06-10-2007 04:45 AM - edited 03-10-2019 03:39 AM
Hello,
Using the 4260-IPS I'd like to create a signature using regex that can fire on a specific certificate name. In a sniffer trace I can see the entry as "Name=Grac". I tried using the following regex but it didn't work.
[Nn][Aa][Mm)[Ee][\=][Gg][Rr][Aa][Cc]
Rick
06-10-2007 08:11 AM
On IDM
Configuration > Signature Definition > Custom Signature Wizard, then
Choose TCP as the protocol to inspect >
Click the Single TCP Connection radio button >
Select Other as the service type >
Enter signature parameters >
Select your event action
In the Regex String field enter
[Nn][Aa][Mm)[Ee][\=][Gg][Rr][Aa][Cc]
Enter 80 in the Service Ports field
and you should use from service
Or you can clone a tcp string from any other signatures and change the fields
06-10-2007 12:50 PM
Thanks rodrigogurrit. I tried this but it does not work. I should clarify that I am trying to fire on SSL (port 443) in this case. I adjusted the service port from 80 to 443 but kept everything else the same. What I'm trying to do is fire on the SSL certificate name which I can see in a trace.
Rick
06-10-2007 06:03 PM
Hmm, it's a good question because 443 is encrypted and the IPS cannot see what is going on.
Sorry
06-11-2007 06:16 AM
Get rid of the backslash; the equal sign is not a metacharacter that needs escaping. What engine are you using?
I'm guessing you're talking about server certs? I would suggest the "string tcp" engine and make sure you are using the direction "from service".
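Added example, not part of any post in this thread: the posted pattern has an unclosed bracket at `[Mm)`, which merges two character classes into one, so it cannot match "Name=Grac" regardless of port or direction. Python's `re` module stands in for the sensor's regex engine here (an assumption), the payloads are constructed, and `ci_class_regex` is a hypothetical helper for generating the `[Xx]` classes without hand-typing them.

```python
import re

# Pattern exactly as typed in the thread. "[Mm)" never closes, so the class
# runs on to the next "]" and becomes ONE set: {M, m, ), [, E, e}.
POSTED = rb"[Nn][Aa][Mm)[Ee][\=][Gg][Rr][Aa][Cc]"

# Characters escaped when building a pattern from a literal (assumed to be
# the usual regex metacharacters; "=" is not one of them).
META = set(r"\.^$*+?()[]{}|")


def ci_class_regex(literal: str) -> bytes:
    """Build a case-insensitive pattern from a literal using [Xx] classes."""
    parts = []
    for ch in literal:
        if ch.isalpha():
            parts.append(f"[{ch.upper()}{ch.lower()}]")
        elif ch in META:
            parts.append("\\" + ch)
        else:
            parts.append(ch)
    return "".join(parts).encode("ascii")


def matches(pattern: bytes, payload: bytes) -> bool:
    """True if the pattern occurs anywhere in the raw payload bytes."""
    return re.search(pattern, payload) is not None


FIXED = ci_class_regex("Name=Grac")

# Constructed payload fragments (not taken from a real capture).
SAMPLES = [b"..Name=Grac..", b"..NAME=grac..", b"..Nam=Grac..", b"..Na)=Grac.."]

if __name__ == "__main__":
    print("fixed pattern:", FIXED.decode())
    for payload in SAMPLES:
        print(payload, "posted:", matches(POSTED, payload),
              "fixed:", matches(FIXED, payload))
```
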