Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
855
Views
0
Helpful
3
Replies

Issue about Custom IPS Rules

yangui319
Level 1
Level 1

‎02-16-2017 12:29 AM - edited ‎02-21-2020 06:01 AM

When i learning Firepower Intrusion Policy, i create a IPS Rule like the picture, i want to block traffic from test-pc to http server when the uri contain "configure" keyword, but it not work properly. i didn't see the intrusion events. 

Preview file
288 KB
Preview file
38 KB
0 Helpful
3 Replies 3

Claudiu Cismaru
Cisco Employee
Cisco Employee

‎02-16-2017 11:50 AM

Add metadata with service http. See whether it fires now.

When you test, add logging to the ACP rule and provide with the connection event screenshot (from the table view of events, multiple screenshots to cover all the fields) associated with the test you're performing.

0 Helpful

yangui319
Level 1
Level 1
In response to Claudiu Cismaru

‎02-16-2017 05:29 PM

I configure two intrusion rule:intrusion rule "http certsrv" and intrusion rule "http configure". Like the picture, but when i test it, the "http certsrv" is work properly, but the "http configure" didn't. use windows server 2008 as web server for test about "http certsrv", use Cisco IOS as web server for test "http configure".

Preview file
94 KB
Preview file
287 KB
Preview file
307 KB
0 Helpful

Claudiu Cismaru
Cisco Employee
Cisco Employee
In response to yangui319

‎02-17-2017 01:01 AM

I couldn't reproduce your issue. For me it fires. Are you sure you deployed the ACP after making changes?

Can you provide the full connection event entry screenshot?

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card