05-19-2007 09:29 AM - edited 03-10-2019 01:41 PM
what signature catches the misuse of port 80 ?
Solved! Go to Solution.
05-19-2007 10:09 AM
The HTTP Inspection engine feature allows users to detect and prohibit HTTP connections?such as tunneling over port 80, unauthorized request methods, and non-HTTP compliant file transfers.
This gives better idea for IOS based IPS
http://www.cisco.com/en/US/products/ps6350/products_configuration_guide_chapter09186a0080455acb.html
-Hoogen
Do rate if this post helps :)
05-19-2007 10:09 AM
The HTTP Inspection engine feature allows users to detect and prohibit HTTP connections?such as tunneling over port 80, unauthorized request methods, and non-HTTP compliant file transfers.
This gives better idea for IOS based IPS
http://www.cisco.com/en/US/products/ps6350/products_configuration_guide_chapter09186a0080455acb.html
-Hoogen
Do rate if this post helps :)
05-19-2007 10:16 AM
Well I really meant the IPS Appliances not the router IPS
I wanted to stop some p2p trafficking using a ips 4215
05-21-2007 03:24 AM
Hi,
I kind of tried looking around for a solution for your problem the only thing I seem to come up with is Custom signature.
I picked up something for Kazaa a p2p application. THe first thing is that you need to capture those packets using ethereal or any packet sniffer tools. Pick up a sample traffic. Look for something in the traffic sample that will identify the Kazaa application.
Signature identify key parts of the traffic which wouldn't change. For Kazaa the payload seems to have the same last 6 bytes in multiple captures.
Traffic characteristics, usually an UDP packet, Payload always ends with the same 6 bytes, payload ends in "kazaa" followed by null (ox00)
Custom Signature Settings
- Engine: ATOMIC.IP
- L4 Protocol of UDP
- Payload Regex: [Kk][Aa][Zz][Aa][Aa]\x00
Create a custom signature based on this:
In event action you could ask for a Produce Verbose alert. Specify the Layer 4 protocol. Use the Payload inspection to specify the regex.
Leave the signature turned on for atleast a week or two. And check for results.
But you have pre-defined signatures too for p2p traffic clients like
Kazaa 5534 sub sig id 0,1,&2.
Bittorent 11020,11030.
edonkey 11018.
MOst engines doing this inspection would be string.tcp or atomic.ip.
You can search your signature details in this site and then tune the signature to deny the connection inline.
http://tools.cisco.com/MySDN/Intelligence/searchSignatures.x
HTH
Hoogen
Do rate helpful posts :)
05-21-2007 02:54 PM
Hey man Thanks for all the help !!! I found the answer... the signature 12674 does stop non-http traffic.
But I'll keep in mind the custom atomic signatures, they are very handy .
Thanks for your help !
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide