IDS mailing list archives
RE: Cisco IPS 5.1
From: "Gary Halleen (ghalleen)" <ghalleen () cisco com>
Date: Tue, 21 Nov 2006 13:20:56 -0800
Velasquez,

There are several ways to use Regex, or Regular Expressions, in a Cisco IPS signature. Here are the ways to use it with the service-http engine:

1. URI Regex: Regular expression to search in the URI field. The URI field is defined as after the HTTP method (i.e. GET, POST) and before the first CRLF.

2. Arg Name Regex: Regular expression to search in the HTTP arguments field (variable names within form input, for instance). This is defined as after the '?' and in the entity body as defined by Content-Length.

3. Arg Value Regex: Regular expression to search in the HTTP arguments field after Arg Name Regex is matched. This is searching on the value defined by the variable name, above.

4. Header Regex: Regular expression to search in the HTTP header. The header is defined as after the first CRLF, but before CRLFCRLF.

5. Request Regex: Regular expression to search in both the HTTP URI and HTTP arguments fields.

In addition to these regex values, you can also specify maximum lengths of URI, arguments, header, and request.

If you have specific things you're looking for, I'd be more than happy to help you with the signature. Additionally, our TAC is able to assist in custom signature creation.

Gary

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of Velasquez Venegas Jaime Omar
Sent: Tuesday, November 21, 2006 4:35 AM
To: focus-ids () securityfocus com
Subject: Cisco IPS 5.1

I'm trying to build a customized signature on Cisco IPS 5.1 so it can detect a specific content-type in http header. I did my research and found that I should use an http inspection engine built in Cisco IPS and a command called regex. An example of this would be very helpful.

Thanks
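Added example (not part of the original messages and not Cisco's implementation): a Python model of the field boundaries described in the reply, showing a Header Regex for one Content-Type matching only inside the header region and an Arg Value Regex applying only to the value of a matched argument name. The function names, CT_REGEX and the sample requests are assumptions made for illustration, and Python's re syntax stands in for the sensor's regex dialect.

```python
import re

def split_http_request(raw: bytes) -> dict:
    """Split a raw request into the regions the reply above defines."""
    head, _, body = raw.partition(b"\r\n\r\n")
    # Header: after the first CRLF, but before CRLFCRLF.
    request_line, _, header = head.partition(b"\r\n")
    # URI: after the HTTP method and before the first CRLF.
    _method, _, uri = request_line.partition(b" ")
    # Arguments: after the '?', plus the entity body bounded by Content-Length.
    query = uri.partition(b"?")[2].split(b" ")[0]  # assumption: drop " HTTP/1.x"
    m = re.search(rb"(?im)^Content-Length:[ \t]*(\d+)", header)
    entity = body[: int(m.group(1))] if m else b""
    args = b"&".join(part for part in (query, entity) if part)
    return {"uri": uri, "header": header, "args": args}

def signature_fires(raw, header_regex=None, arg_name_regex=None,
                    arg_value_regex=None) -> bool:
    """Hypothetical model: every regex that is set must match in its own region."""
    fields = split_http_request(raw)
    if header_regex and not re.search(header_regex, fields["header"]):
        return False
    if arg_name_regex:
        # The value regex is only tried on the value of a name that matched.
        for pair in fields["args"].split(b"&"):
            name, _, value = pair.partition(b"=")
            if re.search(arg_name_regex, name) and (
                    arg_value_regex is None or re.search(arg_value_regex, value)):
                return True
        return False
    return True

# Header regex for one Content-Type; character classes cover header-name case.
CT_REGEX = rb"[Cc][Oo][Nn][Tt][Ee][Nn][Tt]-[Tt][Yy][Pp][Ee]:[ \t]*application/octet-stream"

# Constructed sample requests (not captured traffic).
SAMPLE = (b"POST /upload.cgi?user=alice HTTP/1.1\r\nHost: example.test\r\n"
          b"content-type: application/octet-stream\r\nContent-Length: 9\r\n\r\n"
          b"mode=fast")
# Same string appears only in the body, so a header-scoped regex must not match.
DECOY = (b"POST /x HTTP/1.1\r\nHost: example.test\r\n"
         b"Content-Type: text/plain\r\nContent-Length: 40\r\n\r\n"
         b"Content-Type: application/octet-stream\r\n")

if __name__ == "__main__":
    print(signature_fires(SAMPLE, header_regex=CT_REGEX))
    print(signature_fires(DECOY, header_regex=CT_REGEX))
```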