https://community.cisco.com/t5/network-security/ips-custom-signature-http-not-found/m-p/709400#M92309 <HTML><HEAD></HEAD><BODY><P>Thank you very much, it works. </P><P></P></BODY></HTML> Tue, 26 Sep 2006 15:37:47 GMT csiszerakos2 2006-09-26T15:37:47Z https://community.cisco.com/t5/network-security/ips-custom-signature-http-not-found/m-p/709396#M92302 <P>Hi,</P><P></P><P>I would like to create a signature which fires when a server reports HTTP Not found.</P><P>For testing purposes I have used space ([\x20]) for matching regexp. It does not work. When I </P><P>set the direction from "from-service" to "to-service" it works. Does someone have an idea? </P><P>There are no filters. </P><P></P><P>The signature is the following:</P><P></P><P> sig-id: 60008</P><P> subsig-id: 0</P><P> -----------------------------------------------</P><P> alert-severity: medium default: medium</P><P> sig-fidelity-rating: 100 default: 75</P><P> promisc-delta: 10 default: 0</P><P> sig-description</P><P> -----------------------------------------------</P><P> sig-name: HTTP not found v2 default: My Sig</P><P> sig-string-info: HTTP not found default: My Sig Info</P><P> sig-comment: Sig Comment default: Sig Comment</P><P> alert-traits: 0 default: 0</P><P> release: custom default: custom</P><P> -----------------------------------------------</P><P> engine</P><P> -----------------------------------------------</P><P> string-tcp</P><P> -----------------------------------------------</P><P> event-action: produce-alert default: produce-alert</P><P> strip-telnet-options: false default: false</P><P> specify-min-match-length</P><P> -----------------------------------------------</P><P> no</P><P> -----------------------------------------------</P><P> -----------------------------------------------</P><P> -----------------------------------------------</P><P> regex-string: [\x20]</P><P> service-ports: 80</P><P> direction: from-service default: to-service</P><P> specify-exact-match-offset</P><P> -----------------------------------------------</P><P> no</P><P> -----------------------------------------------</P><P> specify-max-match-offset</P><P> -----------------------------------------------</P><P> no</P><P> -----------------------------------------------</P><P> -----------------------------------------------</P><P> -----------------------------------------------</P><P> specify-min-match-offset</P><P> -----------------------------------------------</P><P> no</P><P> -----------------------------------------------</P><P> -----------------------------------------------</P><P> -----------------------------------------------</P><P> -----------------------------------------------</P><P> -----------------------------------------------</P><P> swap-attacker-victim: false default: false</P><P> -----------------------------------------------</P><P> -----------------------------------------------</P><P> event-counter</P><P> -----------------------------------------------</P><P> event-count: 1 default: 1</P><P> event-count-key: Axxx default: Axxx</P><P> specify-alert-interval</P><P> -----------------------------------------------</P><P> no</P><P> -----------------------------------------------</P><P> -----------------------------------------------</P><P> -----------------------------------------------</P><P></P> Sun, 10 Mar 2019 10:14:28 GMT https://community.cisco.com/t5/network-security/ips-custom-signature-http-not-found/m-p/709396#M92302 csiszerakos2 2019-03-10T10:14:28Z https://community.cisco.com/t5/network-security/ips-custom-signature-http-not-found/m-p/709397#M92303 <HTML><HEAD></HEAD><BODY><P>The "from-service" just means the signature fires when the source port is 80. The default, "to-service", fires only if you are connecting to a destination port of 80. Basically the "from-service" fires on return web traffic only, which is what should happen. Not sure why they made the default "to-service" (doesn't make much sense).</P></BODY></HTML> Mon, 25 Sep 2006 20:19:19 GMT https://community.cisco.com/t5/network-security/ips-custom-signature-http-not-found/m-p/709397#M92303 jwalker 2006-09-25T20:19:19Z https://community.cisco.com/t5/network-security/ips-custom-signature-http-not-found/m-p/709398#M92305 <HTML><HEAD></HEAD><BODY><P>Yes, you are right. I want to check traffic ("Not found") in packetes which source port is tcp/80. I think "from-service" should be used as seen in the config. (I hope default: to-service just means that the default setting is to-service, but now the setting is "from-service") </P></BODY></HTML> Tue, 26 Sep 2006 05:46:24 GMT https://community.cisco.com/t5/network-security/ips-custom-signature-http-not-found/m-p/709398#M92305 csiszerakos2 2006-09-26T05:46:24Z https://community.cisco.com/t5/network-security/ips-custom-signature-http-not-found/m-p/709399#M92307 <HTML><HEAD></HEAD><BODY><P>Take a look at 6256-0 for an example of how Cisco does this. That signature detects HTTP status code 401. Clone and change to 404 and you're in business. You'll want to tweak the event count and alert frequency settings of course.</P></BODY></HTML> Tue, 26 Sep 2006 14:15:57 GMT https://community.cisco.com/t5/network-security/ips-custom-signature-http-not-found/m-p/709399#M92307 mhellman 2006-09-26T14:15:57Z https://community.cisco.com/t5/network-security/ips-custom-signature-http-not-found/m-p/709400#M92309 <HTML><HEAD></HEAD><BODY><P>Thank you very much, it works. </P><P></P></BODY></HTML> Tue, 26 Sep 2006 15:37:47 GMT https://community.cisco.com/t5/network-security/ips-custom-signature-http-not-found/m-p/709400#M92309 csiszerakos2 2006-09-26T15:37:47Z