IPS Signatures with blank regex field when specify regex is "yes"

j.wheeler
Level 1

I'm trying to track down what I believe is a false positive for Rustock Botnet sig 17363-3. This is a "service HTTP" signature and it indicates "yes" on specify URI regex, specify header regex and specify request regex, but the regex field is blank (null?) for all three of these. What does this mean? Does it mean the signature is matched if these three fields are null in the evaluated packet?

1 Reply

Dustin Ralich
Cisco Employee

SIG 17363.3 is a "protected" signature; as a result, certain parameter values are not visible. Protected signatures may exist for a variety of reasons (e.g. NDA with relevant vendor, situations where detection method disclosure could enable evasion methods to be developed, etc.).

You can confirm this is true for this signature by reviewing it via the sensor CLI (notice the "protected" values):

sensor# conf t
sensor(config)# service signature-definition sig0
sensor(config-sig)# signature 17363 3
sensor(config-sig-sig)# show settings
uri-regex: ********

In this scenario, if you believe the signature is in fact firing falsely, then you will need to open a TAC Service Request and provide copies of relevant Alerts (events), packet captures, etc. that can be analyzed by the IPS Signature Development Team.
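The reply's point is that a regex parameter that looks blank in the GUI may be protected (masked) rather than empty, and the sensor CLI is where that distinction becomes visible. The following helper is an added example, not code from the thread or from Cisco: it takes the text of a `show settings` dump, assumed to use the `name: value` layout of the one line shown above, and classifies every `*-regex` parameter as protected (a run of asterisks), empty, or set, then flags any field whose `specify-…` switch is "yes" while the field itself is genuinely empty. The sample dump is constructed for the example; the parameter names other than `uri-regex` are hypothetical and are not claimed to be the sensor's real output.

```python
import re

# Constructed sample modelled on the single "uri-regex: ********" line quoted
# in the reply. Every other name here is a hypothetical placeholder for the
# example; it is NOT a real capture from a sensor.
SAMPLE_SETTINGS = """\
sig-name: Rustock Botnet
specify-uri-regex: yes
uri-regex: ********
specify-header-regex: yes
header-regex: ********
specify-request-regex: yes
request-regex:
"""

# A value consisting only of asterisks is how the CLI displays a protected
# (hidden) parameter in the quoted session.
MASK = re.compile(r"^\*{4,}$")


def parse_settings(text):
    """Turn 'name: value' lines into a dict; lines without a colon are ignored."""
    params = {}
    for line in text.splitlines():
        if ":" not in line:
            continue
        key, _, value = line.partition(":")
        params[key.strip()] = value.strip()
    return params


def classify(params):
    """Map each *-regex parameter to 'protected', 'empty' or 'set'."""
    out = {}
    for key, value in params.items():
        if not key.endswith("-regex"):
            continue
        if MASK.match(value):
            out[key] = "protected"   # hidden by the sensor, not actually blank
        elif value == "":
            out[key] = "empty"       # really has no pattern
        else:
            out[key] = "set"         # pattern is visible
    return out


def inconsistent(params):
    """Regex fields enabled via 'specify-<field>: yes' but left truly empty.

    A protected field is NOT reported here: the mask means a pattern exists
    even though it cannot be read, which is the situation in the thread.
    """
    flagged = []
    for key, value in params.items():
        if key.startswith("specify-") and value.lower() == "yes":
            target = key[len("specify-"):]
            if params.get(target, "") == "":
                flagged.append(target)
    return flagged


if __name__ == "__main__":
    parsed = parse_settings(SAMPLE_SETTINGS)
    for name, state in classify(parsed).items():
        print(f"{name}: {state}")
    print("enabled but empty:", inconsistent(parsed))
```

Running it on the constructed sample reports `uri-regex` and `header-regex` as protected and only `request-regex` as enabled-but-empty, which is the distinction worth establishing before opening a TAC case: masked fields are evidence the signature does carry a pattern, while a genuinely empty field enabled by its switch is something to raise explicitly.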
