03-08-2005 07:43 PM - edited 03-10-2019 01:19 AM
No matter what I try I cannot get the IDS to fire an alarm on a custom service.http signature I'm trying to write. All I want is an alarm to fire when an internet user tries to issue an http request: PUT /index.htm
No matter where I add the RegEx or what field I put it in it doesn't fire. Maybe I'm putting in the wrong RegEx (needs to be case insensitive) ??
Help!
03-09-2005 07:42 AM
What version of the IDS software are you running? Can you paste the parameters of the regex field on your custom sig?
03-09-2005 08:05 AM
Hi sure thing:
4.1-4 S150
RequestRegex: [Pp][Uu][Tt].*[/][Ii][Nn][Dd][Ee][Xx][.][Hh][Tt][Mm]
Everything else in the service.http custom sig is default.
My understanding is that the RequestRegex field will match any RegEx found in the entire HTTP request. Is there a more appropriate field that can be used, and is this matching expression sufficient? Thanks!
03-09-2005 08:45 AM
The service.http engine will not allow you to specify the HTTP method used. The engine does interpret GET, POST and HEAD requests, but the method is not user accessible. The RequestRegex parameter actually starts at the beginning of the URI. To accomplish what you want, you'll need to use the string.tcp engine. The string engine is less specialized than the HTTP engine, but it's a little more flexible for what you need. You can use the same regex.
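Added example (not part of the thread, and not Cisco code): Python's `re` stands in for the sensor's regex engine to show why the posted pattern cannot fire when matching starts at the URI, as the reply above describes, and does fire when the whole TCP payload is searched. The helpers `uri_view` and `stream_view`, the sample requests and the tightened pattern are assumptions made for illustration; the last sample shows the posted `.*` also matching a GET for /input/index.htm.

```python
import re

# Regex exactly as posted in the thread (case-insensitivity via character classes).
POSTED = re.compile(r"[Pp][Uu][Tt].*[/][Ii][Nn][Dd][Ee][Xx][.][Hh][Tt][Mm]")
# Hypothetical tightened variant: only spaces allowed between the method and the path.
TIGHT = re.compile(r"[Pp][Uu][Tt][ ]+[/][Ii][Nn][Dd][Ee][Xx][.][Hh][Tt][Mm]")


def uri_view(payload: bytes) -> str:
    """Model of what the reply says RequestRegex sees: text starting at the URI."""
    request_line = payload.split(b"\r\n", 1)[0].decode("latin-1")
    parts = request_line.split(" ", 1)
    return parts[1] if len(parts) == 2 else ""


def stream_view(payload: bytes) -> str:
    """Model of a string.tcp-style match: the raw payload, method included."""
    return payload.decode("latin-1")


def fires(pattern, text: str) -> bool:
    return pattern.search(text) is not None


# Constructed sample requests (not captured traffic).
SAMPLES = {
    "put_index": b"PUT /index.htm HTTP/1.0\r\nHost: www.example.com\r\n\r\n",
    "put_lower": b"put /INDEX.HTM HTTP/1.0\r\nHost: www.example.com\r\n\r\n",
    "get_index": b"GET /index.htm HTTP/1.0\r\nHost: www.example.com\r\n\r\n",
    "get_input": b"GET /input/index.htm HTTP/1.0\r\nHost: www.example.com\r\n\r\n",
}


def evaluate():
    """Return {sample: (posted on URI only, posted on stream, tightened on stream)}."""
    rows = {}
    for name, payload in SAMPLES.items():
        rows[name] = (
            fires(POSTED, uri_view(payload)),
            fires(POSTED, stream_view(payload)),
            fires(TIGHT, stream_view(payload)),
        )
    return rows


if __name__ == "__main__":
    for name, (uri, stream, tight) in evaluate().items():
        print(f"{name:10} uri-only={uri!s:5} stream={stream!s:5} tightened={tight}")
```

The tightened pattern has not been checked against the sensor's regex syntax; it only illustrates bounding what may appear between the method and the path.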
03-09-2005 02:06 PM
Please note that the next release of IDS, which is 5.0, will have built-in sigs under Application Inspection Engine to block and alert on seeing the methods like PUT, POST, HEAD, etc. in the web requests.