IDS 4.0 Custom signature - catching a URL

efink
Beginner

Hi,

Can anybody help me with what I thought was a simple task but which happened to be a little more than that? I want to see an alarm when somebody is trying to browse the following URL: http://www.vasco.si/oddaljeno_delo.htm. Thanks.


ali-franks
Beginner

s

mcerha
Participant

This will require a two-step process. First, create a custom signature looking for the URI in question. For 3.x sensors, use the STATE.HTTP engine. For 4.0 sensors, use the SERVICE.HTTP engine. You'll fill in the UriRegex with '/oddaljeno_delo.htm'. This may be all you need. However, if you want to be exact, you'll need to create an alarm filter to only match on the IP address for the website in question. Please consult the IDS documentation for information on how to do this step.

Thanks. It solved my problem. I tried with the whole URL and it didn't work, now with only the last couple of letters it works just fine.
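Why the path-only pattern fires while the whole URL does not, and what the destination-IP alarm filter adds, shown as an added example (not from the thread and not sensor configuration). It models the matching in Python's regex dialect; the IP addresses are constructed documentation placeholders and the function names are hypothetical.

```python
import re

# Constructed samples: (destination IP, raw HTTP request). The addresses are
# RFC 5737 documentation ranges, not the real site's address (assumption).
SITE_IP = "192.0.2.10"   # placeholder standing in for www.vasco.si
SAMPLES = [
    # 0: direct request to the site; the request line carries only the path
    (SITE_IP, "GET /oddaljeno_delo.htm HTTP/1.1\r\nHost: www.vasco.si\r\n\r\n"),
    # 1: same path on an unrelated server
    ("198.51.100.7", "GET /oddaljeno_delo.htm HTTP/1.1\r\nHost: other.example\r\n\r\n"),
    # 2: different page on the site
    (SITE_IP, "GET /index.htm HTTP/1.1\r\nHost: www.vasco.si\r\n\r\n"),
    # 3: request sent to a forward proxy; absolute-form carries the whole URL
    ("203.0.113.5", "GET http://www.vasco.si/oddaljeno_delo.htm HTTP/1.1\r\n"
                    "Host: www.vasco.si\r\n\r\n"),
]

# Dots are escaped here so they match literally in Python's re module.
URI_PATTERN = r"/oddaljeno_delo\.htm"
FULL_URL_PATTERN = r"http://www\.vasco\.si/oddaljeno_delo\.htm"


def request_uri(raw):
    """Return the request-target (second field of the request line), or None."""
    parts = raw.split("\r\n", 1)[0].split(" ")
    return parts[1] if len(parts) == 3 else None


def alarms(samples, pattern, dest_ip=None):
    """Indices of samples whose URI matches; dest_ip models the alarm filter."""
    hits = []
    for i, (ip, raw) in enumerate(samples):
        uri = request_uri(raw)
        if uri is None or not re.search(pattern, uri):
            continue
        if dest_ip is None or ip == dest_ip:
            hits.append(i)
    return hits


if __name__ == "__main__":
    print("full URL pattern:", alarms(SAMPLES, FULL_URL_PATTERN))
    print("path-only pattern:", alarms(SAMPLES, URI_PATTERN))
    print("path + IP filter:", alarms(SAMPLES, URI_PATTERN, SITE_IP))
```

The full-URL pattern matches only the proxied request, because a direct request puts the host name in the `Host` header rather than in the URI. Filtering on the site's IP removes the unrelated server but also drops the proxied request, whose destination is the proxy.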
