
IPS - Custom Signature url Alert

Shannon Sutter
Level 1

I just need a little help with one simple custom signature.

I am running an ASA-SSM-10 on an ASA5520.

IPS Version: 7.0(7)E4

I've been trying to customize a signature to send/log alerts if someone is accessing www.dropbox.com and can't get it to work.

I have read multiple posts and ended up configuring the custom signature like this: (based on Cisco 3204 signature)

Using engine == Service-HTTP

URI regex == [.][Dd][Rr][Oo][Pp][Bb][Oo][Xx]

service ports == #WEBPORTS

The status is enabled and the Event action is Produce Alert.

Am I missing something? I am not getting any alerts.

I have attached a screenshot of the custom sig.

Any help will be great, thanks in advance.

Zeek

4 Replies

That can't work as Dropbox is using HTTPS and the IPS can't look into these encrypted sessions. Your signature will only work for sessions that use plain HTTP.

OK, thank you for your quick response.

rupadras
Cisco Employee

Hi,

Actually, "dropbox.com" will appear in the Hostname in the traffic, but in the custom signature, you are using uri-regex. If you change it to header-regex, it might work.

Secondly, we have sig 38686 subsigs 0 and 1 to detect Dropbox usage. Subsig 0 in service-http is what you might be looking for. These sigs were released in S604.

Hope this helps,

Radhika
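The two replies above, illustrated with an added example that is not part of the original thread and is not Cisco's engine code: it splits constructed requests into the request-line URI and the header block, then applies the regex from the question to each. The function names and sample requests are assumptions made for illustration; the third sample also covers the general HTTP case where a client sends an absolute URI to an explicit proxy.

```python
import re

# Regex copied from the custom signature in the question.
SIG_REGEX = re.compile(rb"[.][Dd][Rr][Oo][Pp][Bb][Oo][Xx]")


def split_request(raw: bytes):
    """Return (uri, header_block) for a plain-HTTP request, or None if not HTTP."""
    head, _, _ = raw.partition(b"\r\n\r\n")
    request_line, _, header_block = head.partition(b"\r\n")
    parts = request_line.split(b" ")
    if len(parts) != 3 or not parts[2].startswith(b"HTTP/"):
        return None
    return parts[1], header_block


def fields_matched(raw: bytes):
    """List which inspected fields ("uri", "header") the regex matches in."""
    parsed = split_request(raw)
    if parsed is None:
        return []  # nothing parseable as HTTP, so neither field exists
    uri, header_block = parsed
    hits = []
    if SIG_REGEX.search(uri):
        hits.append("uri")
    if SIG_REGEX.search(header_block):
        hits.append("header")
    return hits


# Constructed samples (not captured traffic).
# Direct request: the hostname is only in the Host header.
DIRECT = b"GET /login HTTP/1.1\r\nHost: www.dropbox.com\r\nUser-Agent: test\r\n\r\n"
# Request sent to an explicit proxy: the URI is absolute and carries the hostname.
PROXY = b"GET http://www.dropbox.com/login HTTP/1.1\r\nHost: www.dropbox.com\r\n\r\n"
# Start of a TLS session: a record header followed by opaque bytes.
TLS = b"\x16\x03\x01\x00\x05" + bytes(5)

if __name__ == "__main__":
    for name, sample in (("direct", DIRECT), ("proxy", PROXY), ("tls", TLS)):
        print(name, fields_matched(sample))
```
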

Thanks a lot! It is what I needed to know.
