Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
526
Views
0
Helpful
1
Replies

IPS signature to match usernames?

mattsmith
Level 1
Level 1

‎01-13-2010 02:24 PM - edited ‎03-10-2019 04:51 AM

Can an IPS be used to match usernames during RDP and or RPC sessions?

We have done some wireshark captures and searched the stream content for usernames with no success.

The servers are 2003 & 2008.

Perhaps MARS is the best solution here for reporting this?

Thanks

Matt

Labels:
0 Helpful
1 Reply 1

Farrukh Haroon
VIP Alumni
VIP Alumni

‎02-07-2010 09:58 AM

If there is no fix pattern for the username field in RPC or if its encrypted (via NTLM hash etc.) then there is no chance you can match it using regex.If the field is predictable, then a custom signature can be made as desired.

The MARS box does not do any detection or regex matching itself, it just correlates the signature events received from the IPS, so I doubt MARS would help here.

Regards

Farrukh

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card