05-10-2006 10:51 PM - edited 03-10-2019 03:00 AM
Can someone please explain briefly when should I use the HTTP/FTP AIC signature engine over any other type?
I ask this question because, for instance, FTP commands can be looked for in the String TCP engine, the Atomic TCP engine or the FTP AIC engine, but which one is best and why?
05-11-2006 02:30 AM
The AIC HTTP/FTP engines analyze more specific details related to the services (Service FTP, Service HTTP, and much more than an atomic signature), like what kind of objects you can or cannot download from a web server (image, video, audio, etc.) or what kind of commands are performed in an FTP connection (you can analyze many more details in an HTTP connection, but in an FTP connection only command analysis is allowed).
You can use AIC to analyze specific things after the session is established, when you want to control what the user does with your web server.
Use the HTTP service to find kinds of attacks like buffer overflows, or specific attacks in the URL request like directory traversal.
I hope this helps (please rate if it does).
Alberto Giorgi from Spain.
05-11-2006 11:51 AM
Just to add to what Alberto has already said.
One of the distinct differences is that the AIC engines have a few signatures that cannot be created in any other engine. These include:
12674 Alarm on non-http traffic
12676 Request Method Not Recognized
12686 Recognized Transfer Encoding
12673 Recognized Content Type
12900 Unrecognized FTP Command
Standard signatures will look for a string and will fire the alert when the string IS seen in the connection.
BUT the above signatures work differently. Instead of firing an alert when the string is seen, these signatures fire an alert when NONE of the strings in the signature are seen in the connection.
In the case of 12674 the sensor will fire on web port connections that do NOT look like normal web connections (no URL request is present). Some other protocol may be running on the standard web port. The sensor will alert on this non-web traffic on a web port and deny the connection.
Under normal signature writing we would have to write a signature to match every other protocol and see if it is running on a web port. That would be pretty much impossible given the number of protocols. So instead we can use this one sig and fire on everything that is NOT web traffic on a web port.
The other 4 signatures are very similar.
For example, 12676 has a list of allowed web request methods (GET, HEAD, POST, etc.). If the sensor sees a request method that is NOT in this list, then it fires the alert (and denies the connection).
This prevents unknown web request methods from entering your network.
The other signatures listed above are similarly constructed for the type of data they are built to look for.
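The allow-list behaviour described in this answer, as an added example that is not part of the thread or of Cisco's sensor code: a constructed Python sketch contrasting a standard positive string signature (fires when the string IS seen) with an AIC-style check that fires only when NONE of the expected forms match the first line on a web port. The allowed-method list, the request-line pattern and the sample payloads are constructed assumptions, not the sensor's actual configuration.

```python
import re
from typing import Dict, List

# Constructed allow-list of request methods (stands in for the sensor's
# configurable list behind a signature like 12676; not Cisco's real list).
ALLOWED_METHODS = {"GET", "HEAD", "POST", "PUT", "DELETE", "OPTIONS", "TRACE"}

# Shape of an HTTP request line: METHOD SP URI SP HTTP/x.y (assumed form).
REQUEST_LINE = re.compile(rb"^([A-Z]+) (\S+) HTTP/\d\.\d\r?$")


def positive_match(payload: bytes, pattern: bytes) -> bool:
    """Standard string signature: fire when the pattern IS present."""
    return pattern in payload


def allow_list_alerts(payload: bytes) -> List[str]:
    """AIC-style inspection of the first line of a connection on a web port.

    Fires when none of the expected forms match:
      'non-http'       -> no HTTP request line at all (cf. 12674 in the thread)
      'unknown-method' -> request line present, method not in the allow-list
                          (cf. 12676 in the thread)
    Returns an empty list for a recognized request.
    """
    first_line = payload.split(b"\n", 1)[0]
    m = REQUEST_LINE.match(first_line)
    if m is None:
        return ["non-http"]
    method = m.group(1).decode("ascii")
    if method not in ALLOWED_METHODS:
        return ["unknown-method"]
    return []


# Constructed sample payloads as they might arrive on TCP/80 (not captures).
SAMPLES = {
    "normal": b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n",
    "odd_method": b"FOOBAR /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n",
    "ssh_on_80": b"SSH-2.0-OpenSSH_7.4\r\n",
    "traversal": b"GET /../../etc/passwd HTTP/1.1\r\nHost: example.test\r\n\r\n",
}


def run() -> Dict[str, List[str]]:
    """Apply the allow-list check to every constructed sample."""
    return {name: allow_list_alerts(p) for name, p in SAMPLES.items()}


if __name__ == "__main__":
    for name, alerts in run().items():
        print(f"{name:11s} allow-list alerts: {alerts or 'none'}; "
              f"string sig '../' seen: {positive_match(SAMPLES[name], b'../')}")
```

The traversal sample passes the allow-list check but trips the positive string signature, while the SSH banner and unknown method trip only the allow-list check, which is the complementary coverage the answer describes.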