AIC also has the capability of detecting tunneled traffic. You could try to tunnel some traffic with something like PC-Anywhere and see if you can detect it that way.
Regards,

Tyson Scott - CCIE #13513 R&S, Security, and SP
Managing Partner / Sr. Instructor - IPexpert, Inc.
Mailto: [email protected]
Telephone: +1.810.326.1444, ext. 208
Live Assistance, Please visit: www.ipexpert.com/chat
eFax: +1.810.454.0130

IPexpert is a premier provider of Self-Study Workbooks, Video on Demand, Audio Tools, Online Hardware Rental and Classroom Training for the Cisco CCIE (R&S, Voice, Security & Service Provider) certification(s) with training locations throughout the United States, Europe, South Asia and Australia. Be sure to visit our online communities at www.ipexpert.com/communities and our public website at www.ipexpert.com

From: [email protected] [mailto:[email protected]] On Behalf Of Kingsley Charles
Sent: Wednesday, September 29, 2010 7:38 AM
To: [email protected]
Subject: [OSL | CCIE_Security] IPS AIC HTTP

Hi all

If there is a task asking to configure the IPS sensor to detect HTTP traffic that is not RFC compliant, then what should the solution be? Should I just enable AIC HTTP at the path Configuration > Policies > Signature Definitions > sig0 > All Signatures > Advanced > Miscellaneous > HTTP Policy > Enable HTTP > Yes, or enable HTTP AIC and configure a sig by selecting the type "Define Web Traffic Policy" and selecting "Yes" for "alarm on Non-HTTP traffic"?

I need to verify it. Can someone let me know a simple way to generate non-RFC-compliant HTTP traffic, to check whether just enabling AIC HTTP is enough to detect non-compliant traffic? Please don't tell me to telnet to port 80. I am aware of that :-) I need something like an HTTP request without "GET". This I can't simulate in the lab. Any other method that can be simulated in the lab?

Snippet from Help page
Configuration > Policies > Signature Definitions > sig0 > All Signatures > Advanced > Miscellaneous > Help

Fields

The following fields are found on the Miscellaneous tab:

Application Policy - Lets you configure application policy enforcement.
Enable HTTP - Enables protection for web services. Check the Yes check box to require the sensor to inspect HTTP traffic for compliance with the RFC.
Max HTTP Requests - Specifies the maximum number of outstanding HTTP requests per connection.
AIC Web Ports - Specifies the variable for ports to look for AIC traffic.
Enable FTP - Enables protection for web services. Check the Yes check box to require the sensor to inspect FTP traffic.

With regards
Kings
_______________________________________________ For more information regarding industry leading CCIE Lab training, please visit www.ipexpert.com
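The original question asks for a lab-reproducible way to send HTTP that is not RFC compliant (for example a request line with no method) so that the AIC HTTP policy can be checked for an alarm. The following script is an added example, written for this page and not part of either poster's message or of any Cisco tool. It assumes a lab web server reachable at a placeholder address (LAB_HOST, TEST-NET-1) on port 80 with the sensor inline or spanning that path; the names build_request, request_line_is_compliant, TEST_CASES, send_raw and run_lab_check are all this example's own. The compliance checker is a strict approximation of the RFC 2616 request-line grammar used only to label each case as a control or an expected alarm; it is not the sensor's logic, and the sensor event list is the real oracle.

```python
import socket

# Placeholder lab target (TEST-NET-1 address); point this at your own lab web server.
LAB_HOST = "192.0.2.10"
LAB_PORT = 80

# Methods defined by RFC 2616. The RFC also permits extension tokens, so this
# strict set is a labelling aid for the lab, not a claim about what AIC flags.
RFC_METHODS = {"GET", "HEAD", "POST", "PUT", "DELETE", "OPTIONS", "TRACE", "CONNECT"}

# Constructed test cases: one compliant control plus request lines that break
# the "Method SP Request-URI SP HTTP-Version" shape in different ways.
TEST_CASES = {
    "compliant-control": "GET / HTTP/1.1",
    "missing-method": "/ HTTP/1.1",        # the "request without GET" from the question
    "no-version": "GET /",                 # HTTP/0.9 style, missing version
    "bad-version": "GET / HTTP/9.9",       # version token that does not exist
    "not-http-at-all": "hello sensor",     # arbitrary text on port 80
}


def build_request(request_line: str, host: str = LAB_HOST) -> bytes:
    """Assemble a raw HTTP/1.1 message around an arbitrary request line."""
    return f"{request_line}\r\nHost: {host}\r\nConnection: close\r\n\r\n".encode("ascii")


def request_line_is_compliant(line: str) -> bool:
    """Strict request-line check: exactly three tokens, known method, sane URI and version."""
    parts = line.split(" ")
    if len(parts) != 3:
        return False
    method, uri, version = parts
    if method not in RFC_METHODS:
        return False
    if not (uri == "*" or uri.startswith("/") or "://" in uri):
        return False
    return version in ("HTTP/1.0", "HTTP/1.1")


def send_raw(payload: bytes, host: str = LAB_HOST, port: int = LAB_PORT, timeout: float = 3.0) -> bytes:
    """Send raw bytes to the lab web server and return whatever it answers (may be empty)."""
    chunks = []
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(payload)
        try:
            while True:
                data = sock.recv(4096)
                if not data:
                    break
                chunks.append(data)
        except socket.timeout:
            pass  # a server that just hangs up on garbage is a normal outcome
    return b"".join(chunks)


def run_lab_check(host: str = LAB_HOST, port: int = LAB_PORT) -> None:
    """Send every case once; afterwards compare the sensor's event list against the labels."""
    for name, line in TEST_CASES.items():
        label = "control, no alarm expected" if request_line_is_compliant(line) else "expect AIC alarm"
        print(f"[{name}] {line!r} -> {label}")
        try:
            reply = send_raw(build_request(line, host), host, port)
            print(f"    server replied with {len(reply)} bytes")
        except OSError as exc:
            print(f"    connection failed: {exc}")


if __name__ == "__main__":
    run_lab_check()
```

Run it from a host on the client side of the sensor and then look at the sensor's events: the control case should produce nothing, and each of the other cases should produce an event from the HTTP policy. Doing this once with only "Enable HTTP" set and once with the "Define Web Traffic Policy" signature added answers the original question directly, since the page itself does not say which configuration alarms on which case. The same traffic can be produced without Python by piping a hand-written request line into netcat, but the script keeps the control and the broken variants side by side so the comparison is repeatable.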
