cisco IPS skipfish detection

ngtransge
Level 1

Hello,

Is there any signature to detect skipfish-type applications with Cisco IPS when the web server is running HTTPS?

Or is it possible to write my own custom signatures, and which engine would do that?

2 Replies

When your site is running HTTPS, your IPS doesn't have any insight into the L7 communication. But that's needed to see what a web application scanner is doing.

I've implemented a workaround for a similar situation the following way with the ASA-IPS-module:

You deploy two DMZs: one with an HTTPS-terminating reverse proxy. This reverse proxy forwards the traffic to the real HTTP server in another DMZ. Now you can inspect the cleartext traffic between the Proxy-DMZ and the Server-DMZ with the ASA-IPS. With an IPS appliance you could plug a promiscuous interface into the server DMZ to only see the clear traffic.

After the sensor sees the cleartext, there are numerous built-in signatures to detect these scans.

-- 
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni
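One way to build the reverse-proxy leg of that two-DMZ design, as an added example that is not part of the original thread: an nginx server block that terminates HTTPS in the Proxy-DMZ and forwards plain HTTP to the web server in the Server-DMZ, which is the link the IPS inspects. The hostname, backend address and certificate paths are assumptions.

```nginx
# Added example (not from the original thread): HTTPS-terminating reverse proxy
# in the Proxy-DMZ, forwarding cleartext HTTP to the real web server in the
# Server-DMZ so the IPS sitting between the two DMZs sees Layer-7 traffic.
# Hostname, addresses and certificate paths below are assumptions.

# Backend in the Server-DMZ; the IPS inspects traffic on this leg.
upstream server_dmz_backend {
    server 10.20.0.10:80;   # assumed address of the real HTTP server
}

server {
    listen 443 ssl;
    server_name www.example.com;   # assumed public name

    ssl_certificate     /etc/ssl/certs/www.example.com.crt;   # assumed path
    ssl_certificate_key /etc/ssl/private/www.example.com.key; # assumed path
    ssl_protocols       TLSv1.2 TLSv1.3;

    location / {
        # Forward as plain HTTP across the DMZ boundary the IPS monitors.
        proxy_pass http://server_dmz_backend;

        # Preserve the original request details so the backend (and anyone
        # reviewing its logs or IPS alerts) still sees the real client.
        proxy_set_header Host              $host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
    }
}

# Redirect any plain-HTTP request hitting the proxy to HTTPS, so the only
# cleartext leg is the proxy-to-backend one inside the DMZ.
server {
    listen 80;
    server_name www.example.com;
    return 301 https://$host$request_uri;
}
```

The IPS sensor (inline between the DMZs, or on a promiscuous interface in the Server-DMZ) then sees the unencrypted requests and can match its built-in web scanner signatures against them.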

If you have a load balancer with virtual sensor support, the IPS can be placed between two virtual sensors.  The virtual sensor decrypts and forwards traffic to the IPS.  The IPS forwards the traffic to the second virtual sensor which re-encrypts the flow.
