Hi PJ,

Using sub-ids 0 and 1 seems to be the right solution. But I am still wondering if it can be done using the same sig id and sub id.

I checked the advanced options; there are no options for detecting port-misuse there. We need to configure a sig. The built-in sig is 12673/0.

With regards
Kings

On Thu, Jun 10, 2010 at 12:06 PM, Pieter-Jan Nefkens <[email protected]> wrote:

> Hi Kings,
>
> And what if you'd make two signatures, with the subsignature id?
>
> For example:
> 60100.0 = ATTACK pattern
> 60100.1 = port misuse
>
> And just something that pops into my mind (I don't have IME / IDM handy at
> the moment): there are also the advanced http settings on the IPS vs itself.
> Just go to the signatures and click on advanced. Enable http inspection and
> perhaps the port-misuse is there as well.. ;-)
>
> PJ
>
> On 10 jun 2010, at 08:11, Kingsley Charles wrote:
>
> Hi all
>
> I need to configure an IPS signature that inspects HTTP traffic, looks
> for a pattern "ATTACK" and also sees that port-misuse, p2p, im tunneling is
> not being done. I think http AIC signatures can
> only do both the checks.
>
> I tried as follows with the AIC HTTP engine:
>
> - Define Web Traffic Policy
>   Select "Yes"
> - Message body Pattern
>   In the Regex list, I added "ATTACK"
>
> But the problem is that only either one can be configured. When I configure one
> and apply, the other one goes.
>
> Please let me know how to configure a signature that
>
> - Detects "ATTACK" pattern
> - Detects port-misuse, p2p, im tunneling in HTTP
>
> With regards
> Kings
> _______________________________________________
> For more information regarding industry leading CCIE Lab training, please
> visit www.ipexpert.com
>
> ---
> Nefkens Advies
> Enk 26
> 4214 DD Vuren
> The Netherlands
>
> Tel: +31 183 634730
> Fax: +31 183 690113
> Cell: +31 654 323221
> Email: [email protected]
> Web: http://www.nefkensadvies.nl/
>
> Think before you print.
