Hi Jimmy

Comments inline.

With regards
Kings

On Mon, Feb 15, 2010 at 5:51 PM, Jimmy Larsson <[email protected]> wrote:

> Hello guys!
>
> Some collected notes from my IPS-lab today:
>
>
> Task 3.9, Bullet #4. I am requested to create a Code Red signature looking
> for regexps in URLs. I did a "service http" type but the SG states doing a
> "String TCP" type. Why? Am I wrong?
>

You can use it. I did the same and also posted the same query a few days
ago. But please verify end to end. In service.http, you have the URI
regex, request regex and header regex options. cmd.exe and default.ida
are the URIs. Check which of those options can be used to match the
URI.

With URI, the sig didn't trigger for me. The request regex and header regex
seem to expect the complete URL = hostname + URI.



> The same task states "if it hits a web server on VLAN8". But I can't see in
> the SG that this alert triggers only for traffic to that VLAN. Without
> doing any per-IP-range-specific thing, this would trigger for all traffic
> passing through vs1, right? My idea was to ADD an action to that sig with
> something opposite/similar to event action filters, but is there no way to
> do that?
>

You can filter the VLAN traffic on the switch. Irrespective of whether you
are using promiscuous or inline, you can configure the switch to control the
VLANs that are sent for inspection. If you need to control it on the IPS, then
you can opt for VLAN groups.



>
> Next bullet with the FTP signature, same thing. Logging all FTP DELE commands
> passing through vs0 will not be as granular as requested: "...when it detects a
> file being deleted on the FTP server 10.4.4.100 from vlan5".
>

Same comment as above.

>
>
> Last bullet. "Do not use IP or IP ranges for defining Vlan 7". I interpret
> that as "do not specify it by IP addresses", which made me confused. Then I
> saw that the proposed solution was to define the range (which we weren't
> supposed to do?) as a variable and enter the variable instead of the range
> itself directly.
>
> I guess I have problems understanding the scope of some tasks.
>
> when verifying the large-icmp-signature I get the same result as DSG:
> "!!.!.!.!!..!!!..!!.!.!.!!..!!". But why? I expected to see ".............".
> The action is not "deny *some* packets inline". ;-)
>
> Thanks for feedback!
>
> Br Jimmy
> --
> -------
> Jimmy Larsson
> Ryavagen 173
> s-26030 Vallakra
> Sweden
> http://blogg.kvistofta.nu
> -------
>
> _______________________________________________
> For more information regarding industry leading CCIE Lab training, please
> visit www.ipexpert.com
>
>
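As an added illustration (not part of either message above, and not the lab's official solution), here is what the two points Kings raises look like on the sensor CLI: a service-http signature that matches on the URI alone, and a VLAN group that confines inspection to one VLAN so the signature only fires for traffic on that VLAN. The signature number 60000, interface GigabitEthernet0/0, VLAN 8 and virtual sensor vs1 are assumed for the example; the command names are the Cisco IPS 6.x CLI as I remember it, so verify each one against your sensor's own `?` help before relying on it. Lines beginning with `!` are my annotations, not commands typed into the sensor.

```text
! Code Red signature matched on the normalized URI only. uri-regex sees just
! the path (e.g. "/default.ida"), which is why the host name is not needed,
! whereas request-regex/header-regex see the whole request line (assumed
! from Kings' observation above). Case handling depends on the engine's
! de-obfuscation settings, so spell out both cases if in doubt.
sensor# configure terminal
sensor(config)# service signature-definition sig0
sensor(config-sig)# signatures 60000 0
sensor(config-sig-sig)# sig-description
sensor(config-sig-sig-sig)# sig-name Code-Red-URI
sensor(config-sig-sig-sig)# exit
sensor(config-sig-sig)# engine service-http
sensor(config-sig-sig-ser)# service-ports 80
sensor(config-sig-sig-ser)# event-action produce-alert
sensor(config-sig-sig-ser)# regex
sensor(config-sig-sig-ser-reg)# uri-regex [/](default\.ida|cmd\.exe)
sensor(config-sig-sig-ser-reg)# exit
sensor(config-sig-sig-ser)# exit
sensor(config-sig-sig)# status
sensor(config-sig-sig-sta)# enabled true
sensor(config-sig-sig-sta)# exit
sensor(config-sig-sig)# exit
sensor(config-sig)# exit
Apply Changes?[yes]:

! Scope WHICH traffic is inspected on the sensor instead of in the signature:
! VLAN 8 gets its own VLAN group (subinterface 1), everything else falls into
! the "unassigned" group (subinterface 2). Once an interface is split into
! VLAN groups you assign the subinterfaces, not the whole interface, to the
! virtual sensors, so sig 60000 enabled in vs1 is only evaluated for VLAN 8.
sensor(config)# service interface
sensor(config-int)# physical-interfaces GigabitEthernet0/0
sensor(config-int-phy)# subinterface-type vlan-group
sensor(config-int-phy-vla)# subinterface 1
sensor(config-int-phy-vla-sub)# vlans 8
sensor(config-int-phy-vla-sub)# description web-vlan8
sensor(config-int-phy-vla-sub)# exit
sensor(config-int-phy-vla)# subinterface 2
sensor(config-int-phy-vla-sub)# vlans unassigned
sensor(config-int-phy-vla-sub)# description everything-else
sensor(config-int-phy-vla-sub)# exit
sensor(config-int-phy-vla)# exit
sensor(config-int-phy)# exit
sensor(config-int)# exit
Apply Changes?[yes]:

sensor(config)# service analysis-engine
sensor(config-ana)# virtual-sensor vs1
sensor(config-ana-vir)# physical-interface GigabitEthernet0/0 subinterface-number 1
sensor(config-ana-vir)# exit
sensor(config-ana)# exit
Apply Changes?[yes]:
```

The same VLAN-group approach answers the FTP DELE bullet: put vlan5 in its own group, hand it to the virtual sensor where the FTP signature is enabled, and leave the 10.4.4.100 restriction to the signature (or to the lab's variable, per the last bullet). Verify end to end after applying, exactly as Kings advises: replay a request containing `/default.ida` from the VLAN 8 side and from another VLAN, and confirm the alert appears only for the former.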