I need a solution
I have a very simple IPS rule for identifying traffic on port 53/udp (DNS). I am hoping that this rule will aid in determining root source machines for various malicious site lookups. Unfortunately I cannot get the signature to trigger on anything. I attempted to go through support and was told custom IPS signatures are not supported.
So, has anyone had any luck creating a custom IPS signature for udp traffic?
My example rule.
Name: AppleTest
Description: test sig
Severity: 0-critical
Direction: Both
Content: rule udp, dest=(53), saddr=$LOCALHOST, msg="Fake_Apple_DNS", content="apple.com"
Action: Block and Write to Packet Log
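One thing worth checking when a content match on a DNS query never fires: on the wire, a query name is carried as length-prefixed labels, so the bytes `apple.com` (with a literal dot) do not appear in a standard query for `www.apple.com`; the question section holds `\x05apple\x03com\x00` instead. The Python below is an added example, not part of the original post and not Symantec's signature engine. It builds a constructed UDP/53 query, parses the queried name (the kind of field you would log to trace the source machine of a lookup), and contrasts a literal string match with a match on the label-encoded form. It assumes a plain query with no compression pointers in the question section and no EDNS.

```python
"""Added example: DNS wire-format names versus a literal content match.

Assumptions (not from the original post): standard query, one question,
no name-compression pointers in the question section. The packet is
constructed here, not captured from a network.
"""
import struct


def encode_name(name: str) -> bytes:
    """Encode a dotted hostname as DNS labels: 'apple.com' -> b'\\x05apple\\x03com\\x00'."""
    out = b""
    for label in name.rstrip(".").split("."):
        if not 0 < len(label) < 64:
            raise ValueError(f"bad label length in {name!r}")
        out += struct.pack("B", len(label)) + label.encode("ascii")
    return out + b"\x00"


def build_query(name: str, txid: int = 0x1234, qtype: int = 1) -> bytes:
    """Build a minimal standard A query (constructed sample payload for port 53/udp)."""
    # id, flags (RD set), qdcount=1, ancount=0, nscount=0, arcount=0
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    # question: QNAME, QTYPE, QCLASS=IN
    return header + encode_name(name) + struct.pack(">HH", qtype, 1)


def parse_qname(payload: bytes) -> str:
    """Return the first question name from a DNS payload as a dotted string."""
    pos, labels = 12, []          # question section starts after the 12-byte header
    while True:
        if pos >= len(payload):
            raise ValueError("truncated question name")
        length = payload[pos]
        if length == 0:           # root label terminates the name
            break
        if length & 0xC0:         # compression pointer: not expected in a query
            raise ValueError("compression pointer in question name")
        pos += 1
        labels.append(payload[pos:pos + length].decode("ascii"))
        pos += length
    return ".".join(labels)


def literal_match(payload: bytes, name: str) -> bool:
    """What a plain string match does: search for the dotted name as bytes."""
    return name.encode("ascii") in payload


def wire_match(payload: bytes, name: str) -> bool:
    """Search for the label-encoded form; also hits subdomains of `name`."""
    return encode_name(name) in payload


if __name__ == "__main__":
    q = build_query("www.apple.com")
    print("payload:", q.hex())
    print("queried name:", parse_qname(q))
    print("literal 'apple.com' present:", literal_match(q, "apple.com"))
    print("encoded 'apple.com' present:", wire_match(q, "apple.com"))
```

Running it shows the literal match failing and the encoded match succeeding on the same packet, which is the check to make before concluding that the engine is ignoring the signature altogether; how a given IPS product expects binary bytes to be written in its content field is product-specific and not covered here.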