What’s New in the IPS Signature Converter Plugin 1.0.7


Learn about the enhancements in the IPS Signature Converter plugin 1.0.7.
The IPS signature converter version 1.0.7 introduces the following capabilities:
Feature: Support for the startswith and endswith keywords

For better coverage of threats identified by Suricata rules, the converter now accepts rules that use the following payload keywords:
  • startswith
  • endswith

Both keywords take no arguments and must follow the content keyword they modify. The converter accepts the startswith and endswith modifiers but ignores them when generating the signature, to prevent false positives that might occur due to pattern-match discrepancies.

Example usage for startswith, which constrains the content to match at the start of the buffer:
  content:"GET|20|"; startswith;

startswith is shorthand notation for:
  content:"GET|20|"; depth:4; offset:0;

Example usage for endswith, which constrains the content to match at the end of the buffer:
  content:".php"; endswith;
Feature: Support for the DNS protocol and the dns_query keyword

For coverage of DNS-based threats carried in DNS requests, you can now convert Snort and Suricata rules that use the dns protocol, together with the new dns_query keyword, to inspect DNS request queries.

The dns_query keyword requires content update 8770-8365 or later. Refer to Install Content Updates for information about installing the Applications and Threats content update package.

Example rule to detect a DNS query name in DNS traffic:
  alert dns any any -> any any (msg:"Test dns_query option"; dns_query; content:"google"; nocase; sid:1;)

  • dns_query, as used above, is operationally equivalent to the newer dns.query keyword.
  • dns_query is a sticky buffer: once it appears in a rule, every content keyword after it is matched against the DNS query name rather than the packet payload.
