IDS mailing list archives

RE: Cisco IPS 5.1


From: "Nick Smith (nicksmi)" <nicksmi () cisco com>
Date: Tue, 21 Nov 2006 13:54:57 -0800

 
The best engine to use to detect this type of activity would be Service
HTTP.  Be sure to use #WEBPORTS as your service port detection range to
ensure efficiency.  Using the IDM, you can see that Service HTTP has
many regexes available for use.  A regex looks in a certain part of the
HTTP request and if it matches the pattern you enter, it triggers the
configured action, such as firing an alert.  The regex you want to use
for looking for a specific Content-Type would be the header regex.  In
there, you would enter,
[Cc][Oo][Nn][Tt][Ee][nN][Tt][-][Tt][Yy][pP][Ee][:]\x20? and then the
type you are looking for.  So if you are looking for image/gif, your
regex would be:

[Cc][Oo][Nn][Tt][Ee][nN][Tt][-][Tt][Yy][pP][Ee][:]\x20?[Ii][Mm][Aa][Gg][Ee][/][Gg][Ii][Ff]

The []'s say that you will match anything contained therein, so in this
example, it would match for any capitalization in 'content-type' and
image/gif.  The \x20? adds an optional space to be matched or not
between 'content-type' and the type.  Please let us know if you require
any further assistance.

Nicholas Smith
Cisco IPS Signature Developer

-----Original Message-----

From: Velasquez Venegas Jaime Omar <jaime () ulima edu pe>
Date: Nov 21, 2006 6:34 AM
Subject: Cisco IPS 5.1
To: focus-ids () securityfocus com


I'm trying to build a customized signature on Cisco IPS 5.1 so it can
detect a specific content-type in http header.
I did my research and found that I should use an http inspection engine
built in Cisco IPS and a command called regex.
An example of this would be very helpful.

Thanks
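
An added example, not part of either message and not Cisco code: a Python check of the header regex from the reply against constructed header lines, generalized with a hypothetical `build_header_regex` helper to other MIME types. It assumes Python's `re` treats these character classes and `\x20?` the same way the sensor's regex engine does, and it shows that the pattern accepts at most one space after the colon.

```python
import re

# The header regex from the reply above, joined onto one line.
POSTED = (r"[Cc][Oo][Nn][Tt][Ee][nN][Tt][-][Tt][Yy][pP][Ee][:]\x20?"
          r"[Ii][Mm][Aa][Gg][Ee][/][Gg][Ii][Ff]")

def bracket(text):
    """Spell text out one character class per character: 'a' -> '[Aa]', '/' -> '[/]'."""
    out = []
    for ch in text:
        if ch.isascii() and ch.isalpha():
            out.append("[%s%s]" % (ch.upper(), ch.lower()))
        elif ch in "0123456789/-+.:":
            out.append("[%s]" % ch)
        else:
            raise ValueError("unsupported character %r" % ch)
    return "".join(out)

def build_header_regex(mime_type):
    """Hypothetical helper: the same pattern shape for any MIME type."""
    return bracket("Content-Type:") + r"\x20?" + bracket(mime_type)

def matches(pattern, header_line):
    # Assumption: the pattern may match anywhere in the header, hence search().
    return re.search(pattern, header_line) is not None

# Constructed sample header lines with the expected verdict for image/gif.
SAMPLES = [
    ("Content-Type: image/gif", True),
    ("content-type:image/gif", True),     # no space: \x20? is optional
    ("CONTENT-TYPE: IMAGE/GIF", True),    # any capitalization
    ("Content-Type:  image/gif", False),  # two spaces: \x20? allows one at most
    ("Content-Type:\timage/gif", False),  # tab is not \x20
    ("Content-Type: image/png", False),   # different type
]

def run_samples(pattern):
    """Return (header_line, matched) for every constructed sample."""
    return [(line, matches(pattern, line)) for line, _ in SAMPLES]

if __name__ == "__main__":
    for line, hit in run_samples(POSTED):
        print("%-5s %r" % (hit, line))
```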



