IDS mailing list archives

Re: Cisco IPS 5.1


From: "Sanjay R" <2sanjayr () gmail com>
Date: Thu, 23 Nov 2006 09:15:43 +0530

Hi Velasquez:
If it is only the string "Content-type:application/x-msn-messenger"
that you are interested in, then why do you want to go for a regular
expression? Whether it is Cisco or Snort or any matching device,
regular expressions are costlier than a fixed string search. Therefore,
if Cisco provides a string search like Snort does, I would go for the
fixed string search. In the format of Snort, your rule should look
like:
-------------
alert tcp $INTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS
(msg:"WEB-Based MSN IM Access";
flow:to_server,established;
content:"Content-type:application/x-msn-messenger"; nocase;
reference:bugtraq,2492; reference:cve,2006-0000;
classtype:web-application-attack;
sid:Not_defined; rev:0;)
---------------
I think you can always convert the above rule to your Cisco format.

thanks
-Sanjay


On 11/22/06, Velasquez Venegas Jaime Omar <jaime () ulima edu pe> wrote:
Hi Gary

Thank you for your answer. The signature I'm trying to build is one that
catches the MSN messenger client on http ports.
I know there are already two signatures in Cisco IPS but they detect the
msn messenger application on tcp/1863 or through a proxy which is not my
case because although they have been applied, on my tests my msn clients
still connect to the service through http ports so that's basically the
reason to build a customized signature to detect http sessions with the
following content in http header: Content-type:
application/x-msn-messenger\r\n which is what my wireshark capture got
on a regular msn session.

I tried the header regex setting it to catch specifically this string:
"application/x-msn-messenger" but it didn't work so there's something I
am missing.

Thank you again



-----Original Message-----
From: Gary Halleen (ghalleen) [mailto:ghalleen () cisco com]
Sent: Tuesday, November 21, 2006 04:21 p.m.
To: Velasquez Venegas Jaime Omar; focus-ids () securityfocus com
Subject: RE: Cisco IPS 5.1

Velasquez,

There are several ways to use Regex, or Regular Expressions, in a
Cisco IPS signature.  Here are the ways to use it with the service-http
engine:

1.  URI Regex:  Regular expression to search in the URI field.  The URI
field is defined as after the HTTP method (i.e. GET, POST) and before
the first CRLF.

2.  Arg Name Regex:  Regular expression to search in the HTTP arguments
field (variable names within form input, for instance).  This is defined
as after the '?' and in the entity body as defined by Content-Length.

3.  Arg Value Regex:  Regular expression to search in the HTTP arguments
field after Arg Name Regex is matched.  This is searching on the value
defined by the variable name, above.

4.  Header Regex:  Regular expression to search in the HTTP header.  The
header is defined as after the first CRLF, but before CRLFCRLF.

5.  Request Regex:  Regular expression to search in both the HTTP URI
and HTTP arguments fields.

In addition to these regex values, you can also specify maximum lengths
of URI, arguments, header, and request.

If you have specific things you're looking for, I'd be more than happy
to help you with the signature.  Additionally, our TAC is able to assist
in custom signature creation.

Gary


-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com]
On Behalf Of Velasquez Venegas Jaime Omar
Sent: Tuesday, November 21, 2006 4:35 AM
To: focus-ids () securityfocus com
Subject: Cisco IPS 5.1

I'm trying to build a customized signature on Cisco IPS 5.1 so it can
detect a specific content-type in http header.
I did my research and found that I should use an http inspection engine
built in Cisco IPS and a command called regex.
An example of this would be very helpful.

Thanks



------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it with real-world attacks from
CORE IMPACT.
Go to http://www.coresecurity.com/index.php5?module=Form&action=impact&campaign=intro_sfw
to learn more.
------------------------------------------------------------------------







--
PhD
Intoto Softwares, Hyderabad, India
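The following is an added illustration, not code from any message in this thread and not Cisco IPS or Snort code. It carves a raw HTTP request into the sections Gary lists for the service-http engine (URI after the method and before the first CRLF; header after the first CRLF and before CRLFCRLF; args after the '?' plus the entity body bounded by Content-Length) and then runs a Snort-style fixed-string, case-insensitive `content` match over the header section, as Sanjay's rule does. The request bytes, host names and gateway path are constructed sample input. It also shows one practical caveat worth checking in a lab before blaming the engine: Sanjay's content string has no space after the colon, while Velasquez's capture shows "Content-type: application/x-msn-messenger" with one, and an exact match distinguishes the two.

```python
# Added example (not from the thread, not Cisco IPS or Snort code): split an HTTP
# request into the service-http fields described in the thread and run a
# fixed-string, case-insensitive header match like `content:"...";nocase;`.
import re
from typing import Dict

CRLF = b"\r\n"


def split_http_request(raw: bytes) -> Dict[str, bytes]:
    """Split a raw request into the fields named in the thread.

    uri    : after the method, before the first CRLF (request target only;
             the HTTP version token is dropped)
    header : after the first CRLF, before CRLFCRLF
    args   : query after '?' plus the entity body, trimmed to Content-Length
             when that header is present (a simplification of the definition)
    """
    head, _, body = raw.partition(CRLF + CRLF)
    request_line, _, header = head.partition(CRLF)
    parts = request_line.split(b" ")
    method = parts[0] if parts else b""
    target = parts[1] if len(parts) > 1 else b""
    _, _, query = target.partition(b"?")
    m = re.search(rb"(?im)^Content-Length:[ \t]*(\d+)\r?$", header)
    if m:
        body = body[: int(m.group(1))]
    args = query + (b"&" if query and body else b"") + body
    return {"method": method, "uri": target, "header": header,
            "body": body, "args": args}


def fixed_string_match(section: bytes, needle: bytes, nocase: bool = True) -> bool:
    """Snort-style `content` match: exact byte substring, case-folded if nocase."""
    if nocase:
        return needle.lower() in section.lower()
    return needle in section


def matches_exact_rule(raw: bytes) -> bool:
    """Header search with the literal string from Sanjay's rule (no space after ':')."""
    fields = split_http_request(raw)
    return fixed_string_match(fields["header"],
                              b"Content-type:application/x-msn-messenger")


def matches_whitespace_tolerant(raw: bytes) -> bool:
    """Same header search, allowing optional spaces or tabs after the colon,
    which real clients (and Velasquez's capture) commonly emit."""
    fields = split_http_request(raw)
    pattern = re.compile(rb"Content-type:[ \t]*application/x-msn-messenger",
                         re.IGNORECASE)
    return pattern.search(fields["header"]) is not None


# Constructed samples; hosts and paths are illustrative, not captured traffic.
REQUEST_WITH_SPACE = (
    b"POST /gateway/gateway.dll?Action=open&Server=NS HTTP/1.1\r\n"
    b"Host: gateway.example.net\r\n"
    b"Content-Type: application/x-msn-messenger\r\n"
    b"Content-Length: 18\r\n"
    b"\r\n"
    b"VER 1 MSNP8 CVR0\r\n"
    b"trailing bytes beyond Content-Length"
)
REQUEST_NO_SPACE = REQUEST_WITH_SPACE.replace(
    b"Content-Type: application", b"Content-Type:application")
ORDINARY_REQUEST = (
    b"GET /index.html HTTP/1.1\r\n"
    b"Host: www.example.net\r\n"
    b"Accept: text/html\r\n"
    b"\r\n"
)

if __name__ == "__main__":
    for name, req in (("with space", REQUEST_WITH_SPACE),
                      ("no space", REQUEST_NO_SPACE),
                      ("ordinary", ORDINARY_REQUEST)):
        print(f"{name:10s} exact={matches_exact_rule(req)} "
              f"tolerant={matches_whitespace_tolerant(req)}")
```

Run it directly to see the three verdicts side by side; the "with space" request is the one an exact `content` string misses while the tolerant pattern still catches it, so whichever form is chosen on the sensor should be validated against a real capture rather than a hand-typed header.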
