Upload a custom signature bundle to the NSX IDS/IPS engine.

Considerations when you upload custom signatures:

  • When deploying custom signatures for NSX IDS/IPS, ensure that they only include supported keywords compatible with NSX. Refer to the supported keywords list below.

  • Use only the following address-group and port-group variables in your signatures; these are the values NSX assigns to them:

    address-groups:
      HOME_NET: "any"
      EXTERNAL_NET: "any"
      HOME_NETWORK: "[10.0.0.0/8,172.16.0.0/12,192.168.0.0/16,fd00::/8]"
      HTTP_SERVERS: "$HOME_NET"
      SMTP_SERVERS: "$HOME_NET"
      SQL_SERVERS: "$HOME_NET"
      DNS_SERVERS: "$HOME_NET"
      TELNET_SERVERS: "$HOME_NET"
      AIM_SERVERS: "$EXTERNAL_NET"
      DC_SERVERS: "$HOME_NET"
      DNP3_SERVER: "$HOME_NET"
      DNP3_CLIENT: "$HOME_NET"
      MODBUS_CLIENT: "$HOME_NET"
      MODBUS_SERVER: "$HOME_NET"
      ENIP_CLIENT: "$HOME_NET"
      ENIP_SERVER: "$HOME_NET"

    port-groups:
      HTTP_PORTS: "any"
      SHELLCODE_PORTS: "!80"
      ORACLE_PORTS: 1521
      SSH_PORTS: 22
      DNP3_PORTS: 20000
      MODBUS_PORTS: 502
      FILE_DATA_PORTS: "[$HTTP_PORTS,110,143]"
      FTP_PORTS: 21
      VXLAN_PORTS: "4789"
  • Confirm that the custom signature bundle you upload is in the correct format: it must be a .zip file (for example, sample_rules.zip). NSX does not track dependencies between custom signatures, so a signature that depends on another (for example, a flowbits check whose setter is a different signature) only works if both are included in the bundle you publish.

  • If you publish a valid custom signature bundle and then override it with a new bundle that contains only invalid custom signatures, NSX does not allow you to publish the new bundle and displays the error message: "Overridden signature is only allowed for VALID/WARNING signature." Also, any IDPS profile that was updated to use signatures from the old bundle becomes invalid if the new bundle does not contain those signatures. Custom signatures in the new bundle that are also part of the old bundle are treated as existing signatures and remain valid for existing profiles.

  • Ensure that all custom signatures utilize the supported keywords. Here is the list of supported keywords:

    sid

    Set rule ID.

    priority

    Rules with a higher priority will be examined first.

    rev

    Set version of the rule.

    classtype

    Information about the classification of rules and alerts.

    app-layer-protocol

    Match on the detected app-layer protocol.

    tcp.ack

    Check for a specific TCP acknowledgement number.

    tcp.seq

    Check for a specific TCP sequence number.

    tcp.window

    Check for a specific TCP window size.

    ipopts

    Check if a specific IP option is set.

    tcp.flags

    Detect which flags are set in the TCP header.

    fragbits

    Check if the fragmentation and reserved bits are set in the IP header.

    fragoffset

    Match on specific decimal values of the IP fragment offset field.

    ttl

    Check for a specific IP time-to-live value.

    tos

    Match on specific decimal values of the IP header TOS field.

    itype

    Match on a specific ICMP type.

    icode

    Match on a specific ICMP code.

    icmp_id

    Check for an ICMP ID.

    icmp_seq

    Check for an ICMP sequence number.

    dsize

    Match on the size of the packet payload.

    flow

    Match on direction and state of the flow.

    threshold

    Control the rule's alert frequency.

    metadata

    Used for logging.

    reference

    Direct to places where information about the rule can be found.

    tag

    Define tags.

    msg

    Information about the rule and the possible alert.

    content

    Match on payload content.

    uricontent

    Legacy keyword to match on the request URI buffer.

    pcre

    Match on regular expression.

    depth

    Designate how many bytes from the beginning of the payload will be checked.

    startswith

    Pattern must be at the start of a buffer (same as 'depth:<pattern len>').

    endswith

    Make sure the previous content matches exactly at the end of the buffer.

    distance

    Indicates a relation between this content keyword and the content preceding it.

    within

    Indicate that this content match has to be within a certain distance of the previous content keyword match.

    abs_offset

    Designate from which byte in the stream will be checked to find a match.

    offset

    Designate from which byte in the payload will be checked to find a match.

    replace

    Replace the matched content with a pattern of the same length; only usable in IPS mode.

    nocase

    Modify content match to be case insensitive.

    fast_pattern

    Force using preceding content in the multi pattern matcher.

    rawbytes

    Included to be compatible with signatures that use it.

    byte_test

    Extract <num of bytes> and perform an operation selected with <operator> against the value in <test value> at a particular <offset>.

    byte_jump

    Allow the ability to select a <num of bytes> from an <offset> and move the detection pointer to that position.

    sameip

    Check if the IP address of the source is the same as the IP address of the destination.

    geoip

    Match on the country of the source and/or destination IP address of the traffic.

    ip_proto

    Match on the IP protocol in the packet-header.

    ftpbounce

    Detect FTP bounce attacks.

    isdataat

    Check if there is still data at a specific part of the payload.

    id

    Match on a specific IP ID value.

    rpc

    Match RPC procedure numbers and RPC version.

    flowvar

    Set a flow variable.

    flowint

    Operate on a per-flow integer.

    pktvar

    Define packet variables.

    noalert

    No alert will be generated by the rule.

    flowbits

    Operate on flow flag.

    hostbits

    Operate on host flag.

    ipv4-csum

    Check IPv4 checksum error.

    tcpv4-csum

    Check TCPv4 checksum error.

    tcpv6-csum

    Check TCPv6 checksum error.

    udpv4-csum

    Check UDPv4 checksum error.

    udpv6-csum

    Check UDPv6 checksum error.

    icmpv4-csum

    Check ICMPv4 checksum error.

    icmpv6-csum

    Check ICMPv6 checksum error.

    stream_size

    Match on amount of bytes of a stream.

    detection_filter

    Alert on every match after a threshold has been reached.

    dataset

    Match sticky buffer against datasets (experimental).

    datarep

    Operate on datasets (experimental).

    decode-event

    Values and conditions that are detected while decoding individual packets.

    gid

    Give different groups of signatures another ID value.

    nfq_set_mark

    Set a netfilter mark on the matched packet (NFQUEUE mode).

    bsize

    Match on the length of a buffer.

    tls.version

    Match on TLS/SSL version.

    tls.subject

    Match TLS/SSL certificate Subject field.

    tls.issuerdn

    Match TLS/SSL certificate IssuerDN field.

    tls_cert_notbefore

    Match TLS certificate notBefore field.

    tls_cert_notafter

    Match TLS certificate notAfter field.

    tls_cert_expired

    Match expired TLS certificates.

    tls_cert_valid

    Match valid TLS certificates.

    tls.fingerprint

    Match TLS/SSL certificate SHA1 fingerprint.

    tls_store

    Store TLS/SSL certificate on disk.

    http_cookie

    Content modifier to match only on the HTTP cookie-buffer.

    http.cookie

    Sticky buffer to match on the HTTP Cookie/Set-Cookie buffers.

    http_method

    Content modifier to match only on the HTTP method-buffer.

    http.method

    Sticky buffer to match specifically and only on the HTTP method buffer.

    http.protocol

    Defines the http_protocol sticky buffer.

    http.start

    Defines the http_start sticky buffer.

    urilen

    Match on the length of the HTTP uri.

    http_client_body

    Content modifier to match only on HTTP request-body.

    http.request_body

    Sticky buffer to match the HTTP request body buffer.

    http_server_body

    Content modifier to match on the HTTP response-body.

    http.response_body

    Sticky buffer to match the HTTP response body buffer.

    http_header

    Content modifier to match only on the HTTP header-buffer.

    http.header

    Sticky buffer to match on the normalized HTTP header-buffer.

    http.header_names

    Defines http_header_names sticky buffer.

    http.accept

    Defines http.accept sticky buffer for the http accept header.

    http.accept_lang

    Defines http.accept_lang sticky buffer for the http accept language header.

    http.accept_enc

    Defines http.accept_enc sticky buffer for the http accept encoding header.

    http.connection

    Defines http.connection sticky buffer for the http connection header.

    http.content_len

    Defines http.content_len sticky buffer for the http content length header.

    http.content_type

    Defines http.content_type sticky buffer for the http content type header.

    http.location

    Defines http.location sticky buffer for the http location header.

    http.server

    Defines http.server sticky buffer for the http server header.

    http.referer

    Defines http.referer sticky buffer for the http referer header.

    http_raw_header

    Content modifier to match the raw HTTP header buffer.

    http.header.raw

    Sticky buffer to match the raw HTTP header buffer.

    http_uri

    Content modifier to match specifically and only on the HTTP uri-buffer.

    http.uri

    Sticky buffer to match specifically and only on the normalized HTTP URI buffer.

    http.uri.raw

    Sticky buffer to match specifically and only on the raw HTTP URI buffer.

    http_raw_uri

    Content modifier to match on the raw HTTP uri.

    http_stat_msg

    Content modifier to match on HTTP stat-msg-buffer.

    http.stat_msg

    Sticky buffer to match on the HTTP response status message.

    http_stat_code

    Content modifier to match only on HTTP stat-code-buffer.

    http.stat_code

    Sticky buffer to match only on HTTP stat-code-buffer.

    http_user_agent

    Content modifier to match only on the HTTP User-Agent header.

    http.user_agent

    Sticky buffer to match specifically and only on the HTTP User Agent buffer.

    http_host

    Content modifier to match on the HTTP hostname.

    http.host

    Sticky buffer to match on the HTTP Host buffer.

    http_raw_host

    Content modifier to match on the HTTP host header or the raw hostname from the HTTP URI.

    http.host.raw

    Sticky buffer to match on the HTTP host header or the raw hostname from the HTTP uri.

    http.request_line

    Sticky buffer to match on the HTTP request line.

    http.response_line

    Content modifier to match only on the HTTP response line.

    nfs_procedure

    Sticky buffer to match NFS procedure.

    nfs.version

    Sticky buffer to match NFS version.

    ssh.proto

    Sticky buffer to match ssh protocol.

    ssh.protoversion

    Sticky buffer to match SSH protocol version.

    ssh.software

    Sticky buffer to match SSH software.

    ssh.softwareversion

    Sticky buffer to match SSH software string.

    ssl_version

    Sticky buffer to match version of SSL/TLS record.

    ssl_state

    Sticky buffer to match the state of the SSL connection.

    byte_extract

    Extract <num of bytes> at a particular <offset> and store it in <var_name>.

    file.data

    Make content keywords match on file data.

    pkt_data

    Reset the detection pointer to the beginning of the packet payload.

    app-layer-event

    Match on events generated by the App Layer Parsers and the protocol detection engine.

    dcerpc.iface

    Match on the value of the interface UUID in a DCERPC header.

    dcerpc.opnum

    Match on one or many operation numbers and/or operation number range within the interface in a DCERPC header.

    dcerpc.stub_data

    Match on the stub data in a given DCERPC packet. It is a 'sticky buffer'.

    smb.named_pipe

    Sticky buffer to match on SMB named pipe in tree connect.

    smb.share

    Sticky buffer to match on SMB share name in tree connect.

    asn1

    Match on ASN.1 encoded data, for example to detect oversize or overflowing lengths.

    engine-event

    Match on events raised by the decoder, stream and application-layer engines.

    stream-event

    Rules for matching on TCP stream engine events.

    filename

    Match on the file name.

    file.name

    Sticky buffer to match on the file name.

    fileext

    Match on the extension of a file name.

    filestore

    Stores files to disk if the rule matched.

    filemagic

    Match on the information libmagic returns about a file.

    file.magic

    Sticky buffer to match on the file magic.

    filemd5

    Match file MD5 against list of MD5 checksums.

    filesha1

    Match file SHA-1 against list of SHA-1 checksums.

    filesha256

    Match file SHA-256 against list of SHA-256 checksums.

    filesize

    Match on the size of the file as it is being transferred.

    l3_proto

    Specify if the signature has to match on IPv4, IPv6 or both.

    lua

    Match using a lua script.

    iprep

    Match on the IP reputation information for a host.

    dns.query

    Sticky buffer to match DNS query-buffer.

    dns.opcode

    Match the DNS header opcode flag.

    tls.sni

    Content modifier to match specifically and only on the TLS SNI buffer.

    tls.certs

    Content modifier to match the TLS certificate sticky buffer.

    tls.cert_issuer

    Content modifier to match specifically and only on the TLS cert issuer buffer.

    tls.cert_subject

    Content modifier to match specifically and only on the TLS cert subject buffer.

    tls.cert_serial

    Content modifier to match the TLS cert serial buffer.

    tls.cert_fingerprint

    Match on the TLS cert fingerprint buffer.

    ja3.hash

    Content modifier to match the JA3 hash buffer.

    ja3.string

    Content modifier to match the JA3 string buffer.

    ja3s.hash

    Content modifier to match the JA3S hash sticky buffer.

    ja3s.string

    Content modifier to match the JA3S string sticky buffer.

    modbus

    Match on various properties of Modbus requests.

    cip_service

    Match on CIP Service.

    enip_command

    Rules for detecting EtherNet/IP command.

    dnp3.data

    Make the following content options match on the re-assembled DNP3 application buffer.

    dnp3_func

    Match on the application function code found in DNP3 request and responses.

    dnp3_ind

    Match on the DNP3 internal indicator flags in the response application header.

    dnp3_obj

    Match on the DNP3 application data objects.

    xbits

    Operate on bits.

    base64_decode

    Decodes base64 encoded data.

    base64_data

    Content match base64 decoded data.

    krb5_err_code

    Match Kerberos 5 error code.

    krb5_msg_type

    Match Kerberos 5 message type.

    krb5.cname

    Sticky buffer to match on Kerberos 5 client name.

    krb5.sname

    Sticky buffer to match on Kerberos 5 server name.

    sip.method

    Sticky buffer to match on the SIP method buffer.

    sip.uri

    Sticky buffer to match on the SIP URI.

    sip.protocol

    Sticky buffer to match on the SIP protocol.

    sip.stat_code

    Sticky buffer to match on the SIP status code.

    sip.stat_msg

    Sticky buffer to match on the SIP status message.

    sip.request_line

    Sticky buffer to match on the SIP request line.

    sip.response_line

    Sticky buffer to match on the SIP response line.

    template2

    Template.

    ipv4.hdr

    Sticky buffer to match on the IPV4 header.

    ipv6.hdr

    Sticky buffer to match on the IPV6 header.

    tcp.hdr

    Sticky buffer to match on the TCP header.

    udp.hdr

    Sticky buffer to match on the UDP header.

    tcp.mss

    Sticky buffer to match on TCP MSS option field.

    ftpdata_command

    Match FTP command triggering a FTP data channel.

    target

    Indicate to output module which side is the target of the attack.

    snmp.version

    Match SNMP version.

    snmp.community

    Sticky buffer to match on the SNMP community string.

    snmp.pdu_type

    Match SNMP PDU type.

    bypass

    Call the bypass callback when the match of a sig is complete.

    prefilter

    Force a condition to be used as prefilter.

    compress_whitespace

    Modify buffer to compress consecutive whitespace characters into a single one before inspection.

    strip_whitespace

    Modify buffer to strip whitespace before inspection.

    to_md5

    Convert to md5 hash of the buffer.

    to_sha1

    Convert to sha1 hash of the buffer.

    to_sha256

    Convert to sha256 hash of the buffer.

    dotprefix

    Modify buffer to extract the dotprefix.

    nopcap

    Avoid pcap content snipping from flows upon alerts.
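As an added example (not VMware's code), the following Python script applies the considerations above to a bundle before you upload it: it rejects a container without a .zip extension, parses each rule, flags address or port variables and keywords outside the supported lists, and, because NSX does not track dependencies, reports any flowbit that a rule tests but no rule in the same bundle sets. It assumes the .zip contains plain-text .rules files in Suricata rule syntax (the page states only the .zip requirement). The sample rules, the custom.rules file name and the sid values are constructed for the demonstration, and the keyword set is a subset of the page's list that you would extend to the full list.

```python
# Assumes the .zip holds plain-text .rules files in Suricata rule syntax; the
# page only requires the .zip extension, so that inner layout is an assumption.
import io
import re
import zipfile

# Address and port variables the page lists as supported.
ADDRESS_VARS = {"HOME_NET", "EXTERNAL_NET", "HOME_NETWORK", "HTTP_SERVERS",
                "SMTP_SERVERS", "SQL_SERVERS", "DNS_SERVERS", "TELNET_SERVERS",
                "AIM_SERVERS", "DC_SERVERS", "DNP3_SERVER", "DNP3_CLIENT",
                "MODBUS_CLIENT", "MODBUS_SERVER", "ENIP_CLIENT", "ENIP_SERVER"}
PORT_VARS = {"HTTP_PORTS", "SHELLCODE_PORTS", "ORACLE_PORTS", "SSH_PORTS", "DNP3_PORTS",
             "MODBUS_PORTS", "FILE_DATA_PORTS", "FTP_PORTS", "VXLAN_PORTS"}
# Subset of the page's supported keyword list; extend it to the full list before
# linting real bundles, otherwise every omitted keyword is reported.
KEYWORDS = {"sid", "rev", "msg", "classtype", "priority", "reference", "metadata",
            "flow", "flowbits", "content", "nocase", "depth", "offset", "distance",
            "within", "pcre", "fast_pattern", "dsize", "threshold", "startswith",
            "endswith", "http.uri", "http.method", "http.user_agent", "tls.sni"}
HEADER_RE = re.compile(r"^\s*(alert|drop|pass|reject)\s+(\S+)\s+(\S+)\s+(\S+)\s+"
                       r"(->|<>)\s+(\S+)\s+(\S+)\s*\((.*)\)\s*$")
# One option: name, optional ':value' (a quoted value may contain ';'), then ';'.
OPTION_RE = re.compile(r'\s*([A-Za-z0-9_.\-]+)\s*(?::\s*((?:"(?:[^"\\]|\\.)*"|[^;"])*))?;')
VAR_RE = re.compile(r"\$([A-Za-z_]\w*)")

def parse_rule(line):
    """Split one rule into joined address/port fields and an ordered option list."""
    m = HEADER_RE.match(line)
    if not m:
        raise ValueError("malformed rule header")
    _, _, src, sport, _, dst, dport, body = m.groups()
    body, pos, options = body.strip(), 0, []
    while pos < len(body):
        om = OPTION_RE.match(body, pos)
        if not om:
            raise ValueError("malformed option near %r" % body[pos:pos + 30])
        options.append((om.group(1), om.group(2)))
        pos = om.end()
    return {"addrs": src + " " + dst, "ports": sport + " " + dport, "options": options}

def lint_rules(text):
    """Return (tag, message) findings for the rules in one .rules file."""
    findings, setters, checks = [], set(), []
    for lineno, line in enumerate(map(str.strip, text.splitlines()), 1):
        if not line or line.startswith("#"):
            continue
        try:
            rule = parse_rule(line)
        except ValueError as exc:
            findings.append(("line %d" % lineno, "parse error: %s" % exc))
            continue
        sid = next((v for k, v in rule["options"] if k == "sid"), None)
        tag = "sid %s" % sid if sid else "line %d (no sid)" % lineno
        for field, allowed, kind in ((rule["addrs"], ADDRESS_VARS, "address"),
                                     (rule["ports"], PORT_VARS, "port")):
            for var in VAR_RE.findall(field):
                if var not in allowed:
                    findings.append((tag, "unsupported %s variable $%s" % (kind, var)))
        for key, value in rule["options"]:
            if key not in KEYWORDS:
                findings.append((tag, "unsupported keyword " + key))
            if key == "flowbits" and value and "," in value:
                action, names = (p.strip() for p in value.split(",", 1))
                if action in ("set", "toggle"):
                    setters.add(names)
                elif action in ("isset", "isnotset"):
                    checks.append((tag, re.split(r"[|&]", names)))
    # NSX does not track dependencies: a flowbit tested here but set by no rule
    # in this bundle means the testing rule can never fire once published.
    for tag, names in checks:
        for name in names:
            if name not in setters:
                findings.append((tag, "flowbits %s is tested but never set in this bundle" % name))
    return findings

def lint_bundle(filename, data):
    """Reject a non-.zip container, otherwise lint every .rules file inside it."""
    if not filename.lower().endswith(".zip"):
        return [(filename, "-", "bundle must have a .zip extension")]
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return [(n, tag, msg) for n in zf.namelist() if n.lower().endswith(".rules")
                for tag, msg in lint_rules(zf.read(n).decode("utf-8", errors="replace"))]

# Constructed sample: a complete flowbits setter/checker pair, a checker whose
# setter is missing, and a rule with an unsupported variable and keyword.
SAMPLE_RULES = "\n".join([
    'alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"CUSTOM admin path probe"; '
    'flow:established,to_server; http.uri; content:"/admin/"; startswith; nocase; '
    'flowbits:set,custom.admin_probe; classtype:web-application-activity; sid:9000001; rev:1;)',
    'alert tcp $HOME_NET any -> $EXTERNAL_NET 4444 (msg:"CUSTOM outbound 4444 after probe"; '
    'flow:established,to_server; flowbits:isset,custom.admin_probe; sid:9000002; rev:1;)',
    'alert tcp $HOME_NET any -> $EXTERNAL_NET 4445 (msg:"CUSTOM orphan flowbit check"; '
    'flowbits:isset,custom.never_set; sid:9000003; rev:1;)',
    'alert tls $MY_NET any -> $EXTERNAL_NET 443 (msg:"CUSTOM unsupported var and keyword"; '
    'ja4.hash; content:"t13d1516h2_8daaf6152771_b186095e22b6"; sid:9000004; rev:1;)',
])

def build_sample_bundle():
    """Pack the constructed sample into an in-memory sample_rules.zip."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("custom.rules", SAMPLE_RULES)
    return buf.getvalue()
```

Calling lint_bundle("sample_rules.zip", build_sample_bundle()) returns three findings: the unsupported $MY_NET variable and the unsupported ja4.hash keyword on sid 9000004, and the orphaned flowbits test on sid 9000003. The last one is exactly the case the dependency note above warns about: nothing in the bundle can set custom.never_set, so that signature can never fire after you publish, while sid 9000002 is fine because its setter (sid 9000001) ships in the same bundle.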

Procedure

  1. From the NSX Manager, go to Security > IDS/IPS & Malware Prevention (under the Policy Management section).
  2. On the IDS/IPS & Malware Prevention page, go to the Signature Management tab and select Custom Signatures.
  3. Click Add and choose the Load from File option.
  4. If you have previously uploaded a signature bundle, be aware that all signatures will be replaced by the new bundle you are about to upload. Therefore, export the existing bundle to your computer, update it with the new signatures, and then upload the modified bundle.
  5. If you are uploading a custom signature bundle for the first time, on the Define New Signature Set window, enter a signature name and select a signature bundle by browsing to the location on your computer. Click Validate.
  6. Before you publish the signatures, note that only Valid and explicitly selected Warning signatures are published to transport nodes and NSX Edges.
    Note:

    Invalid signatures and unselected Warning signatures are not published to transport nodes and NSX Edges.

  7. Click Publish. Until you publish, the newly uploaded bundle can still be reverted from the NSX Manager UI, which keeps the currently published signatures in place.