Customized SERVICE HTTP signatures
12-13-2005 08:56 AM - edited 03-10-2019 01:47 AM
Starting this thread to gather input on creating custom HTTP signatures to detect specific URL sites. Has anyone used the regex in IPS 5.x to specify a certain web URL to log or deny?
Ex: Signature that can detect, log or block www.yahoo.com
12-13-2005 09:04 AM
Here is one example, please share others:
The URI is the stuff after the URL:
Example:
www.cisco.com/index.cgi?name=billy
The URI is: /index.cgi?name=billy
The host field in the HTTP header is:
So look for [Ww][Ww][Ww][.][Cc][Ii][Ss][Cc][Oo][.][Cc][Oo][Mm] in the header section and if you know the rest of the URL you can append that section in the URI:
[\x2f\x5c][Ii][Nn][Dd][Ee][Xx][.][Cc][Gg][Ii]
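
Added example, not part of the original thread: the two patterns from the post above, applied to the Host header and the request URI of constructed sample requests so their coverage can be checked before a log or deny action is attached. Python's `re` module stands in for the sensor's regex engine here, and `split_request`, `classify` and the sample requests are hypothetical names and data made up for this sketch.

```python
import re

# Patterns copied from the post above; Python's re is a stand-in for the sensor's regex engine.
HOST_RE = re.compile(r"[Ww][Ww][Ww][.][Cc][Ii][Ss][Cc][Oo][.][Cc][Oo][Mm]")
URI_RE = re.compile(r"[\x2f\x5c][Ii][Nn][Dd][Ee][Xx][.][Cc][Gg][Ii]")


def split_request(raw: bytes):
    """Return (uri, headers) from a raw HTTP/1.x request; header names lower-cased."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    lines = head.split("\r\n")
    parts = lines[0].split(" ")
    uri = parts[1] if len(parts) >= 2 else ""
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return uri, headers


def classify(raw: bytes) -> str:
    """'host+uri' if both patterns hit, 'host' if only the Host header does, else 'none'."""
    uri, headers = split_request(raw)
    if not HOST_RE.search(headers.get("host", "")):
        return "none"
    return "host+uri" if URI_RE.search(uri) else "host"


# Constructed sample requests (not captured traffic).
SAMPLES = {
    "exact": b"GET /index.cgi?name=billy HTTP/1.1\r\nHost: www.cisco.com\r\n\r\n",
    "mixed_case": b"GET /INDEX.CGI?name=billy HTTP/1.1\r\nhost: WWW.Cisco.COM\r\n\r\n",
    "other_path": b"GET /about.html HTTP/1.1\r\nHost: www.cisco.com\r\n\r\n",
    "other_host": b"GET /index.cgi HTTP/1.1\r\nHost: www.example.org\r\n\r\n",
    # The pattern is unanchored, so a longer hostname containing it also matches.
    "suffix_host": b"GET /index.cgi HTTP/1.1\r\nHost: www.cisco.com.example.net\r\n\r\n",
    # Outside the pattern's coverage: the Host value has no "www." label.
    "bare_domain": b"GET /index.cgi HTTP/1.1\r\nHost: cisco.com\r\n\r\n",
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(f"{name:12} -> {classify(raw)}")
```

The `suffix_host` and `bare_domain` cases show where the pattern as written is broader or narrower than the single site it was meant for, which matters before switching the action from log to deny.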
