08-30-2006 02:15 AM - edited 03-10-2019 03:11 AM
In the IPS there is a signature for bearshare (11004).
I have downloaded the latest version of bearshare (version 6.0) and tested it against the IPS. It seems that the writers of the software have changed their approach, as the IPS is unable to detect the file download.
Is there someone from Cisco on this list that would be able to work with me to develop a new signature?
08-30-2006 04:40 AM
I would like to stop the "bearshare login" from happening.
I have captured a packet of data and the packet contains
Hypertext Transfer Protocol
POST /registration/account.php?function=login HTTP/1.1\r\n
Request Method: POST
Request URI: /registration/account.php?function=login
Request Version: HTTP/1.1
1. How will the custom signature and the regex look in order to alert and deny the following string?
2. Must I use the string.http engine?
08-30-2006 07:54 AM
1. Take a look at 3101-1 for a simple URL-based example. You might even clone it to start your new sig. What you captured above does not include the full URL or the actual POST'ed data though. You might be able to tighten up the signature based on that data.
2. Did you have another engine in mind? This engine lets you perform regex matches on specific parts of an HTTP request, so it seems like the best choice.
Does your outbound web traffic go through a proxy and do you do any outbound URL filtering? That is typically the best way to block HTTP traffic.
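As an added example (not part of the original posts and not Cisco signature syntax), the following Python sketch shows why matching a regex against a specific part of the request matters for the captured login POST. The regex is in Python syntax, and the Host value and the non-matching requests are constructed placeholders, since the capture above does not include the full URL.

```python
import re
from urllib.parse import urlsplit, parse_qs

# URI path from the captured request line (Python regex syntax, anchored).
URI_RE = re.compile(r"^/registration/account\.php$", re.IGNORECASE)

def parse_request(raw: bytes):
    """Split a raw HTTP request into method, path, query args and headers."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    lines = head.split("\r\n")
    method, target, _version = lines[0].split(" ", 2)  # ValueError if malformed
    parts = urlsplit(target)  # also handles absolute URLs sent to a proxy
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, parts.path, parse_qs(parts.query), headers

def is_login_post(raw: bytes, host_re=None) -> bool:
    """True for a POST to the captured login URI with function=login.

    host_re is an optional tightening step: the path alone is generic, so once
    the real Host header is known it can be supplied to cut false positives.
    """
    try:
        method, path, args, headers = parse_request(raw)
    except ValueError:
        return False
    if method != "POST" or not URI_RE.match(path):
        return False
    if "login" not in [v.lower() for v in args.get("function", [])]:
        return False
    if host_re is not None:
        return re.search(host_re, headers.get("host", ""), re.IGNORECASE) is not None
    return True

# Request line taken from the capture; the Host header is a constructed placeholder.
CAPTURED = (b"POST /registration/account.php?function=login HTTP/1.1\r\n"
            b"Host: login.example.invalid\r\n\r\n")
# Constructed requests that a plain substring match would confuse with the login.
GET_SAME_URI = b"GET /registration/account.php?function=login HTTP/1.1\r\n\r\n"
OTHER_FUNCTION = b"POST /registration/account.php?function=signup HTTP/1.1\r\n\r\n"
URI_IN_ARGUMENT = (b"POST /search?q=/registration/account.php?function=login "
                   b"HTTP/1.1\r\n\r\n")
```

The last constructed request carries the login string only inside another page's query argument, which is the case a whole-stream string match gets wrong and a URI-scoped match gets right.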