The following tips and concepts are useful when creating UDS signatures:

- The UDS creation tool is designed to handle special, emergent requests. It is not a tool for writing attack signatures at scale, and Technical Support recommends that you don't use it for a large number of signatures.
- Understand the vulnerability itself and what is normal and abnormal. A better understanding of the attack and how it works allows for more accurate UDS creation. Running the vulnerability in a test lab with packet-capturing tools can also provide valuable information about how the attack works.
- Balance the number of conditions in the UDS against the performance impact of more complex signatures. More conditions in a UDS help avoid false positives, but the more complex the signature, the greater its impact on Sensor performance. Signature creation requires balancing resource use against the possibility of false detections.
- Use <andthen> instead of <and> conditions to enforce the order of the events (conditions).
- Use ^ or $ to anchor the pattern to the beginning or end of the string.
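The following Python model is an added illustration of the last two tips and is not part of the original page, nor McAfee's UDS syntax or the Sensor's matching engine. It assumes a signature is a list of regular-expression conditions, models an <andthen> chain as "each condition must match after the previous match ended" and an <and> group as "each condition must match anywhere", and shows how ^ and $ anchoring reduces hits on constructed sample payloads. The payload strings, function names and pattern language are all constructed for the example.

```python
import re

# Constructed sample payloads, one per connection; these are not captured traffic.
SAMPLE_PAYLOADS = {
    "login_in_order":  "USER admin\r\nPASS hunter2\r\n",
    "login_reversed":  "PASS hunter2\r\nUSER admin\r\n",
    "cmd_at_start":    "GET /index.html HTTP/1.1\r\n",
    "cmd_inside_body": "POST /search HTTP/1.1\r\n\r\nq=GET /index.html",
}


def evaluate_conditions(payload, patterns, ordered):
    """Model of a multi-condition signature (assumed semantics, not the Sensor's).

    ordered=True  models an <andthen> chain: each pattern must match at or after
                  the point where the previous pattern's match ended.
    ordered=False models an <and> group: every pattern must match somewhere in
                  the payload, in any order.
    """
    position = 0
    for pattern in patterns:
        start = position if ordered else 0
        match = re.compile(pattern).search(payload, start)
        if match is None:
            return False
        if ordered:
            position = match.end()
    return True


def matches(payload, pattern):
    """Single-condition check. Without re.MULTILINE, ^ and $ anchor to the
    start and end of the whole payload rather than to every line."""
    return re.search(pattern, payload) is not None


def count_hits(pattern, payloads=SAMPLE_PAYLOADS):
    """Number of sample payloads on which a single pattern fires; a lower
    count for the anchored form means fewer candidate false positives."""
    return sum(1 for p in payloads.values() if matches(p, pattern))


if __name__ == "__main__":
    # Ordered vs unordered evaluation of a two-step login sequence.
    login = [r"USER ", r"PASS "]
    for name in ("login_in_order", "login_reversed"):
        p = SAMPLE_PAYLOADS[name]
        print(f"{name:15} andthen={evaluate_conditions(p, login, ordered=True)!s:5} "
              f"and={evaluate_conditions(p, login, ordered=False)}")
    # Unanchored vs anchored pattern over the same payload set.
    for pattern in (r"GET ", r"^GET "):
        print(f"{pattern!r:8} hits {count_hits(pattern)} of {len(SAMPLE_PAYLOADS)} payloads")
```

The reversed login payload satisfies the unordered check but not the ordered one, which is the false positive that <andthen> is meant to rule out; likewise "GET " fires on a request body that merely contains the text, while "^GET " fires only when the payload starts with it.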