The AIC is just a signature engine. Without defining a signature to match the criteria you want to match, the engine itself is not going to do anything. Just like the STRING TCP engine isn't going to match data unless you define parameters to match in signatures. Here is some clarification from the documentation.

AIC Engine Parameters

The AIC engine defines signatures for deep inspection of web traffic. It also defines signatures that authorize and enforce FTP commands. There are two AIC engines: AIC HTTP and AIC FTP. The AIC engine has the following features:

Note the first sentence that states the AIC itself is just an engine.

http://www.cisco.com/en/US/docs/security/ips/6.1/configuration/guide/idm/idm_signature_engines.html#wpmkr1277737

Regards,

Tyson Scott - CCIE #13513 R&S, Security, and SP
Managing Partner / Sr. Instructor - IPexpert, Inc.
Mailto: [email protected]
Telephone: +1.810.326.1444, ext. 208
Live Assistance, Please visit: www.ipexpert.com/chat
eFax: +1.810.454.0130

IPexpert is a premier provider of Self-Study Workbooks, Video on Demand, Audio Tools, Online Hardware Rental and Classroom Training for the Cisco CCIE (R&S, Voice, Security & Service Provider) certification(s) with training locations throughout the United States, Europe, South Asia and Australia. Be sure to visit our online communities at www.ipexpert.com/communities and our public website at www.ipexpert.com

From: Kingsley Charles [mailto:[email protected]]
Sent: Wednesday, September 29, 2010 11:09 AM
To: Tyson Scott
Cc: [email protected]
Subject: Re: [OSL | CCIE_Security] IPS AIC HTTP

Hi Tyson

Do we need to configure a signature of the AIC engine after enabling AIC HTTP, or is just enabling AIC HTTP sufficient for non-RFC-compliant traffic?

With regards
Kings

On Wed, Sep 29, 2010 at 8:15 PM, Tyson Scott <[email protected]> wrote:

AIC also has the capability of detecting tunneled traffic. You could try to tunnel some traffic with something like PC-Anywhere and see if you can detect it that way.

Regards,

Tyson Scott - CCIE #13513 R&S, Security, and SP

From: [email protected] [mailto:[email protected]] On Behalf Of Kingsley Charles
Sent: Wednesday, September 29, 2010 7:38 AM
To: [email protected]
Subject: [OSL | CCIE_Security] IPS AIC HTTP

Hi all

If there is a task asking to configure the IPS sensor to detect HTTP traffic that is non-RFC compliant, then what should be the solution? Should I just enable AIC HTTP at the path Configuration > Policies > Signature Definitions > sig0 > All Signatures > Advanced > Miscellaneous > HTTP Policy > Enable HTTP > Yes, or enable HTTP AIC and configure a sig by selecting the type "Define Web Traffic Policy" and selecting "Yes" for "alarm on Non-HTTP traffic"?

I need to verify it. Can someone let me know a simple way to generate non-RFC-compliant HTTP traffic to check if it is enough to just enable AIC HTTP to detect non-RFC-compliant traffic? Please don't tell me to telnet to port 80. I am aware of that :-) I need something like an HTTP request without "get". This I can't simulate in the lab. Any other method that can be simulated in the lab?

Snippet from Help page
Configuration > Policies > Signature Definitions > sig0 > All Signatures > Advanced > Miscellaneous > Help

Fields
The following fields are found on the Miscellaneous tab:
Application Policy - Lets you configure application policy enforcement.
Enable HTTP - Enables protection for web services. Check the Yes check box to require the sensor to inspect HTTP traffic for compliance with the RFC.
Max HTTP Requests - Specifies the maximum number of outstanding HTTP requests per connection.
AIC Web Ports - Specifies the variable for ports to look for AIC traffic.
Enable FTP - Enables protection for web services. Check the Yes check box to require the sensor to inspect FTP traffic.

With regards
Kings
_______________________________________________ For more information regarding industry leading CCIE Lab training, please visit www.ipexpert.com
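A lab-side way to pin down what "non-RFC-compliant HTTP" means before watching whether the AIC HTTP signature alarms, added here as example code that is not part of the thread and not Cisco's own tooling: it checks raw request bytes against the request-line grammar shared by RFC 2616 and RFC 7230 (method token, single space, target, single space, HTTP-version, CRLF) and labels each constructed sample the way a strict parser would, covering the "request without GET" case Kings asks about, the bare telnet case, and a few other grammar violations. The sample payloads, the host name lab.example and the send_to_lab helper are assumptions; whether the sensor actually flags each case has to be observed in the lab, because the page does not document the engine's exact parser.

```python
import re
import socket
import sys

# Request-line grammar shared by RFC 2616 and RFC 7230:
#   request-line = method SP request-target SP HTTP-version CRLF
# "method" is a token: one or more tchar characters (no "/", no space).
TCHAR = r"[!#$%&'*+\-.^_`|~0-9A-Za-z]"
REQUEST_LINE = re.compile(
    rb"^(?P<method>" + TCHAR.encode() + rb"+) "
    + rb"(?P<target>[^ \r\n]+) "
    + rb"HTTP/(?P<major>\d)\.(?P<minor>\d)\r\n"
)

# Methods registered by RFC 7231; method names are case-sensitive.
STANDARD_METHODS = {b"GET", b"HEAD", b"POST", b"PUT", b"DELETE",
                    b"CONNECT", b"OPTIONS", b"TRACE"}

# Constructed lab payloads (assumptions, not traffic captured in the thread).
SAMPLES = {
    "well-formed GET":      b"GET / HTTP/1.1\r\nHost: lab.example\r\n\r\n",
    "no method token":      b"/ HTTP/1.1\r\nHost: lab.example\r\n\r\n",
    "lowercase method":     b"get / HTTP/1.1\r\nHost: lab.example\r\n\r\n",
    "bare LF line endings": b"GET / HTTP/1.1\nHost: lab.example\n\n",
    "double space":         b"GET  / HTTP/1.1\r\n\r\n",
    "bad version":          b"GET / HTTP/1.10\r\n\r\n",
    "typed into telnet":    b"hello from telnet\r\n",
}


def classify_request(raw: bytes) -> str:
    """Label the first line of a raw request the way a strict RFC parser would.

    Returns 'compliant', or a short reason the bytes fail the grammar.
    """
    match = REQUEST_LINE.match(raw)
    if match is None:
        first_line = raw.split(b"\r\n", 1)[0]
        # Looks like an attempt at HTTP but violates the grammar (missing
        # method, wrong separators, bad version, LF instead of CRLF, ...).
        if b"HTTP/" in first_line:
            return "malformed request-line"
        # Nothing HTTP-shaped at all: the telnet / tunnelled-protocol case.
        return "non-HTTP bytes on web port"
    if match.group("method") not in STANDARD_METHODS:
        return "unknown or non-standard method"
    return "compliant"


def classify_samples(samples=SAMPLES) -> dict:
    """Classify every sample; used for the printed table and for checks."""
    return {name: classify_request(raw) for name, raw in samples.items()}


def send_to_lab(host: str, raw: bytes, port: int = 80, timeout: float = 3.0) -> bytes:
    """Deliver one payload to a lab web server sitting behind the sensor and
    return whatever the server answers (possibly nothing). Assumed lab-only helper."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(raw)
        try:
            return sock.recv(4096)
        except socket.timeout:
            return b""


if __name__ == "__main__":
    lab_host = sys.argv[1] if len(sys.argv) > 1 else None
    for name, verdict in classify_samples().items():
        print(f"{name:22s} -> {verdict}")
        if lab_host:
            reply = send_to_lab(lab_host, SAMPLES[name])
            print(f"{'':22s}    server replied {len(reply)} bytes")
```

Run it with no arguments to print the classification table; pass the lab web server's host name as the first argument to also deliver each payload to port 80 behind the sensor, then compare the table against the events the sensor raised to see which violations the enabled AIC HTTP policy and signature actually cover.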
