Custom signature for non-HTTP traffic

ikobisher3
Level 1

How can I create a custom signature that triggers only when there is not HTTP traffic from a specific IP to a specific IP? I want to create a policy-based signature that detects the anomaly of non-HTTP traffic to a web server. Is there a way of doing this from IDS MC?

Thanks

IK

2 Replies

mkodali
Cisco Employee

In the current release this can be done using the string.TCP engine, though it is a bit of a performance hit to examine all the strings for TCP sessions from or to this port. With this engine you can create a custom sig looking for the regex you want to examine for non-HTTP traffic and specify the web server ports.

Thanks. I thought about that solution too, but I was concerned about the fact that all packets will be monitored. But since this sensor will monitor the backend of a content switch doing SSL offload, I think the traffic will not be as heavy as other potential sensing locations. Thanks for your response.
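
The check discussed in this thread, sketched in Python as an added example (not code from the thread and not Cisco signature syntax): classify the first client-to-server bytes of a reassembled TCP stream on the web server port and alert when they are not an HTTP/1.x request line. The IP addresses, port set, method list and function names are assumptions made for illustration.

```python
import re

# Assumed method list; the request line is "METHOD SP target SP HTTP/x.y".
METHODS = (b"GET", b"HEAD", b"POST", b"PUT", b"DELETE",
           b"OPTIONS", b"TRACE", b"CONNECT", b"PATCH")
HTTP_REQUEST_LINE = re.compile(
    rb"^(?:" + b"|".join(METHODS) + rb") \S+ HTTP/\d\.\d\r?\n")
METHOD_PREFIXES = tuple(m + b" " for m in METHODS)

WEB_PORTS = {80}                 # hypothetical cleartext port behind the SSL offloader
WATCHED_SRC = "192.0.2.10"       # constructed example addresses
WATCHED_DST = "198.51.100.20"
MAX_REQUEST_LINE = 8192          # assumed cap before giving up on a partial line


def classify_stream(src, dst, dport, payload):
    """Return 'ignore', 'http', 'undecided' or 'alert' for client-to-server bytes."""
    if (src, dst) != (WATCHED_SRC, WATCHED_DST) or dport not in WEB_PORTS:
        return "ignore"          # outside the policy this signature covers
    if not payload:
        return "undecided"       # handshake only, no data to judge yet
    if HTTP_REQUEST_LINE.match(payload):
        return "http"
    # A partial request line split across segments is still consistent with HTTP.
    if b"\n" not in payload and len(payload) < MAX_REQUEST_LINE:
        if any(payload.startswith(p) or p.startswith(payload)
               for p in METHOD_PREFIXES):
            return "undecided"
    return "alert"               # first bytes cannot be an HTTP/1.x request


def run_samples():
    """Classify constructed sample streams; returns the verdict for each."""
    samples = [
        b"GET /index.html HTTP/1.1\r\nHost: www\r\n\r\n",  # normal request
        b"POST /login HT",                                 # request line not complete
        b"SSH-2.0-client\r\n",                             # other protocol banner
        b"\x16\x03\x01\x00\xa5",                           # binary data, not text
    ]
    return [classify_stream(WATCHED_SRC, WATCHED_DST, 80, s) for s in samples]


if __name__ == "__main__":
    print(run_samples())
```

Only the start of each stream is inspected here, which limits the per-session cost raised in the replies; HTTP/2 with prior knowledge would alert under this sketch because only HTTP/1.x request lines are accepted.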