>> Task 3.9, Bullet #4. I am requested to create a Code Red signature looking
>> for regexps in URLs. I did a "service http" type but SG states doing a
>> "String TCP" type. Why? Am I wrong?
>
> You can use it.

Thanks. I still try to understand how close to the DSG solution I need to be to be "ok". ;)

>> Same task states "if it hits a web server on VLAN8". But I can't see in
>> the SG that this alert triggers only for traffic to that VLAN. Without
>> doing any per-IP-range-specific thing this would trigger for all traffic
>> passing through vs1. Right? My idea was to ADD an action to that sig with
>> something opposite/similar to event action filters, but is there no way to
>> do that?
>
> You can filter the VLAN traffic on the switch. Irrespective of whether you
> are using promiscuous or inline, you can configure the switch to control the
> VLANs that are sent for inspection. If you need to control on the IPS, then
> you can opt for VLAN groups.

Yeah, but that is done by manipulating the total stream of traffic going to/through the IPS. I was more looking for a way to do "I have all this traffic going into my IPS. I have a signature that triggers on specific behavior and takes some actions, like logging. Besides that I want it to also take another action (like alert or drop inline) IF that behavior is with a specific IP address as destination IP". Can that be done?

>> Next bullet with FTP signature, same thing. Logging all FTP DELE commands
>> passing through vs0 will not be as granular as requested, "...when it detects a
>> file being deleted on the ftp-server 10.4.4.100 from vlan5".
>
> Same comment as above.

I don't understand. Tyson or someone from IPexpert, can you give me feedback on this?

>> Last bullet. "Do not use IP or IP ranges for defining Vlan 7". I
>> interpret that as "do not specify it by IP addresses", which made me
>> confused. Then I saw that the proposed solution was to define the range
>> (which we weren't supposed to do?) as a variable and enter the variable
>> instead of the range itself directly.
>>
>> I guess I have problems understanding the scope of some tasks.
>>
>> This frustrates me a lot.

I struggle all the time trying to understand the scope of some tasks within the workbook. I have explained my thoughts in this blog post. I'd very much like lots of input on this. http://blogg.kvistofta.nu/todays-question-whats-within-the-scope-of-the-task/

>> When verifying the large-icmp signature I get the same result as DSG:
>> "!!.!.!.!!..!!!..!!.!.!.!!..!!". But why? I expected to see ".............".
>> The action is not "deny *some* packets inline". ;-)

This confuses me more than anything else right now. I guess I will not be able to sleep tonight; when I shut my eyes I will see this annoying line of random dots and exclamation marks making fun of me. ;)

Br,
Jimmy
_______________________________________________ For more information regarding industry leading CCIE Lab training, please visit www.ipexpert.com
