Adding a Custom IPS Signature

Scenario

Companies need customized intrusion detection solutions to cope with diverse complex attacks. Signature rules that are too general may cause a large number of false positives, reducing defense efficiency. CFW supports refined custom IPS signature rules for HTTP, TCP, UDP, POP3, SMTP, and FTP protocols. It can identify malicious traffic through accurate signature matching.

You can add custom IPS signatures. Be specific when configuring custom signatures. If your rules are too general, they may cause false matching and performance deterioration.

Constraints

Only the professional edition supports custom IPS signatures.
A maximum of 500 features can be added.
Custom IPS signatures are not affected by the change of the basic protection mode.
Content can be set to URI only if Direction is set to Client to server and Protocol Type is set to HTTP.

Adding a Custom IPS Signature

Log in to the management console.
Click in the upper left corner of the management console and select a region or project.
In the navigation pane on the left, click and choose Security & Compliance > Cloud Firewall. The Dashboard page will be displayed.
(Optional) Switch to another firewall instance. Select a firewall from the drop-down list in the upper left corner of the page.
In the navigation pane, choose Attack Defense > Intrusion Prevention. In the Custom IPS Signature area, click Check Rules.

Click Add Custom IPS Signature in the upper left corner of the list and configure parameters.

**Table 1** Custom IPS signature parameters
Parameter	Description
Name	Feature name. It must meet the following requirements: Only uppercase letters (A to Z), lowercase letters (a to z), numbers (0 to 9), and the following special characters are allowed: -_ A maximum of 255 characters are allowed.
Risk Level	Risk level of the feature.
Rule Type	Rule type of the feature.
Affected Software	Affected software.
OS	OS.
Direction	Direction of the traffic matching the feature. Its value can be: Any: Any direction. Traffic in any direction that meets other specified conditions matches the current rule. Server to client Client to server
Protocol Type	Protocol type of the feature.
Source Type	Source port type. Its value can be: Any: Any port type. All ports match this type. You are advised to select Any. Include Exclude
Source Port	Set Source Port if Source Type is set to Include or Exclude. You can set one or more ports. Use commas (,) to separate multiple ports. Example: 80,100 You can also set a port range. Use hyphens (-) to separate ports, for example, 80-443.
Destination Type	Destination port type. Its value can be: Any: Any port type. All ports match this type. You are advised to select Any. Include Exclude
Destination Port	Set Destination Port if Destination Type is set to Include or Exclude. You can set one or more ports. Use commas (,) to separate multiple ports. Example: 80,100 You can also set a port range. Use hyphens (-) to separate ports, for example, 80-443.
Action	Action taken by the firewall when it detects traffic with the feature. Observe: Attacks are detected and logged. For details about how to query logs, see Querying Logs. Intercept: Attacks are automatically blocked. Before you enable the Intercept mode, you are advised to select Observe first and check whether the attack logs are correct for a period of time.
Content	Content matching the feature rule. Content: content field that matches the feature, for example, cfw. Content Option: Select a rule for content matching. Hexadecimal: The content must be in hexadecimal format. Example: 0x1F Case insensitive: Match content without checking cases. URL: Match the fields that are consistent with the content in URLs. Relative Position specifies the start position in a feature matching. Head: The start position depends on the Offset from the head. For example, if Offset is 10, the content check starts from the eleventh bit. NOTE: If Content Option is set to URL, the matching position of the header starts from the end of the domain name (including the port number). For example, if the URL is www.example.com/test and the Offset is 0, the content check starts from the slash (/) following com. If the URL is www.example.com:80/test and the Offset is 0, the content check starts from the slash (/) after 80. After previous content: Packet capture starts from the specified position. Formula: Start position = Length of the previous Content field + Previous Offset + Offset + 1 For example, if the previous content is test, the previous offset is 10, and the current offset is 5, the start position is the 20th (4+10+5+1) bit. Offset specifies the start position of feature matching. For example, if the offset is 10, the start position is the eleventh bit. Depth specifies the end position of feature matching. For example, if the depth is 65,535, the end position is the 65,535th bit. NOTE: Depth must be greater than the length of the Content field. Up to four items can be added to an IPS signature.

Click OK.

References

Managing custom IPS signatures:
- To copy a custom IPS signature, click Copy in the Operation column, modify parameters, and click OK.
- To modify a custom IPS signature, click Edit in the Operation column. Modify parameters and click OK.
- To delete a custom IPS signature, click More > Delete in the Operation column. In the dialog box that is displayed, click OK.
- To delete multiple custom IPS signatures at a time, select signatures and click Delete above the list. In the dialog box that is displayed, click OK.
- To modify the action of a custom IPS signature, choose More > Observe or More > Intercept in the Operation column.
- To change the actions of multiple custom IPS signatures at a time, select signatures and click Observe or Intercept above the list.
For details about attack defense, see Attack Defense Overview.
For details about how to block network attacks, see Configuring Intrusion Prevention.