Hello guys! Some collected notes from my IPS-lab today:
Task 3.9, Bullet #4. I am requested to create a Code Red signature looking for regexps in URLs. I did a "Service HTTP" type but the SG states doing a "String TCP" type. Why? Am I wrong?

The same task states "if it hits a web server on VLAN8". But I can't see in the SG that this alert triggers only for traffic to that VLAN. Without doing any per-IP-range-specific thing this would trigger for all traffic passing through vs1, right? My idea was to ADD an action to that sig with something opposite/similar to event action filters, but is there no way to do that?

Next bullet with the FTP signature, same thing. Logging all FTP DELE commands passing through vs0 will not be as granular as requested: "...when it detects a file being deleted on the FTP server 10.4.4.100 from VLAN5".

Last bullet. "Do not use IP or IP ranges for defining VLAN 7". I interpret that as "do not specify it by IP addresses", which made me confused. Then I saw that the proposed solution was to define the range (which we weren't supposed to do?) as a variable and enter the variable instead of the range itself directly. I guess I have problems understanding the scope of some tasks.

When verifying the large-ICMP signature I get the same result as the DSG: "!!.!.!.!!..!!!..!!.!.!.!!..!!". But why? I expected to see ".............". The action is not "deny *some* packets inline". ;-)

Thanks for feedback!

Br Jimmy

--
Jimmy Larsson
Ryavagen 173
S-26030 Vallakra
Sweden
http://blogg.kvistofta.nu
_______________________________________________ For more information regarding industry leading CCIE Lab training, please visit www.ipexpert.com
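As an added illustration, not part of Jimmy's post or of the lab SG he refers to, here is a Cisco IPS 6.x-style CLI session that builds a String TCP signature with a regex on the request line and then narrows it to one VLAN using an event variable and an event action filter, which is the combination the bullets above circle around. The command syntax is written from memory of the Cisco IPS CLI configuration guide and should be checked against the sensor's own command reference before use; the signature ID 60000, the Code Red-style regex, the 10.8.8.0/24 range for VLAN8, the variable name NOT_VLAN8 and the filter name are all assumptions. Lines beginning with "!" are my annotations, not sensor commands.

```text
! --- 1. Custom signature on the String TCP engine (assumed sig ID 60000) ---
! String TCP runs the regex over the TCP stream to the service port without
! depending on the HTTP service engine's parsing, which is why the SG picks it.
sensor# configure terminal
sensor(config)# service signature-definition sig0
sensor(config-sig)# signatures 60000 0
sensor(config-sig-sig)# engine string-tcp
sensor(config-sig-sig-str)# regex-string [Gg][Ee][Tt][ ][^ ]*[.]ida[?]
sensor(config-sig-sig-str)# service-ports 80
sensor(config-sig-sig-str)# direction to-service
sensor(config-sig-sig-str)# event-action produce-alert|deny-packet-inline
sensor(config-sig-sig-str)# exit
sensor(config-sig-sig)# alert-severity high
sensor(config-sig-sig)# sig-description
sensor(config-sig-sig-sig)# sig-name Code Red .ida request (lab, assumed)
sensor(config-sig-sig-sig)# exit
sensor(config-sig-sig)# status
sensor(config-sig-sig-sta)# enabled true
sensor(config-sig-sig-sta)# exit
sensor(config-sig-sig)# exit
sensor(config-sig)# exit
Apply Changes?[yes]: yes

! --- 2. Scope the signature to web servers on VLAN8 (assumed 10.8.8.0/24) ---
! The signature itself still fires for every matching stream the virtual
! sensor sees. A filter cannot negate a range, so the variable holds the
! complement of VLAN8 and the filter strips the actions for those victims.
sensor(config)# service event-action-rules rules0
sensor(config-rul)# variables NOT_VLAN8 address 0.0.0.1-10.8.7.255,10.8.9.0-255.255.255.255
sensor(config-rul)# filters insert vlan8-only begin
sensor(config-rul-fil)# signature-id-range 60000
sensor(config-rul-fil)# subsignature-id-range 0
sensor(config-rul-fil)# victim-address-range $NOT_VLAN8
sensor(config-rul-fil)# actions-to-remove produce-alert|deny-packet-inline
sensor(config-rul-fil)# filter-item-status enabled
sensor(config-rul-fil)# user-comment keep sig 60000 actions only for VLAN8 victims
sensor(config-rul-fil)# exit
sensor(config-rul)# exit
Apply Changes?[yes]: yes
```

The same pattern (variable for the address range, filter keyed on attacker or victim range, actions removed outside the range) is what scopes the FTP DELE signature to "10.4.4.100 from VLAN5": put 10.4.4.100 in the victim range, the VLAN5 complement in an attacker variable, and remove the actions when the attacker is outside VLAN5. Note that a filter only removes actions; the sensor still evaluates the signature on all traffic through the virtual sensor, so this does not reduce inspection load, only the alerts and inline actions.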
