08-06-2012 12:18 PM - edited 03-10-2019 05:44 AM
I just need a little help with one simple custom signature.
I am running an ASA-SSM-10 on an ASA5520.
IPS Version: 7.0(7)E4
I've been trying to customize a signature to send/log alerts if someone is accessing www.dropbox.com and can't get it to work.
I have read multiple posts and ended up configuring the custom signature like this: (based on Cisco 3204 signature)
Using engine == Service-HTTP
URI regex == [.][Dd][Rr][Oo][Pp][Bb][Oo][Xx]
service ports == #WEBPORTS
The status is enabled and the Event action is Produce Alert.
Am I missing something? I am not getting any alerts.
I have attached a screenshot of the custom sig.
Any help will be great, thanks in advance.
Zeek
08-06-2012 12:33 PM
That can't work as Dropbox is using HTTPS and the IPS can't look into these encrypted sessions. Your signature will only work for sessions that use plain HTTP.
08-06-2012 12:45 PM
OK, thank you for your quick response.
08-10-2012 03:32 PM
Hi,
Actually, "dropbox.com" will appear in the Hostname in the traffic, but in the custom signature, you are using uri-regex. If you change it to header-regex, it might work.
Secondly, we have sig 38686 subsigs 0 and 1 to detect Dropbox usage. Subsig 0 in service-http is what you might be looking for. These sigs were released in S604.
Hope this helps,
Radhika
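A simplified model of the two replies above, added here as an illustration and not part of any poster's message or of the IPS engine itself: the regex from the original post is applied separately to the request URI and to the header block of constructed plain-HTTP requests, and to a constructed TLS record standing in for an HTTPS session. The function names and sample bytes are assumptions; the proxy-style request goes beyond the thread to show the one case where the URI itself carries the hostname.

```python
import re

# The pattern from the original post, unchanged.
DROPBOX = re.compile(rb"[.][Dd][Rr][Oo][Pp][Bb][Oo][Xx]")


def split_request(raw: bytes):
    """Split a plain-HTTP request into (uri, header_block).

    Returns None when the bytes do not start with an HTTP request line,
    which is what an inspection point sees for an encrypted session.
    """
    head = raw.split(b"\r\n\r\n", 1)[0]
    request_line, _, headers = head.partition(b"\r\n")
    parts = request_line.split(b" ")
    if len(parts) != 3 or not parts[2].startswith(b"HTTP/"):
        return None
    return parts[1], headers


def match_fields(raw: bytes) -> dict:
    """Report whether the pattern matches the URI and/or the header block."""
    parsed = split_request(raw)
    if parsed is None:
        return {"parsed": False, "uri": False, "header": False}
    uri, headers = parsed
    return {
        "parsed": True,
        "uri": bool(DROPBOX.search(uri)),
        "header": bool(DROPBOX.search(headers)),
    }


# Constructed sample: direct plain-HTTP request; hostname is only in Host.
PLAIN_HTTP = (b"GET /login HTTP/1.1\r\n"
              b"Host: www.dropbox.com\r\nUser-Agent: example\r\n\r\n")
# Constructed sample: absolute-form URI, as a client sends to a forward proxy.
PROXY_HTTP = (b"GET http://www.dropbox.com/login HTTP/1.1\r\n"
              b"Host: www.dropbox.com\r\n\r\n")
# Constructed sample: TLS application-data record header plus opaque bytes.
TLS_BYTES = bytes.fromhex("1703030020") + bytes([0xAA]) * 32

if __name__ == "__main__":
    for name, raw in [("plain", PLAIN_HTTP), ("proxy", PROXY_HTTP),
                      ("tls", TLS_BYTES)]:
        print(name, match_fields(raw))
```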
08-13-2012 07:57 AM
Thanks a lot! It is what I needed to know.