06-24-2004 03:30 PM - edited 03-09-2019 07:51 AM
How can I create a custom signature that triggers only when there is not HTTP traffic from a specific IP to a specific IP? I want to create a policy-based signature that detects the anomaly of non-HTTP traffic to a web server. Is there a way of doing this from IDS MC?
Thanks
IK
06-25-2004 07:38 AM
In the current release this can be done using the string.TCP engine, though it is a bit of a performance hit to examine all the strings for TCP sessions from or to this port. With this engine you can create a custom sig looking for the regex you want to examine for non-HTTP traffic and specify the web server ports.
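Added example, not part of the original thread and not Cisco IDS signature syntax: a Python sketch of the matching logic such a regex-based check performs on the first client bytes of each TCP session to the web server port. The IP addresses, port set, method list and flow tuples are constructed assumptions.

```python
import re

# Assumption: request methods the monitored web server is expected to accept.
METHODS = (b"GET", b"POST", b"HEAD", b"PUT", b"DELETE", b"OPTIONS", b"TRACE")
REQUEST_LINE = re.compile(
    rb"^(?:" + b"|".join(METHODS) + rb") [\x21-\x7e]+ HTTP/1\.[01]\r?\n"
)
MAX_LINE = 8192  # stop waiting for a request line after this many bytes


def classify(first_bytes: bytes) -> str:
    """Classify the start of a client-to-server stream."""
    if REQUEST_LINE.match(first_bytes):
        return "http"
    if b"\n" not in first_bytes and len(first_bytes) < MAX_LINE:
        # The request line may be split across segments. Keep waiting only
        # while the bytes seen so far can still begin "<METHOD> ".
        head = first_bytes.split(b" ", 1)[0]
        if b" " in first_bytes:
            possible = head in METHODS
        else:
            possible = any(m.startswith(head) for m in METHODS)
        if possible:
            return "need-more"
    return "non-http"


def alerts(flows, server_ip, web_ports, client_ip=None):
    """Return flows to the web server whose first bytes are not HTTP."""
    hits = []
    for src, dst, dport, data in flows:
        if dst != server_ip or dport not in web_ports:
            continue
        if client_ip is not None and src != client_ip:
            continue
        if classify(data) == "non-http":
            hits.append((src, dst, dport, data[:16]))
    return hits


# Constructed sample flows: (source IP, destination IP, destination port, first bytes)
SAMPLE_FLOWS = [
    ("198.51.100.7", "192.0.2.10", 80, b"GET /index.html HTTP/1.1\r\nHost: www\r\n\r\n"),
    ("198.51.100.7", "192.0.2.10", 80, b"SSH-2.0-OpenSSH_3.8\r\n"),
    ("198.51.100.7", "192.0.2.10", 80, b"POS"),  # partial request line
    ("198.51.100.9", "192.0.2.10", 80, b"\x16\x03\x01\x00\x5a"),  # binary handshake bytes
    ("198.51.100.7", "192.0.2.20", 80, b"HELO x\r\n"),  # different server, ignored
]

if __name__ == "__main__":
    for hit in alerts(SAMPLE_FLOWS, "192.0.2.10", {80}):
        print("non-HTTP to web server:", hit)
```

The "need-more" result avoids alerting on a request line that is merely split across TCP segments, which is the main false-positive source for a per-packet string match.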
06-25-2004 08:06 AM
Thanks. I thought about that solution too, but I was concerned about the fact that all packets will be monitored. But since this sensor will monitor the backend of a content switch doing SSL offload, I think the traffic will not be as heavy as other potential sensing locations. Thanks for your response.