IDS mailing list archives
RE: Cisco IPS 5.1
From: "Nick Smith (nicksmi)" <nicksmi () cisco com>
Date: Tue, 21 Nov 2006 13:54:57 -0800
The best engine to use to detect this type of activity would be Service HTTP. Be sure to use #WEBPORTS as your service port detection range to ensure efficiency. Using the IDM, you can see that Service HTTP has many regexes available for use. A regex looks in a certain part of the HTTP request and if it matches the pattern you enter, it triggers the configured action, such as firing an alert.

The regex you want to use for looking for a specific Content-Type would be the header regex. In there, you would enter:

[Cc][Oo][Nn][Tt][Ee][nN][Tt][-][Tt][Yy][pP][Ee][:]\x20?

and then the type you are looking for. So if you are looking for image/gif, your regex would be:

[Cc][Oo][Nn][Tt][Ee][nN][Tt][-][Tt][Yy][pP][Ee][:]\x20?[Ii][Mm][Aa][Gg][Ee][/][Gg][Ii][Ff]

The []'s say that you will match anything contained therein, so in this example, it would match for any capitalization in 'content-type' and image/gif. The \x20? adds an optional space to be matched or not between 'content-type' and the type.

Please let us know if you require any further assistance.

Nicholas Smith
Cisco IPS Signature Developer

-----Original Message-----
From: Velasquez Venegas Jaime Omar <jaime () ulima edu pe>
Date: Nov 21, 2006 6:34 AM
Subject: Cisco IPS 5.1
To: focus-ids () securityfocus com

I'm trying to build a customized signature on Cisco IPS 5.1 so it can detect a specific content-type in http header. I did my research and found that I should use an http inspection engine built in Cisco IPS and a command called regex. An example of this would be very helpful.

Thanks

------------------------------------------------------------------------
Test Your IDS
Is your IDS deployed correctly? Find out quickly and easily by testing it with real-world attacks from CORE IMPACT. Go to http://www.coresecurity.com/index.php5?module=Form&action=impact&campaign=intro_sfw to learn more.
------------------------------------------------------------------------
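As an added illustration, not part of Nick's reply and not Cisco's own code, the following Python script exercises the header regex from the post against a few constructed HTTP requests. It assumes that Python's re module matches this simple pattern (character classes, the \x20 hex escape and the ? quantifier) the same way the Service HTTP engine does, so it can be used to sanity-check a candidate regex before it is loaded into a sensor; the build_header_regex helper and the sample requests are my own additions.

```python
import re

# The header regex from the post, as it would be entered into the Service HTTP
# header-regex field of a Cisco IPS 5.1 custom signature. Python's re accepts
# the same syntax, so the pattern can be exercised here outside the sensor
# (assumption: the sensor's engine agrees with re for this simple pattern).
CONTENT_TYPE_PREFIX = r"[Cc][Oo][Nn][Tt][Ee][nN][Tt][-][Tt][Yy][pP][Ee][:]\x20?"


def build_header_regex(mime_type: str) -> str:
    """Build a Cisco-style case-insensitive header regex for a MIME type.

    Helper added here (not from the post): every letter is expanded into an
    [Xx] class, exactly as the post does by hand for image/gif, and
    punctuation such as '/' is wrapped in its own single-character class.
    """
    body = "".join(
        f"[{c.upper()}{c.lower()}]" if c.isalpha() else f"[{c}]"
        for c in mime_type
    )
    return CONTENT_TYPE_PREFIX + body


def header_matches(raw_http: str, mime_type: str) -> bool:
    """Return True if the request's header block carries the given Content-Type.

    Only the header block (everything before the first blank line) is searched,
    mirroring the fact that the IPS header regex inspects the HTTP headers
    rather than the body.
    """
    headers = raw_http.split("\r\n\r\n", 1)[0]
    return re.search(build_header_regex(mime_type), headers) is not None


# Constructed sample requests (not captured traffic).
REQUESTS = {
    "lowercase": (
        "POST /upload HTTP/1.1\r\nHost: example.test\r\n"
        "content-type: image/gif\r\n\r\nGIF89a..."
    ),
    "mixed_case_no_space": (
        "POST /upload HTTP/1.1\r\nHost: example.test\r\n"
        "CoNtEnT-tYpE:IMAGE/GIF\r\n\r\nGIF89a..."
    ),
    # Two spaces after the colon: \x20? allows at most one, so no match.
    "two_spaces": (
        "POST /upload HTTP/1.1\r\nHost: example.test\r\n"
        "Content-Type:  image/gif\r\n\r\nGIF89a..."
    ),
    "png": (
        "POST /upload HTTP/1.1\r\nHost: example.test\r\n"
        "Content-Type: image/png\r\n\r\n\x89PNG..."
    ),
    # The string appears only in the body, which the header regex ignores.
    "in_body_only": (
        "POST /upload HTTP/1.1\r\nHost: example.test\r\n"
        "Content-Type: text/plain\r\n\r\nContent-Type: image/gif"
    ),
}


def evaluate_all(mime_type: str) -> dict:
    """Run the regex for one MIME type over every sample and return name -> bool."""
    return {name: header_matches(req, mime_type) for name, req in REQUESTS.items()}


if __name__ == "__main__":
    print(build_header_regex("image/gif"))
    for name, hit in evaluate_all("image/gif").items():
        print(f"{name:22s} {'MATCH' if hit else 'no match'}")
```

The two_spaces sample shows the practical limit of \x20?: it tolerates zero or one space after the colon, so a header padded with two spaces or a tab slips past this exact pattern. If that matters for the traffic being inspected, the optional-space part of the regex is the place to loosen it.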
Current thread:
- Cisco IPS 5.1 Velasquez Venegas Jaime Omar (Nov 21)
- <Possible follow-ups>
- RE: Cisco IPS 5.1 Gary Halleen (ghalleen) (Nov 22)
- RE: Cisco IPS 5.1 Nick Smith (nicksmi) (Nov 22)
- RE: Cisco IPS 5.1 Velasquez Venegas Jaime Omar (Nov 22)
- Re: Cisco IPS 5.1 Sanjay R (Nov 23)