Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
Bookmark
|
Subscribe
|
769
Views
4
Helpful
2
Replies

cisco IPS skipfish detection

ngtransge
Level 1
Level 1

‎01-26-2013 08:47 AM - edited ‎03-10-2019 05:52 AM

Hello,

Is there any signature to detect skipfish kind of application with Cisco IPS, when web server is running https ?

Or is it possible to write own custom signatures and with engine will do that ?

Labels:
0 Helpful
2 Replies 2

Karsten Iwen
VIP
VIP

‎01-27-2013 06:39 AM

When your site is running HTTPS, then your IPS doesn't have any insight into the L7-communication. But that's needed to see what an Web-application-scanner is doing.

I've implemented a workaround for a similar situation the following way with the ASA-IPS-module:

You deploy two DMZs: One with an HTTPS terminating reverse-proxy. This reverse-proxy forwards the traffic to the real HTTP-Server in another DMZ. Now you can inspect the cleartext-traffic between the Proxy-DMZ and the Server-DMZ with the ASA-IPS. With an IPS-appliance you could plug a promiscous interface into the server DMZ to only see the clear traffic.

After the sensor sees the clear-text, there are numerous build-in signatures to detect these scannings.

-- 
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni

anikapur
Level 1
Level 1
In response to Karsten Iwen

‎01-27-2013 09:34 PM

If you have a load balancer with virtual sensor support, the IPS can be placed between two virtual sensors.  The virtual sensor decrypts and forwards traffic to the IPS.  The IPS forwards the traffic to the second virtual sensor which re-encrypts the flow.

0 Helpful
Review Cisco Networking for a $25 gift card
Top