Sophos XG v18 Custom IPS signatures - multiple content values

Hi,

when you compare your rule to existing rules how does the format compare?
ian

Hi Ian,

could you be more accurate please?
Is there a function for to compare the rules?

Do you mean compare the custom IPS signatures? 
I have used since the beginning just one content parameter for every signature.

I've tried something new because we are receiving lot of scan attempt on our IPS Software on the Machines and we are trying to block these ones directly on the Sophos XG.

Joel.

Hi Ian,

could you be more accurate please?
Is there a function for to compare the rules?

Do you mean compare the custom IPS signatures? 
I have used since the beginning just one content parameter for every signature.

I've tried something new because we are receiving lot of scan attempt on our IPS Software on the Machines and we are trying to block these ones directly on the Sophos XG.

Joel.

First question, not related to IPS in specific, but more likely to this rule, are you decrypting HTTPS? Because you try to scan contant within HTTPs, which is not possible without decryption. 

Your rule is likely invalid, as the content part covers the packet content, and not the Port. 

For example: https://docs.sophos.com/nsg/sophos-firewall/18.0/Help/en-us/webhelp/onlinehelp/nsg/tasks/IPSCustomSignatureAdd.html

Hi Toni,

I have other IPS custom signatures and they're working without any problem. I just ask if we can put more than one "content" parameter in the custom signature as it's written in the manual and how. the fact is: IPS custom signature with 1 "content" parameter -> it works and it's written in my reports, when the xg is using my custom signature, but when the IPS custom signature with 2 or more "content" -> invalid error.

Regards,

Joel Timm

Sure you can, see: https://docs.sophos.com/nsg/sophos-firewall/18.0/Help/en-us/webhelp/onlinehelp/nsg/concepts/IPSCustomSignatures.html

But again, Port is not part of content.