01-26-2013 08:47 AM - edited 03-10-2019 05:52 AM
Hello,
Is there any signature to detect skipfish-kind applications with Cisco IPS when the web server is running HTTPS?
Or is it possible to write your own custom signatures, and which engine would do that?
01-27-2013 06:39 AM
When your site is running HTTPS, your IPS doesn't have any insight into the L7 communication. But that's needed to see what a web-application scanner is doing.
I've implemented a workaround for a similar situation the following way with the ASA IPS module:
You deploy two DMZs: one with an HTTPS-terminating reverse proxy. This reverse proxy forwards the traffic to the real HTTP server in another DMZ. Now you can inspect the cleartext traffic between the proxy DMZ and the server DMZ with the ASA IPS. With an IPS appliance you could plug a promiscuous interface into the server DMZ to only see the clear traffic.
After the sensor sees the cleartext, there are numerous built-in signatures to detect these scans.
--
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni
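The kind of check the sensor can only run once it sees the cleartext leg, as an added example (Python written for this page, not the poster's setup and not Cisco IPS signature code): a small analyzer over constructed combined-format access-log lines that applies two of the checks a scanner signature would, a content match on the User-Agent and a behavioural match on a burst of probes that mostly miss. The `SF/` User-Agent token is assumed to be skipfish's default and should be confirmed against the version in use; the thresholds, IP addresses and log lines are assumptions for illustration. One client in the sample sends a browser User-Agent and is caught only by the behavioural rule, which is the case a practitioner cares about because a scanner's User-Agent is trivially changed. None of this works on the HTTPS leg: the request line, path and headers are inside the TLS record.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample (not real traffic): combined-format access-log lines as the
# backend in the server DMZ would record them after TLS termination on the proxy.
SAMPLE_LOG = """\
10.1.2.50 - - [27/Jan/2013:06:30:01 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (Windows NT 6.1; rv:18.0) Gecko/20100101 Firefox/18.0"
10.1.2.50 - - [27/Jan/2013:06:30:03 +0000] "GET /css/site.css HTTP/1.1" 200 812 "https://www.example.com/index.html" "Mozilla/5.0 (Windows NT 6.1; rv:18.0) Gecko/20100101 Firefox/18.0"
10.1.2.50 - - [27/Jan/2013:06:30:04 +0000] "GET /js/app.js HTTP/1.1" 200 4010 "https://www.example.com/index.html" "Mozilla/5.0 (Windows NT 6.1; rv:18.0) Gecko/20100101 Firefox/18.0"
10.1.2.99 - - [27/Jan/2013:06:31:00 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0 SF/2.10b"
10.1.2.99 - - [27/Jan/2013:06:31:00 +0000] "GET /admin/ HTTP/1.1" 404 162 "-" "Mozilla/5.0 SF/2.10b"
10.1.2.99 - - [27/Jan/2013:06:31:00 +0000] "GET /backup.zip HTTP/1.1" 404 162 "-" "Mozilla/5.0 SF/2.10b"
10.1.2.99 - - [27/Jan/2013:06:31:01 +0000] "GET /.git/config HTTP/1.1" 404 162 "-" "Mozilla/5.0 SF/2.10b"
10.1.2.99 - - [27/Jan/2013:06:31:01 +0000] "GET /index.html?id=1' HTTP/1.1" 500 301 "-" "Mozilla/5.0 SF/2.10b"
10.1.2.99 - - [27/Jan/2013:06:31:01 +0000] "GET /cgi-bin/test.cgi HTTP/1.1" 404 162 "-" "Mozilla/5.0 SF/2.10b"
10.1.2.77 - - [27/Jan/2013:06:32:00 +0000] "GET /old-page.html HTTP/1.1" 404 162 "-" "curl/7.26.0"
10.1.2.120 - - [27/Jan/2013:06:33:00 +0000] "GET /phpmyadmin/ HTTP/1.1" 404 162 "-" "Mozilla/5.0 (Windows NT 6.1; rv:18.0) Gecko/20100101 Firefox/18.0"
10.1.2.120 - - [27/Jan/2013:06:33:00 +0000] "GET /wp-login.php HTTP/1.1" 404 162 "-" "Mozilla/5.0 (Windows NT 6.1; rv:18.0) Gecko/20100101 Firefox/18.0"
10.1.2.120 - - [27/Jan/2013:06:33:00 +0000] "GET /.htaccess HTTP/1.1" 403 199 "-" "Mozilla/5.0 (Windows NT 6.1; rv:18.0) Gecko/20100101 Firefox/18.0"
10.1.2.120 - - [27/Jan/2013:06:33:01 +0000] "GET /server-status HTTP/1.1" 404 162 "-" "Mozilla/5.0 (Windows NT 6.1; rv:18.0) Gecko/20100101 Firefox/18.0"
10.1.2.120 - - [27/Jan/2013:06:33:01 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (Windows NT 6.1; rv:18.0) Gecko/20100101 Firefox/18.0"
10.1.2.120 - - [27/Jan/2013:06:33:02 +0000] "GET /config.bak HTTP/1.1" 404 162 "-" "Mozilla/5.0 (Windows NT 6.1; rv:18.0) Gecko/20100101 Firefox/18.0"
"""

# Combined log format: client ident user [time] "request" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Content signature. Assumption: skipfish's default User-Agent carries an
# "SF/<version>" token; verify against the version you are testing with.
SCANNER_UA_RE = re.compile(r"\bSF/\d")

# Behavioural signature thresholds (assumed values, tune to the site's traffic):
# flag a client that sends at least MIN_REQUESTS requests, of which at least
# MAX_ERROR_RATIO are 4xx/5xx, at a sustained rate of MIN_RATE requests/second.
MIN_REQUESTS = 5
MAX_ERROR_RATIO = 0.5
MIN_RATE = 2.0


def parse(log_text):
    """Yield one dict per parseable log line; unparseable lines are skipped."""
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        rec = m.groupdict()
        rec["status"] = int(rec["status"])
        rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
        yield rec


def analyze(log_text):
    """Return {client_ip: [reasons]} for every client that trips a rule."""
    per_ip = defaultdict(list)
    for rec in parse(log_text):
        per_ip[rec["ip"]].append(rec)

    findings = {}
    for ip, recs in per_ip.items():
        reasons = []

        # Rule 1: content match on the User-Agent header (cheap, easily evaded).
        if any(SCANNER_UA_RE.search(r["ua"]) for r in recs):
            reasons.append("scanner user-agent")

        # Rule 2: behavioural match, independent of what the client claims to be.
        n = len(recs)
        errors = sum(1 for r in recs if r["status"] >= 400)
        span = (max(r["ts"] for r in recs) - min(r["ts"] for r in recs)).total_seconds()
        rate = n / max(span, 1.0)  # avoid division by zero for a single-second burst
        if n >= MIN_REQUESTS and errors / n >= MAX_ERROR_RATIO and rate >= MIN_RATE:
            reasons.append(f"burst of probes: {n} requests, {errors} errors in {span:.0f}s")

        if reasons:
            findings[ip] = reasons
    return findings


if __name__ == "__main__":
    for ip, reasons in analyze(SAMPLE_LOG).items():
        print(ip, "->", "; ".join(reasons))
```

The one-off 404 from `curl` and the normal browser session are not flagged, the client advertising the scanner token is flagged by both rules, and the client with a browser User-Agent is flagged by the probe-burst rule alone. A production sensor applies many more signatures on the same cleartext (path patterns for known backup and admin files, injection payloads in query strings), but all of them need the plaintext request, which is exactly why the proxy-DMZ to server-DMZ leg has to be the one the IPS watches.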
01-27-2013 09:34 PM
If you have a load balancer with virtual sensor support, the IPS can be placed between two virtual sensors. The virtual sensor decrypts and forwards traffic to the IPS. The IPS forwards the traffic to the second virtual sensor which re-encrypts the flow.