Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
812
Views
0
Helpful
6
Replies

IDS 4215 http custom signature

balien
Level 1
Level 1

‎03-29-2005 11:38 PM - edited ‎03-10-2019 01:21 AM

Hello,

I am trying to build a custom signature that is matching http header or body that contains certain regular expression. Any Ideas how to do that ? I tried Web Server signature but there I can only match HTTP header.

Labels:
0 Helpful
6 Replies 6

a.arndt
Level 3
Level 3

‎03-30-2005 04:25 AM

Try this:

1) Login to the sensor via IDM with an admin privileged account

2) Select “Configuration -> Sensing Engine -> Signature Wizard”

3) Select “Start the Wizard”

4) Select the “Web Server Signature” option

5) Set your SigID, Sig Name, Alert and User Notes as appropriate and click “Next”

6) Adjust the service ports (if necessary) and click “Next”

7) Given the intentions of your signature, leave the “Web Server Buffer Overflow Checks” fields empty and click “Next”

8) Put your regex into the “HTTP Request Regular Expression” because it will match the text within the entire HTTP request. Click “Next”

9) Set your alerting preferences (severity, etc.) and click “Next”

10) Adjust your alerting behaviour if you want (Click “Advanced”), or accept the defaults by clicking “Next”

11) Click on “Create” to generate the signature

I hope this helps,

Alex Arndt

0 Helpful

mkodali
Cisco Employee
Cisco Employee
In response to a.arndt

‎03-30-2005 07:35 AM

This would take care of the search in request header. For body search I would consider string.tcp engine with port 80 as service port.

0 Helpful

a.arndt
Level 3
Level 3
In response to mkodali

‎03-30-2005 08:36 AM

You're right Madhu. I guess I had a brain fart.

BTW, couldn't you make it even better by substituting the $WEBPORTS variable for port 80 in the sig?

Alex Arndt

0 Helpful

mkodali
Cisco Employee
Cisco Employee
In response to a.arndt

‎03-30-2005 08:47 AM

Yes, That would make it consistent with other service http signatures unless you are not interested in ports other than 80.

0 Helpful

balien
Level 1
Level 1
In response to mkodali

‎03-31-2005 12:36 AM

Can I do this with only one signature ? Does string.tcp will fire on HTTP header match ?

0 Helpful

a.arndt
Level 3
Level 3
In response to balien

‎03-31-2005 04:33 AM

It should, yes.

The only concern is that if your regex is fairly long, it may actually appear in more than one packet. The good news is that the 'string.tcp' engine will collect and analyse a steam of TCP packets, ensuring that the regex will still be detected.

I hope this helps,

Alex Arndt

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card