To apply custom signatures to rules, add them to IDS Profiles.
Procedure
- From the NSX Manager go to the (under Policy Management section).
- On the IDS/IPS & Malware Prevention page, go to the Profiles tab.
- On the IDS/IPS tab, you can choose to add a new profile or edit an existing profile. See Add an NSX IDS/IPS Profile.
- To add custom signatures to an existing profile, click the three dots and click Edit.
- In the IDS Signatures section, select Custom. It shows the number of signatures that will be included in that profile.
- Every custom signature must include the required metadata field signature_severity in the Intrusion Severities section. The possible keyword values for this field are:
  - Critical
  - High
  - Medium
  - Low
  - Suspicious

  These signature severities are displayed in the UI and included in the SYSLOG output from the IDS engine.

  When importing signature sets from third-party sources, different keywords may represent the severity of the threat being addressed. For instance, Emerging Threats uses the keyword "Major". During validation, this keyword is remapped to "High".
- Click Save.
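
The signature_severity requirement and the "Major" to "High" remapping described in the procedure can be checked before a rule file is uploaded. The following is an added example, not NSX or VMware code: a pre-import lint that reports which rules lack the field, carry an unlisted value, or would be remapped. It assumes Suricata-style rule text with a `metadata:` option (the form Emerging Threats rules use) and exact-case keyword matching; the function names, sample rules and SIDs are constructed for illustration.

```python
import re

# Severity keywords the page lists as valid for signature_severity.
ALLOWED = {"Critical", "High", "Medium", "Low", "Suspicious"}
# The only remapping the page documents: Emerging Threats "Major" -> "High".
REMAP = {"Major": "High"}
METADATA_RE = re.compile(r"\bmetadata\s*:\s*([^;]*);")  # metadata:k v, k v;
SID_RE = re.compile(r"\bsid\s*:\s*(\d+)\s*;")


def parse_metadata(rule):
    """Return key/value pairs from every metadata option in one rule."""
    pairs = {}
    for body in METADATA_RE.findall(rule):
        for item in body.split(","):
            key, _, value = item.strip().partition(" ")
            if key:
                pairs[key] = value.strip()
    return pairs


def check_rule(rule):
    """Return (sid, status, severity) for one rule line."""
    sid = int(m.group(1)) if (m := SID_RE.search(rule)) else None
    severity = parse_metadata(rule).get("signature_severity")
    if severity is None:
        return sid, "missing", None          # required field absent
    if severity in ALLOWED:
        return sid, "ok", severity
    if severity in REMAP:
        return sid, "remapped", REMAP[severity]
    return sid, "invalid", severity          # keyword not listed on the page


def lint(rules_text):
    return [check_rule(line) for line in rules_text.splitlines()
            if line.strip() and not line.lstrip().startswith("#")]


# Constructed sample rules (not real signatures; SIDs are placeholders).
SAMPLE = """\
alert http any any -> any any (msg:"Example A"; content:"test-a"; metadata:created_at 2024_01_01, signature_severity High; sid:1000001; rev:1;)
alert http any any -> any any (msg:"Example B"; content:"test-b"; metadata:signature_severity Major; sid:1000002; rev:1;)
alert http any any -> any any (msg:"Example C"; content:"test-c"; sid:1000003; rev:1;)
alert http any any -> any any (msg:"Example D"; content:"test-d"; metadata:signature_severity Urgent; sid:1000004; rev:1;)
"""

if __name__ == "__main__":
    for sid, status, severity in lint(SAMPLE):
        print(sid, status, severity)
```

Rules reported as "missing" or "invalid" need a signature_severity value from the list above before they are added to a profile.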
Results
When a rule is hit, you can view the details of the action taken on the Monitoring page.
In the Threat Event Monitoring section, select IDS/IPS.
Check the Monitoring tab to see whether any intrusions were detected based on the custom signatures applied to rules on the GFW and DFW.