I just need a little help with one simple custom signature.
I am running an ASA-SSM-10 on an ASA5520.
IPS Version: 7.0(7)E4
I've been trying to customize a signature to send/log alerts if someone is accessing www.dropbox.com and can't get it to work.
I have read multiple posts and ended up configuring the custom signature like this: (based on Cisco 3204 signature)
Using engine == Service-HTTP
URI regex == [.][Dd][Rr][Oo][Pp][Bb][Oo][Xx]
service ports == #WEBPORTS
The status is enabled and the Event action is Produce Alert.
Am I missing something? I am not getting any alerts.
I have attached a screenshot of the custom sig.
Any help will be great, thanks in advance.
That can't work as Dropbox is using HTTPS and the IPS can't look into these encrypted sessions. Your signature will only work for sessions that use plain HTTP.
Actually, "dropbox.com" will appear in the Hostname in the traffic, but in the custom signature, you are using uri-regex. If you change it to header-regex, it might work.
Secondly, we have sig 38686 subsigs 0 and 1 to detect Dropbox usage. Subsig 0 in service-http is what you might be looking for. These sigs were released in S604.
Hope this helps,
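To make the two replies concrete, here is an added illustration. It is not part of the thread and does not reproduce the Cisco Service-HTTP engine. It applies the regex from the question separately to the request URI and to the header block of constructed sample payloads. The function names and sample bytes are assumptions made for the example.

```python
import re

# Regex copied from the custom signature in the question.
SIG_REGEX = re.compile(rb"[.][Dd][Rr][Oo][Pp][Bb][Oo][Xx]")

# Constructed sample payloads (first client-to-server bytes of a session).
HTTP_WWW = (b"GET / HTTP/1.1\r\nHost: www.dropbox.com\r\n"
            b"User-Agent: example\r\n\r\n")
HTTP_BARE = b"GET /login HTTP/1.1\r\nHost: dropbox.com\r\n\r\n"
# Constructed stand-in for the opening bytes of an encrypted (TLS) session.
TLS_BYTES = b"\x16\x03\x01\x00\x2e\x01\x00\x00\x2a\x03\x03" + b"\x00" * 32

METHODS = (b"GET", b"POST", b"HEAD", b"PUT", b"DELETE", b"OPTIONS")


def split_request(payload):
    """Return (uri, header_block) for a plain HTTP request, else None."""
    head, sep, _body = payload.partition(b"\r\n\r\n")
    if not sep:
        return None
    request_line, _, header_block = head.partition(b"\r\n")
    parts = request_line.split(b" ")
    if len(parts) != 3 or parts[0] not in METHODS:
        return None
    return parts[1], header_block


def match_fields(payload):
    """Report which request fields the signature regex matches."""
    parsed = split_request(payload)
    if parsed is None:
        # Not parseable as HTTP, so there is no URI or header to inspect.
        return {"http": False, "uri": False, "header": False}
    uri, headers = parsed
    return {"http": True,
            "uri": bool(SIG_REGEX.search(uri)),
            "header": bool(SIG_REGEX.search(headers))}


if __name__ == "__main__":
    for name, sample in (("www host", HTTP_WWW), ("bare host", HTTP_BARE),
                         ("tls bytes", TLS_BYTES)):
        print(name, match_fields(sample))
```

The bare-host sample shows one more gap: because the pattern starts with a literal dot, a request whose Host header is `dropbox.com` with no subdomain is not matched in either field.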