cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
720
Views
0
Helpful
3
Replies

Issue about Custom IPS Rules

yangui319
Beginner
Beginner

When i learning Firepower Intrusion Policy, i create a IPS Rule like the picture, i want to block traffic from test-pc to http server when the uri contain "configure" keyword, but it not work properly. i didn't see the intrusion events. 

3 Replies 3

Claudiu Cismaru
Cisco Employee
Cisco Employee

Add metadata with service http. See whether it fires now.

When you test, add logging to the ACP rule and provide with the connection event screenshot (from the table view of events, multiple screenshots to cover all the fields) associated with the test you're performing.

I configure two intrusion rule:intrusion rule "http certsrv" and intrusion rule "http configure". Like the picture, but when i test it, the "http certsrv" is work properly, but the "http configure" didn't. use windows server 2008 as web server for test about "http certsrv", use Cisco IOS as web server for test "http configure".

I couldn't reproduce your issue. For me it fires. Are you sure you deployed the ACP after making changes?

Can you provide the full connection event entry screenshot?

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Recognize Your Peers