https://community.cisco.com/t5/network-security/ips-custom-signature-url-alert/m-p/1994373#M54819 <HTML><HEAD></HEAD><BODY><P> OK, thank you for your quick response.</P></BODY></HTML> Mon, 06 Aug 2012 19:45:35 GMT Shannon Sutter 2012-08-06T19:45:35Z https://community.cisco.com/t5/network-security/ips-custom-signature-url-alert/m-p/1994371#M54811 <P>I just need a little help with one simple custom signature.</P><P>I am running a ASA-SSM-10 on a ASA5520.</P><P>IPS Version: 7.0(7)E4</P><P></P><DIV><DIV><P>I've been trying to customized a signature to send/log alerts if someone is accessing <A href="http://www.dropbox.com/" rel="nofollow" target="_blank">www.dropbox.com</A> and can't get it to work.</P><P>I have read multiple posts and ended up configuring the custom signature like this: (based on Cisco 3204 signature)</P><P></P><P>Using engine == <STRONG>Service-HTTP</STRONG></P><P>URI regex == <STRONG>[.][Dd][Rr][Oo][Pp][Bb][Oo][Xx]</STRONG></P><P>service ports == #<STRONG>WEBPORTS</STRONG></P><P></P><P>The status is enabled and the Event action is Produce Alert.</P><P><SPAN style="text-decoration: underline;">Am I missing something? I am not getting any alerts.</SPAN></P><P>I have attached a screenshot of the custom sig. </P><P>Any help will be great, thanks in advance.</P><P></P><P>Zeek</P></DIV></DIV> Sun, 10 Mar 2019 12:44:52 GMT https://community.cisco.com/t5/network-security/ips-custom-signature-url-alert/m-p/1994371#M54811 Shannon Sutter 2019-03-10T12:44:52Z https://community.cisco.com/t5/network-security/ips-custom-signature-url-alert/m-p/1994372#M54814 <HTML><HEAD></HEAD><BODY><P>That can't work as Dropbox is using HTTPS and the IPS can't look into these encrypted sessions. Your signature will only work for sessions that use plain HTTP.</P></BODY></HTML> Mon, 06 Aug 2012 19:33:41 GMT https://community.cisco.com/t5/network-security/ips-custom-signature-url-alert/m-p/1994372#M54814 Karsten Iwen 2012-08-06T19:33:41Z https://community.cisco.com/t5/network-security/ips-custom-signature-url-alert/m-p/1994373#M54819 <HTML><HEAD></HEAD><BODY><P> OK, thank you for your quick response.</P></BODY></HTML> Mon, 06 Aug 2012 19:45:35 GMT https://community.cisco.com/t5/network-security/ips-custom-signature-url-alert/m-p/1994373#M54819 Shannon Sutter 2012-08-06T19:45:35Z https://community.cisco.com/t5/network-security/ips-custom-signature-url-alert/m-p/1994374#M54820 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P></P><P>Actually, "dropbox.com" will appear in the Hostname in the traffic, but in the custom signature, you are using uri-regex. If you change it to header-regex, it might work.</P><P></P><P>Secondly, we have sig 38686 subsigs 0 and 1 to detect Dropbox usage. Subsig 0 in service-http is what you might be looking for. These sigs were released in S604.</P><P></P><P>Hope this helps,</P><P>Radhika</P></BODY></HTML> Fri, 10 Aug 2012 22:32:37 GMT https://community.cisco.com/t5/network-security/ips-custom-signature-url-alert/m-p/1994374#M54820 rupadras 2012-08-10T22:32:37Z https://community.cisco.com/t5/network-security/ips-custom-signature-url-alert/m-p/1994375#M54824 <HTML><HEAD></HEAD><BODY><P> Thanks a lot! It is what I needed to know.</P></BODY></HTML> Mon, 13 Aug 2012 14:57:05 GMT https://community.cisco.com/t5/network-security/ips-custom-signature-url-alert/m-p/1994375#M54824 Shannon Sutter 2012-08-13T14:57:05Z