
False negative for bearshare (11004)

darin.marais

In the IPS there is a signature for bearshare (11004).

I have downloaded the latest version of bearshare (version 6.0) and tested it against the IPS. It seems that the writers of the software have changed their approach, as the IPS is unable to detect the file download.

Is there someone from Cisco on this list that would be able to work with me to develop a new signature?

2 Replies

darin.marais

I would like to stop the "bearshare login" from happening.

I have captured a packet of data and the packet contains:

Hypertext Transfer Protocol

POST /registration/account.php?function=login HTTP/1.1\r\n

Request Method: POST

Request URI: /registration/account.php?function=login

Request Version: HTTP/1.1

1. How will the custom signature and the regex look in order to alert and deny the following string?

2. Must I use the string.http engine?

1. Take a look at 3101-1 for a simple URL-based example. You might even clone it to start your new sig. What you captured above does not include the full URL or the actual POST'ed data though. You might be able to tighten up the signature based on that data.

2. Did you have another engine in mind? This engine lets you perform regex matches on specific parts of an HTTP request, so it seems like the best choice.

Does your outbound web traffic go through a proxy and do you do any outbound URL filtering? That is typically the best way to block HTTP traffic.
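
A way to prototype the match logic for the captured request before committing it to a custom signature, as an added example that is not part of the original thread or any Cisco material. The function name `is_login_request`, the host `example.invalid` and the sample requests are constructed for illustration, and the pattern uses Python `re` syntax, not the sensor's regex dialect.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Candidate pattern for the URI path seen in the capture (Python `re` syntax;
# translate to the sensor's regex dialect before using it in a signature).
LOGIN_PATH = re.compile(r"^/registration/account\.php$", re.IGNORECASE)


def is_login_request(raw: bytes) -> bool:
    """Return True if the raw HTTP request is a POST to the login URI."""
    request_line = raw.split(b"\r\n", 1)[0].decode("latin-1")
    parts = request_line.split(" ")
    if len(parts) != 3:
        return False
    method, target, version = parts
    if method != "POST" or not version.startswith("HTTP/"):
        return False
    # urlsplit also copes with absolute-form targets sent to a proxy.
    url = urlsplit(target)
    # Decode percent-escapes so "account%2Ephp" cannot slip past the pattern.
    if not LOGIN_PATH.match(unquote(url.path)):
        return False
    # Accept function=login wherever it sits in the query string.
    values = parse_qs(url.query).get("function", [])
    return any(v.lower() == "login" for v in values)


# Constructed sample requests: expected verdict -> request bytes.
SAMPLES = [
    (True, b"POST /registration/account.php?function=login HTTP/1.1\r\n"
           b"Host: example.invalid\r\n\r\n"),
    (True, b"POST /registration/Account%2Ephp?x=1&function=LOGIN HTTP/1.1\r\n\r\n"),
    (True, b"POST http://example.invalid/registration/account.php"
           b"?function=login HTTP/1.1\r\n\r\n"),
    (False, b"GET /registration/account.php?function=login HTTP/1.1\r\n\r\n"),
    (False, b"POST /registration/account.php?function=register HTTP/1.1\r\n\r\n"),
    (False, b"POST /registration/account.phpx?function=login HTTP/1.1\r\n\r\n"),
]

if __name__ == "__main__":
    for expected, request in SAMPLES:
        verdict = is_login_request(request)
        print(f"{verdict!s:5} (expected {expected!s:5}) {request.splitlines()[0]!r}")
```

The negative samples matter as much as the positive ones: a pattern that also fires on GET requests or on other `function=` values would generate false positives once the signature is set to deny.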
