
Sophos XG v18 Custom IPS signatures - multiple content values

Dear Sophos team and users,

We're actually trying to add multiple content values to a custom IPS signature rule, as indicated in the manual, but when we save, a warning pops up saying that the rule isn't valid.

Example:

content:"manager/text/list";dstport:443;nocase;content:"manager/html";

We have tried this one too:

content:"manager/text/list";content:"manager/html";dstport:443;nocase;

Could you please explain why?

Thank you in advance.

Joel.



This thread was automatically locked due to age.
  • Hi,

    When you compare your rule to existing rules, how does the format compare?
    Ian

    XG115W - v19.5.1 mr-1 - Home


  • Hi Ian,

    Could you be more accurate, please?
    Is there a function to compare the rules?

    Do you mean compare the custom IPS signatures?
    Since the beginning, I have used just one content parameter for every signature.

    I've tried something new because we are receiving a lot of scan attempts on our IPS software on the machines, and we are trying to block these directly on the Sophos XG.

    Joel.

    First question, not related to IPS specifically, but more likely to this rule: are you decrypting HTTPS? Because you are trying to scan content within HTTPS, which is not possible without decryption.

    Your rule is likely invalid, as the content part covers the packet content, and not the port.

    For example: https://docs.sophos.com/nsg/sophos-firewall/18.0/Help/en-us/webhelp/onlinehelp/nsg/tasks/IPSCustomSignatureAdd.html


  • Hi Toni,

    I have other IPS custom signatures and they're working without any problem. I am just asking whether we can put more than one "content" parameter in the custom signature, as it's written in the manual, and how. The fact is: an IPS custom signature with 1 "content" parameter -> it works, and it's written in my reports when the XG is using my custom signature, but an IPS custom signature with 2 or more "content" parameters -> invalid error.

    Regards,

    Joel Timm
