IPS Custom Signature - .torrent - Possible?

kristianaasen
Level 1

Hi, I was wondering if it is possible to create a custom signature that would produce an alert whenever someone clicks on a .torrent link.

I am using Build Version: 5.1(3)S247.0

Just started using the IPS, so any help or pointers will be greatly appreciated.

9 Replies 9

mhellman
Level 7

Yes, should be possible. You can inspect the URL or you can inspect the HTTP headers (the latter will probably trigger fewer false positives).

Take a look at sig 3204-0 for a pretty simple example of URL inspection.

Take a look at sig 5800-0 for an example that inspects HTTP headers. I'm not a big torrent user, but I think you will be looking for

"Content-Type: application/x-bittorrent"

wsulym
Cisco Employee

You could do the following:

Using engine == Service-HTTP

URI regex == [.][Tt][Oo][Rr][Rr][Ee][Nn][Tt]

service ports == #WEBPORTS

That will fire any time ".torrent" is seen in the URI. So anytime someone clicks on a link that contains ".torrent" (case insensitive), the alert would fire.

Being nitpicky, but you didn't escape the dot. Won't that pretty much trigger on the word "torrent" anywhere in the URL?

THX for your help

Within a character class you don't need to escape the dot.

You're absolutely right, I forgot about that ;-)

THX for your help

Shannon Sutter
Level 1

I've had no luck with this.

I've been trying to customize a signature to alert me when someone is browsing www.dropbox.com and can't get it to work.

I have configured the following:

Using engine == Service-HTTP

URI regex == [.][Dd][Rr][Oo][Pp][Bb][Oo][Xx]

service ports == #WEBPORTS

The status is enabled and the Event action is Produce Alert.

Am I missing something? I am not getting any alerts.

Hi,

I replied in the other thread. Please try with header-regex instead of uri-regex, because the host name will appear in the HTTP header in the traffic.

Also, we have sig 38686 detecting dropbox usage. Perhaps those are what you are looking for.
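
Added example (not part of any reply in this thread, and not Cisco's signature code): a Python sketch that applies the two URI regexes posted above to the request URI and a header pattern to the header block, showing why `[.]` matches only a literal dot and why a host name is found in the `Host` header rather than the URI. Assumptions: Python's `re` stands in for the sensor's regex engine, the requests are constructed samples, and `DROPBOX_HOST_HEADER` is a hypothetical pattern written for this illustration.

```python
import re

# URI patterns exactly as posted in the thread, evaluated with Python's re
# (assumption: these simple character classes behave the same on the sensor).
TORRENT_URI = re.compile(r"[.][Tt][Oo][Rr][Rr][Ee][Nn][Tt]")
DROPBOX_URI = re.compile(r"[.][Dd][Rr][Oo][Pp][Bb][Oo][Xx]")
# Hypothetical header pattern, written for this example only.
DROPBOX_HOST_HEADER = re.compile(
    r"[Hh][Oo][Ss][Tt]:[^\r\n]*[.][Dd][Rr][Oo][Pp][Bb][Oo][Xx]"
)


def split_request(raw: bytes):
    """Return (uri, header_block) from a raw HTTP/1.x request."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    request_line, _, headers = head.partition("\r\n")
    parts = request_line.split(" ")
    if len(parts) != 3:
        raise ValueError("malformed request line")
    return parts[1], headers


def evaluate(raw: bytes):
    """Report which pattern matches in which part of the request."""
    uri, headers = split_request(raw)
    return {
        "torrent_uri": bool(TORRENT_URI.search(uri)),
        "dropbox_uri": bool(DROPBOX_URI.search(uri)),
        "dropbox_header": bool(DROPBOX_HOST_HEADER.search(headers)),
    }


# Constructed sample requests (not captured traffic).
TORRENT_REQ = b"GET /files/distro.TORRENT HTTP/1.1\r\nHost: mirror.example\r\n\r\n"
WORD_ONLY_REQ = b"GET /blog/torrential-rain HTTP/1.1\r\nHost: news.example\r\n\r\n"
DROPBOX_REQ = b"GET /home HTTP/1.1\r\nHost: www.dropbox.com\r\nAccept: */*\r\n\r\n"

if __name__ == "__main__":
    for name, req in [("torrent", TORRENT_REQ),
                      ("word-only", WORD_ONLY_REQ),
                      ("dropbox", DROPBOX_REQ)]:
        print(name, evaluate(req))
```
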
