
IPS regex for a certificate name

rickellis
Level 1

Hello,

Using the 4260-IPS I'd like to create a signature using regex that can fire on a specific certificate name. In a sniffer trace I can see the entry as "Name=Grac". I tried using the following regex but it didn't work.

[Nn][Aa][Mm)[Ee][\=][Gg][Rr][Aa][Cc]

Rick

4 Replies

Rodrigo Gurriti
Level 3

On IDM

Configuration > Signature Definition > Custom Signature Wizard then

Choose TCP as the protocol to inspect >

Click the Single TCP Connection radio button >

Select Other as the service type >

Enter signature parameters >

Select your event action

In the Regex String field enter

[Nn][Aa][Mm)[Ee][\=][Gg][Rr][Aa][Cc]

Enter 80 in the Service Ports field

and you should use from service

Or you can clone a tcp string from any other signatures and change the fields

Thanks rodrigogurrit. I tried this but it does not work. I should clarify that I am trying to fire on SSL (port 443) in this case. I adjusted the service port from 80 to 443 but kept everything else the same. What I'm trying to do is fire on the SSL certificate name, which I can see in a trace.

Rick

Hmm, it's a good question, because 443 is encrypted and the IPS cannot see what is going on.

Sorry

mhellman
Level 7

Get rid of the backslash; the equal sign is not a metacharacter that needs escaping. What engine are you using?

I'm guessing you're talking about server certs? I would suggest the "string tcp" engine and make sure you are using the direction "from service".
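
Added example (not part of the thread or any poster's code): the posted pattern checked against the string from the trace, using Python's `re` as a stand-in for the sensor's regex engine, which is an assumption. The payload bytes and the corrected pattern `FIXED` are constructed for illustration.

```python
import re

# Pattern exactly as posted in the thread: "[Mm)" ends with ")" instead of "]".
POSTED = rb"[Nn][Aa][Mm)[Ee][\=][Gg][Rr][Aa][Cc]"
# Same pattern with only the backslash removed, as suggested in the last reply.
NO_BACKSLASH = rb"[Nn][Aa][Mm)[Ee][=][Gg][Rr][Aa][Cc]"
# Hypothetical corrected pattern: every class closed, "=" left unescaped.
FIXED = rb"[Nn][Aa][Mm][Ee]=[Gg][Rr][Aa][Cc]"

# Constructed payload bytes (not from a real capture): the string seen in the
# trace surrounded by arbitrary binary data, as it would sit in a TCP stream.
SAMPLE = b"\x30\x82\x01\x0a\x0c\x09Name=Grac\x30\x1e\x17\x0d"


def fires(pattern: bytes, payload: bytes) -> bool:
    """Return True if the pattern matches anywhere in the payload."""
    return re.search(pattern, payload) is not None


def full_matches(pattern: bytes, candidates):
    """Return the candidates the pattern matches in full, to show its real shape."""
    return [c for c in candidates if re.fullmatch(pattern, c)]


if __name__ == "__main__":
    for name, pat in (("posted", POSTED),
                      ("no backslash", NO_BACKSLASH),
                      ("fixed", FIXED)):
        print(f"{name:13} fires on sample: {fires(pat, SAMPLE)}")
    # "[Mm)[Ee]" is parsed as ONE class {M, m, ), [, E, e}, so the posted
    # pattern describes 3 characters before "=", not the 4 letters of "Name".
    probes = [b"Name=Grac", b"NaM=Grac", b"Na)=Grac", b"Nae=Grac"]
    print("posted pattern fully matches:", full_matches(POSTED, probes))
```

In Python the backslash before `=` is harmless; the posted pattern misses because `[Mm)` is never closed, so `[Mm)[Ee]` is read as a single character class.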
