UDS partial url

    stemax1

      Hi guys,

      I need to create a custom signature on NSM 8.3.

       

      The signature must be able to block URLs with a fixed pattern like:

      e.g. constant --> 546*34

      www.test.it/546*34

      www.prova.it/conf/546*34

      http://test.it/url/fin/546*34

       

      Is it possible to make an IPS signature of this type?

       

      Many thanks

      Regards


        • 1. Re: Custom Signature McAfee UDS partial url
          peter.mason

          Hi Stefano,

           

          You should be able to find what you need in the Custom Attack Definitions Guide

           

          https://kc.mcafee.com/agent/index?page=content&id=PD26347

           

          Regards

           

          Peter

          1 of 1 people found this helpful
          • 2. Re: Custom Signature McAfee UDS partial url
            d_aloy

            Hi Stefano

             

            As Peter says, the Custom Attack Editor guide is great to get these working... I always have to test and re-test though, to make sure they only trigger for the content I want... and deploy alert only first.

             

             

            Try this as the string to search in URI:

             

            \/546\*34

             

            That should match the /546*34, but you must make sure the other parameters are OK (GET, POST, etc.) if using UDS. If using Snort, then simply specifying content:"\/546\*34"; http_uri; should work (I think!)

             

            I would also suggest you bookmark regex101.com - it has really helped me work out the strings to use on UDS or Snort rules, so hopefully it helps you guys too. Just remember you don't always need pcre, but the strings used could be similar.

             

            Regards

            David

            2 of 2 people found this helpful
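
An added example, not part of the original replies: a small Python harness for the test-and-re-test step described above, running the suggested string as a regular expression over the URLs from the question plus constructed negative and edge cases. The helper names and the optional percent-decoding step are assumptions for illustration; it does not model how NSM or Snort normalise URIs.

```python
import re
from urllib.parse import unquote, urlsplit

# String suggested in the reply above, used here as a regular expression:
# a literal "/546*34" anywhere in the request URI.
URI_PATTERN = re.compile(r"\/546\*34")

def request_uri(url):
    """Return the path (plus query) that would appear in the HTTP request line."""
    if "://" not in url:
        url = "http://" + url  # the thread's examples mostly omit the scheme
    parts = urlsplit(url)
    uri = parts.path or "/"
    if parts.query:
        uri += "?" + parts.query
    return uri

def matches(url, decode=False):
    """True if the pattern hits the URI; decode=True percent-decodes it first."""
    uri = request_uri(url)
    if decode:
        uri = unquote(uri)
    return bool(URI_PATTERN.search(uri))

# (url, expected hit on the raw URI). First three are from the question,
# the rest are constructed test cases.
CASES = [
    ("www.test.it/546*34", True),
    ("www.prova.it/conf/546*34", True),
    ("http://test.it/url/fin/546*34", True),
    ("www.test.it/54634", False),      # no literal asterisk
    ("www.test.it/x546*34", False),    # "546" not directly after a slash
    ("www.test.it/546*345", True),     # substring match: longer values also hit
    ("www.test.it/546%2A34", False),   # encoded asterisk is missed on the raw URI
]

def failures():
    """Return the cases whose result differs from the expectation."""
    return [(u, matches(u), want) for u, want in CASES if matches(u) != want]

if __name__ == "__main__":
    for url, want in CASES:
        print(f"{url:32} raw={matches(url)!s:5} decoded={matches(url, decode=True)}")
    print("unexpected results:", failures())
```

The last two cases are the ones worth checking on the sensor itself while the signature is still in alert-only mode: a longer value such as `546*345` also triggers, and a percent-encoded asterisk only matches if the URI is decoded before the comparison.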