IDS mailing list archives
Re: Cisco IPS 5.1
From: "Sanjay R" <2sanjayr () gmail com>
Date: Thu, 23 Nov 2006 09:15:43 +0530
Hi Velasquez: if it is only the string "Content-type:application/x-msn-messenger", that you are interested in, then why do you want to go for a regular expression? whether it is Cisco or snort or any matching device, regular expression are costlier than fixed string search. Therefore, if Cisco provides a string search like Snort does, i would go for fixed string search. In the format of Snort, you rule should look like: ------------- alert tcp $INTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-Based MSN IM Access"; flow:to_server,established;content:"Content-type:application/x-msn-messenger";nocase;reference:bugtraq,2492; reference:cve,2006-0000; classtype:web-application-attack; sid:Not_defined; rev:0; --------------- I think you can always convert the above rule to your Cisco format. thanks -Sanjay On 11/22/06, Velasquez Venegas Jaime Omar <jaime () ulima edu pe> wrote:
Hi Gary Thank your for your answer.The signature I'm trying to build is one that catches the MSN messenger client on http ports. I know there are already two signatures in Cisco IPS but they detect the msn messenger application on tcp/1863 or through a proxy which is not my case because altough they have been applied , on my tests my msn clients still connect to the service through http ports so that's basically the reason to build a customized signature to detect http sessions with the following content in http header: Content-type: application/x-msn-messenger\r\n which is what my wireshark capture got on a regular msn session. I tried the header regex setting it to catch specifically this string: "application/x-msn-messenger" but it didn't work so there's something I am missing. Thank you again -----Original Message----- From: Gary Halleen (ghalleen) [mailto:ghalleen () cisco com] Sent: Martes, 21 de Noviembre de 2006 04:21 p.m. To: Velasquez Venegas Jaime Omar; focus-ids () securityfocus com Subject: RE: Cisco IPS 5.1 Velasquez, There are several ways to use Regex, or Regular Expressions, into a Cisco IPS signature. Here are the ways to use it with the service-http engine: 1. URI Regex: Regular expression to search in the URI field. The URI field is defined as after the HTTP method (i.e. GET, POST) and before the first CRLF. 2. Arg Name Regex: Regular expression to search in the HTTP arguments field (variable names within form input, for instance). This is defined as after the '?' and in the entity body as defined by Content-Length. 3. Arg Value Regex: Regular expression to search in the HTTP arguments field after Arg Name Regex is matched. This is searching on the value defined by the variable name, above. 4. Header Regex: Regular expression to search in the HTTP header. The header is defined as after the first CRLF, but before CRLFCRLF. 5. Request Regex: Regular expression to search in both the HTTP URI and HTTP arguments fields. In addition to these regex values, you can also specify maximum lengths of URI, arguments, header, and request. If you have specific things you're looking for, I'd be more than happy to help you with the signature. Additionally, our TAC is able to assist in custom signature creation. Gary -----Original Message----- From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of Velasquez Venegas Jaime Omar Sent: Tuesday, November 21, 2006 4:35 AM To: focus-ids () securityfocus com Subject: Cisco IPS 5.1 I'm tryng to build a customized signature on Cisco IPS 5.1 so it can detect an specific content-type in http header. I did my research and found that i should use an http inspection engine built in Cisco IPS and a command called regex. An example of this would be very helpful. Thanks ------------------------------------------------------------------------ Test Your IDS Is your IDS deployed correctly? Find out quickly and easily by testing it with real-world attacks from CORE IMPACT. Go to http://www.coresecurity.com/index.php5?module=Form&action=impact&campaig n=intro_sfw to learn more. ------------------------------------------------------------------------ ------------------------------------------------------------------------ Test Your IDS Is your IDS deployed correctly? Find out quickly and easily by testing it with real-world attacks from CORE IMPACT. Go to http://www.coresecurity.com/index.php5?module=Form&action=impact&campaign=intro_sfw to learn more. ------------------------------------------------------------------------
-- PhD Intoto Softwares, Hyderabad, India ------------------------------------------------------------------------ Test Your IDS Is your IDS deployed correctly?Find out quickly and easily by testing it with real-world attacks from CORE IMPACT. Go to http://www.coresecurity.com/index.php5?module=Form&action=impact&campaign=intro_sfw to learn more.
------------------------------------------------------------------------
Current thread:
- Cisco IPS 5.1 Velasquez Venegas Jaime Omar (Nov 21)
- <Possible follow-ups>
- RE: Cisco IPS 5.1 Gary Halleen (ghalleen) (Nov 22)
- RE: Cisco IPS 5.1 Nick Smith (nicksmi) (Nov 22)
- RE: Cisco IPS 5.1 Velasquez Venegas Jaime Omar (Nov 22)
- Re: Cisco IPS 5.1 Sanjay R (Nov 23)