NSX-T Data Center REST API

List IDS Custom Signatures

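Lists the IDS custom signatures that belong to the custom signature version identified by {version-id}. Each entry in the result carries the full rule text in its `signature` field, together with its `action`, `enable` flag and `validation_status`, so read access to this endpoint discloses the deployment's custom detection logic.
This API is only available when using VMware NSX.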

Request:

Method:
GET
URI Path(s):
/policy/api/v1/infra/settings/firewall/security/intrusion-services/custom-signature-versions/{version-id}/custom-signatures
/policy/api/v1/orgs/{org-id}/projects/{project-id}/infra/settings/firewall/security/intrusion-services/custom-signature-versions/{version-id}/custom-signatures
Request Headers:
n/a
Query Parameters:
IdsCustomSignatureListRequestParameters+
Request Body:
n/a

Successful Response:

Response Code:
200 OK
Response Headers:
Content-type: application/json
Response Body:
IdsCustomSignatureListResult+

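Example Response (as reproduced here the body is incomplete: `result_count` is 5, but the fourth entry's `signature` string breaks off partway through and runs directly into the rule text of the "NSX - Detect Fareit" entry, so the text does not parse as JSON as shown):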

{ "results": [ { "resource_type": "IdsCustomSignaturePreview", "id": "1001061397", "path": "/infra/settings/firewall/security/intrusion-services/custom-signature-versions/Test/signatures-preview/1001061397", "relative_path": "1001061397", "parent_path": "/infra/settings/firewall/security/intrusion-services/custom-signature-versions/Test", "marked_for_delete": false, "overridden": false, "name": "NSX - (Initial Access) Detect CVE-2014-6332", "class_type": "attempted-user", "severity": "HIGH", "signature_revision": "3565", "signature_id": "1001061397", "categories": [ "APPLICATION" ], "cvssv3": "0.0", "cvssv2": "9.3", "attack_target": "Client_Endpoint", "product_affected": "NONE", "cves": [ "2014-6332" ], "flow": "established,to_server", "action": "reject", "enable": true, "impact": "52", "risk_score": "75", "confidence": "70", "mitre_attack": [ { "tactic_url": "https://attack.mitre.org/tactics/TA0001/", "tactic_name": "Initial Access", "technique_name": "Drive-by Compromise", "technique_url": "https://attack.mitre.org/techniques/T1189/" } ], "signature": "reject http $HOME_NET any -> $EXTERNAL_NET any (msg:\"NSX - (Initial Access) Detect CVE-2014-6332\"; flow:established,to_server; target:src_ip; content:\"GET\"; nocase; http_method; content:\"?MTIzNDU2\"; http_uri; pcre:\"/\/\\?MTIzNDU2[A-Za-z0-9+\/=]*&d=[a-z0-9]{32} HTTP/\"; flowbits:set,LL.verifier_http_successful; flowbits:set,LL.verifier_http_failed; flowbits:set,LL.verifier_http_blocked; threshold: type limit, track by_src, seconds 180, count 1; metadata:ll_expected_verifier default, flip_endpoints False, server_side False, threat_class_name drive-by, threat_name CVE-2014-6332, ids_mode REAL, blacklist_mode DISABLED, exploited None, confidence 70, severity 75, detector_id 61397, signature_severity High; reference:url,www.lastline.com; classtype:attempted-user; sid:1061397; rev:3565; priority:2;)", "original_signature_id": "1061397", "validation_status": "WARNING", "_system_owned": false, "_protection": 
"NOT_PROTECTED", "_create_time": 1717741995216, "_create_user": "admin", "_last_modified_time": 1717741995216, "_last_modified_user": "admin", "_revision": 0 }, { "resource_type": "IdsCustomSignaturePreview", "id": "1001060933", "path": "/infra/settings/firewall/security/intrusion-services/custom-signature-versions/Test/signatures-preview/1001060933", "relative_path": "1001060933", "parent_path": "/infra/settings/firewall/security/intrusion-services/custom-signature-versions/Test", "marked_for_delete": false, "overridden": false, "name": "NSX - Detect Zeus activity", "class_type": "trojan-activity", "severity": "CRITICAL", "signature_revision": "3007", "signature_id": "1001060933", "categories": [ "APPLICATION" ], "cvssv3": "0.0", "cvssv2": "0.0", "attack_target": "Client_Endpoint", "product_affected": "NONE", "flow": "established,to_client", "action": "reject", "enable": false, "impact": "80", "risk_score": "100", "confidence": "80", "signature": "reject http $EXTERNAL_NET any -> $HOME_NET any (msg:\"NSX - Detect Zeus activity\"; flow:established,to_client; target:dest_ip; content:\"|00 00 00 00 8D|L|C8 15 F6|dps|C7|VQ5|03|C|DD|&\"; pcre:\"/^\\x00\\x00\\x00\\x00\\x8DL\\xC8\\x15\\xF6dps\\xC7VQ5\\x03C\\xDD&/Q\"; threshold: type limit, track by_dst, seconds 180, count 1; metadata:ll_verifier_outcome successful, flip_endpoints True, server_side False, threat_class_name command&control, threat_name Zeus Variant, ids_mode REAL, blacklist_mode REAL, exploited None, confidence 80, severity 100, detector_id 60921, signature_severity Critical; reference:url,www.lastline.com; classtype:trojan-activity; sid:1060921; rev:3007; priority:1;)", "original_signature_id": "1060933", "validation_status": "INVALID", "validation_message": "test message", "_system_owned": false, "_protection": "NOT_PROTECTED", "_create_time": 1717741995213, "_create_user": "admin", "_last_modified_time": 1717741995213, "_last_modified_user": "admin", "_revision": 0 }, { "resource_type": 
"IdsCustomSignaturePreview", "id": "1001060921", "path": "/infra/settings/firewall/security/intrusion-services/custom-signature-versions/Test/signatures-preview/1001060921", "relative_path": "1001060921", "parent_path": "/infra/settings/firewall/security/intrusion-services/custom-signature-versions/Test", "marked_for_delete": false, "overridden": false, "name": "NSX - Detect Zeus activity", "class_type": "trojan-activity", "severity": "CRITICAL", "signature_revision": "3007", "signature_id": "1001060921", "categories": [ "APPLICATION" ], "cvssv3": "0.0", "cvssv2": "0.0", "attack_target": "Client_Endpoint", "product_affected": "NONE", "flow": "established,to_client", "action": "reject", "enable": true, "impact": "80", "risk_score": "100", "confidence": "80", "signature": "reject http $EXTERNAL_NET any -> $HOME_NET any (msg:\"NSX - Detect Zeus activity\"; flow:established,to_client; target:dest_ip; content:\"|00 00 00 00 8D|L|C8 15 F6|dps|C7|VQ5|03|C|DD|&\"; pcre:\"/^\\x00\\x00\\x00\\x00\\x8DL\\xC8\\x15\\xF6dps\\xC7VQ5\\x03C\\xDD&/Q\"; threshold: type limit, track by_dst, seconds 180, count 1; metadata:ll_verifier_outcome successful, flip_endpoints True, server_side False, threat_class_name command&control, threat_name Zeus Variant, ids_mode REAL, blacklist_mode REAL, exploited None, confidence 80, severity 100, detector_id 60921, signature_severity Critical; reference:url,www.lastline.com; classtype:trojan-activity; sid:1060921; rev:3007; priority:1;)", "original_signature_id": "1060921", "validation_status": "VALID", "_system_owned": false, "_protection": "NOT_PROTECTED", "_create_time": 1717741995211, "_create_user": "admin", "_last_modified_time": 1717741995211, "_last_modified_user": "admin", "_revision": 0 }, { "resource_type": "IdsCustomSignaturePreview", "id": "1001061571", "path": "/infra/settings/firewall/security/intrusion-services/custom-signature-versions/Test/signatures-preview/1001061571", "relative_path": "1001061571", "parent_path": 
"/infra/settings/firewall/security/intrusion-services/custom-signature-versions/Test", "marked_for_delete": false, "overridden": false, "name": "NSX - (Initial Access) Detect transfer of the Metasploit payload windows/x64/vncinject/reverse_tcp_uuid", "class_type": "attempted-user", "severity": "HIGH", "signature_revision": "1", "signature_id": "1001061571", "categories": [ "APPLICATION" ], "cvssv3": "0.0", "cvssv2": "0.0", "attack_target": "Client_Endpoint", "product_affected": "NONE", "flow": "established,to_client", "action": "reject", "enable": true, "impact": "52", "risk_score": "75", "confidence": "70", "mitre_attack": [ { "tactic_url": "https://attack.mitre.org/tactics/TA0001/", "tactic_name": "Initial Access", "technique_name": "Exploit Public-Facing Application", "technique_url": "https://attack.mitre.org/techniques/T1190/" } ], "signature": "reject tcp $EXTERNAL_NET any -> $HOME_NET any (msg:\"NSX - (Initial Access) Detect transfer of the Metasploit payload windows/x64/vncinject/reverse_tcp_uuid\"; flow:established,to_client; target:dest_ip; content:\"|FC|H|83 E4 F0 E8 CC 00 00 00|AQAPR\"; content:\"QVH1|D2|eH|8B|R|60|H|8B|R|18|H\"; content:\"|8B|R H|8B|rPH|0F B7|JJM1|C9|\"; content:\"H1|C0 AC| $EXTERNAL_NET any (msg:\"NSX - Detect Fareit\"; flow:established,to_server; target:src_ip; content:\"POST /\"; content:\"news.php\"; content:\"HTTP/\"; content:\"Host|3A|\"; content:\"Accept|3A| |2A|/|2A|\"; content:\"Connection|3A| close\"; content:\"Content-Encoding|3A| binary\"; content:!\"Referer|3A|\"; pcre:\"/\\xFF/P\"; flowbits:set,LL.verifier_http_successful; flowbits:set,LL.verifier_http_failed; flowbits:set,LL.verifier_http_blocked; threshold: type limit, track by_src, seconds 180, count 1; metadata:ll_expected_verifier default, flip_endpoints False, server_side False, threat_class_name command&control, threat_name Fareit, ids_mode REAL, blacklist_mode REAL, exploited None, confidence 85, severity 100, detector_id 60759, signature_severity Critical; 
reference:url,www.lastline.com; classtype:trojan-activity; sid:1060759; rev:2778; priority:1;)", "original_signature_id": "1060759", "validation_status": "VALID", "_system_owned": false, "_protection": "NOT_PROTECTED", "_create_time": 1717741995213, "_create_user": "admin", "_last_modified_time": 1717741995213, "_last_modified_user": "admin", "_revision": 0 } ], "result_count": 5, "sort_by": "display_name", "sort_ascending": true }

Required Permissions:

read

Feature:

policy_common_ids

Additional Errors: