To apply custom signatures to rules, add them to IDS Profiles.

Procedure

  1. From NSX Manager, go to Security > IDS/IPS & Malware Prevention (under the Policy Management section).
  2. On the IDS/IPS & Malware Prevention page, go to the Profiles tab.
  3. On the IDS/IPS tab, you can choose to add a new profile or edit an existing profile. See Add an NSX IDS/IPS Profile.
  4. To add custom signatures to an existing profile, click the three dots and click Edit.
  5. In the IDS Signatures section, select Custom. It shows the number of signatures that will be included in that profile.
  6. Every custom signature must include the required metadata field signature_severity in the Intrusion Severities section. The possible keyword values for this field are:
    • Critical
    • High
    • Medium
    • Low
    • Suspicious

    These signature severities will be displayed in the UI and contained in the SYSLOG output from the IDS engine.

    When importing signature sets from third-party sources, different keywords may represent the severity of the threat being addressed. For instance, Emerging Threats uses the keyword "Major." During validation, this keyword will be remapped to "High."

  7. Click Save.
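
A pre-import check for the signature_severity requirement in step 6, as an added example that is not part of the NSX documentation or tooling. It assumes Suricata-style rule text with a `metadata:key value, key value;` option and case-insensitive keyword matching; the function names and sample rules are constructed for illustration.

```python
import re

# Severity keywords the page lists for signature_severity.
ALLOWED = ("Critical", "High", "Medium", "Low", "Suspicious")
# The only remap the page documents: Emerging Threats "Major" becomes "High".
REMAP = {"major": "High"}

# Assumption: Suricata-style options, "metadata: k v, k v;" and "sid:N;".
METADATA_RE = re.compile(r"\bmetadata\s*:\s*([^;]*);")
SID_RE = re.compile(r"\bsid\s*:\s*(\d+)\s*;")

def severity_of(rule):
    """Return the raw signature_severity value of a rule, or None if absent."""
    for block in METADATA_RE.findall(rule):
        for pair in block.split(","):
            parts = pair.split()
            if len(parts) >= 2 and parts[0].lower() == "signature_severity":
                return " ".join(parts[1:])
    return None

def check_rule(rule):
    """Classify one rule as (sid, status, severity)."""
    m = SID_RE.search(rule)
    sid = int(m.group(1)) if m else None
    raw = severity_of(rule)
    if raw is None:
        return sid, "missing", None          # required field not present
    for name in ALLOWED:
        if raw.lower() == name.lower():      # assumption: case-insensitive
            return sid, "ok", name
    if raw.lower() in REMAP:
        return sid, "remapped", REMAP[raw.lower()]
    return sid, "invalid", raw               # keyword not listed on the page

# Constructed sample rules (not real signatures).
SAMPLE_RULES = [
    'alert tcp any any -> any 80 (msg:"Constructed A"; content:"test-a"; '
    'metadata:signature_severity Critical; sid:1000001; rev:1;)',
    'alert tcp any any -> any 80 (msg:"Constructed B"; content:"test-b"; '
    'metadata:created_at 2024_01_01, signature_severity Major; sid:1000002; rev:1;)',
    'alert tcp any any -> any 80 (msg:"Constructed C"; content:"test-c"; '
    'sid:1000003; rev:1;)',
    'alert tcp any any -> any 80 (msg:"Constructed D"; content:"test-d"; '
    'metadata:signature_severity Informational; sid:1000004; rev:1;)',
]

if __name__ == "__main__":
    for rule in SAMPLE_RULES:
        print(check_rule(rule))
```

Rules reported as missing or invalid need a signature_severity value from the list above before they are added to a profile.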

Results

When a rule is hit, you can view the details of the action taken on the Monitoring page.

  1. In the Threat Event Monitoring section, select IDS/IPS.

  2. Check the Monitoring tab to see whether any intrusions were detected based on the custom signatures applied to rules on the GFW and DFW.