Updated on 2024-11-04 GMT+08:00

Customizing IPS Signatures

You can configure network detection signature rules in CFW. CFW will detect threats in data traffic based on signatures.

HTTP, TCP, UDP, POP3, SMTP and FTP protocols can be configured in user-defined IPS signatures.

User-defined signatures need to be specific. General signatures may match too much traffic and affect traffic forwarding performance.

Constraints

  • Only the professional edition supports custom IPS signatures.
  • A maximum of 500 features can be added.
  • Custom IPS signatures are not affected by the change of the basic protection mode.
  • Content can be set to URI only if Direction is set to Client to server and Protocol Type is set to HTTP.

Customizing IPS Signatures

  1. Log in to the management console.
  2. Click in the upper left corner of the management console and select a region or project.
  3. In the navigation pane on the left, click and choose Security & Compliance > Cloud Firewall. The Dashboard page will be displayed.
  4. (Optional) If the current account has only one firewall instance, the firewall details page is displayed. If there are multiple firewall instances, click View in the Operation column of a firewall to go to its details page.
  5. In the navigation pane, choose Attack Defense > Intrusion Prevention. Click Check Rules in the Custom IPS Signature area.
  6. Click Add Custom IPS Signature in the upper right corner of the list. For more information, see Table 1.

    Table 1 Custom IPS signature parameters

    Parameter Name

    Description

    Name

    Feature name.

    It must meet the following requirements:
    • Only uppercase letters (A to Z), lowercase letters (a to z), numbers (0 to 9), and the following special characters are allowed: -_
    • A maximum of 255 characters are allowed.

    Risk Level

    Risk level of the feature.

    Rule Type

    Rule type of the feature.

    Affected Software

    Affected software.

    OS

    OS.

    Direction

    Direction of the traffic matching the feature. Its value can be:

    • Any: Any direction. Traffic in any direction that meets other specified conditions matches the current rule.
    • Server to client
    • Client to server

    Protocol Type

    Protocol type of the feature.

    Source Type

    Source port type. Its value can be:
    • Any: Any port type. All ports match this type.
    • Include
    • Exclude
    NOTE:

    You are advised to select Any.

    Source Port

    Set Source Port if Source Type is set to Include or Exclude.
    • You can set one or more ports. Use commas (,) to separate multiple ports. Example: 80,100
    • You can also set a port range. Use hyphens (-) to separate ports, for example, 80-443.

    Destination Type

    Destination port type. Its value can be:
    • Any: Any port type. All ports match this type.
    • Include
    • Exclude
    NOTE:

    You are advised to select Any.

    Destination Port

    Set Destination Port if Destination Type is set to Include or Exclude.
    • You can set one or more ports. Use commas (,) to separate multiple ports. Example: 80,100
    • You can also set a port range. Use hyphens (-) to separate ports, for example, 80-443.

    Action

    Action taken by the firewall when it detects traffic with the feature.

    • Observe: Attacks are detected and recorded in logs. For details about how to query logs, see Querying Logs.
    • Intercept: Attacks are automatically blocked.
    NOTE:

    Before you enable the Intercept mode, you are advised to select Observe first and check whether the attack logs are correct for a period of time.

    Content

    Content matching the feature rule.
    • Content: content field that matches the feature, for example, cfw.
    • Content Option: Select a rule for content matching.
      • Hexadecimal: The content must be in hexadecimal format. Example: 0x1F
      • Case insensitive: Match content without checking cases.
      • URL: Match the fields that are consistent with the content in URLs.
    • Relative Position specifies the start position in a feature matching.
      • Head: The start position depends on the Offset from the head. For example, if Offset is 10, the content check starts from the eleventh bit.
        NOTE:

        If Content Option is set to URL, the matching position of the header starts from the end of the domain name (including the port number).

        For example, if the URL is www.example.com/test and the Offset is 0, the content check starts from the slash (/) following com.

        If the URL is www.example.com:80/test and the Offset is 0, the content check starts from the slash (/) after 80.

      • After previous content: Packet capture starts from the specified position.

        Formula: Start position = Length of the previous Content field + Previous Offset + Offset + 1

        For example, if the previous content is test, the previous offset is 10, and the current offset is 5, the start position is the 20th (4+10+5+1) bit.

    • Offset specifies the start position of feature matching. For example, if the offset is 10, the start position is the eleventh bit.
    • Depth specifies the end position of feature matching. For example, if the depth is 65,535, the end position is the 65,535th bit.
    NOTE:
    • Depth must be greater than the length of the Content field.
    • Up to four items can be added to an IPS signature.

  7. Click OK.

Related Operations

  • To copy an IPS feature, click Copy in the Operation column, modify parameters, and click OK.
  • To modify an IPS signature, click Edit in the Operation column.
  • To delete IPS signatures in batches, select signatures and click Delete above the list.
  • To modify actions in batches, select signatures and click Observe or Intercept above the list.

Follow-up Operations

For details about the protection overview, see Viewing Attack Defense Information on the Dashboard. For details about logs, see Attack Event Logs.