I agree, Tyson. But I was wondering whether AIC HTTP and FTP are something like FW inspection, which would generate logs if HTTP or FTP is not RFC compliant.
If a task requires detecting non-RFC compliant HTTP traffic, the solution is to configure a sig in AIC HTTP, select *"Define Web Traffic Policy"* and select *"Yes"* for *"alarm on Non-HTTP traffic"*. Please let me know if the solution is correct.

With regards
Kings

On Wed, Sep 29, 2010 at 8:56 PM, Tyson Scott <[email protected]> wrote:

> The AIC is just a signature engine. Without defining a signature to
> match the criteria you want to match, the engine itself is not going to do
> anything. Just like the STRING TCP engine isn't going to match data unless
> you define parameters to match in signatures. Here is some clarification
> from the documentation.
>
> *AIC Engine Parameters*
>
> The AIC engine defines signatures for deep inspection of web traffic. It
> also defines signatures that authorize and enforce FTP commands.
>
> There are two AIC engines: AIC HTTP and AIC FTP.
>
> The AIC engine has the following features:
>
> Note the first sentence that states the AIC itself is just an engine.
>
> http://www.cisco.com/en/US/docs/security/ips/6.1/configuration/guide/idm/idm_signature_engines.html#wpmkr1277737
>
> Regards,
>
> Tyson Scott - CCIE #13513 R&S, Security, and SP
> Managing Partner / Sr. Instructor - IPexpert, Inc.
> Mailto: [email protected]
> Telephone: +1.810.326.1444, ext. 208
> Live Assistance, Please visit: www.ipexpert.com/chat
> eFax: +1.810.454.0130
>
> IPexpert is a premier provider of Self-Study Workbooks, Video on Demand,
> Audio Tools, Online Hardware Rental and Classroom Training for the Cisco
> CCIE (R&S, Voice, Security & Service Provider) certification(s) with
> training locations throughout the United States, Europe, South Asia and
> Australia. Be sure to visit our online communities at
> www.ipexpert.com/communities and our public website at www.ipexpert.com
>
> *From:* Kingsley Charles [mailto:[email protected]]
> *Sent:* Wednesday, September 29, 2010 11:09 AM
> *To:* Tyson Scott
> *Cc:* [email protected]
> *Subject:* Re: [OSL | CCIE_Security] IPS AIC HTTP
>
> Hi Tyson
>
> Do we need to configure a signature of the AIC engine after enabling AIC HTTP,
> or is just enabling AIC HTTP sufficient for non-RFC compliant traffic?
>
> With regards
> Kings
>
> On Wed, Sep 29, 2010 at 8:15 PM, Tyson Scott <[email protected]> wrote:
>
> AIC also has the capability of detecting tunneled traffic. You could try
> to tunnel some traffic with something like PC-Anywhere and see if you can
> detect it that way.
>
> Regards,
>
> Tyson Scott - CCIE #13513 R&S, Security, and SP
> Managing Partner / Sr. Instructor - IPexpert, Inc.
>
> *From:* [email protected] [mailto:[email protected]] *On Behalf Of* Kingsley Charles
> *Sent:* Wednesday, September 29, 2010 7:38 AM
> *To:* [email protected]
> *Subject:* [OSL | CCIE_Security] IPS AIC HTTP
>
> Hi all
>
> If there is a task asking to configure the IPS sensor to detect HTTP traffic
> that is non-RFC compliant, then what should be the solution?
>
> Should I just enable AIC HTTP at the path *Configuration > Policies >
> Signature Definitions > sig0 > All Signatures > Advanced > Miscellaneous >
> HTTP Policy > Enable HTTP > Yes*
>
> or
>
> enable HTTP AIC and configure a sig by selecting the type *"Define
> Web Traffic Policy"* and selecting *"Yes"* for *"alarm on Non-HTTP traffic"*?
>
> I need to verify it. Can someone let me know a simple way to
> generate non-compliant RFC HTTP traffic, to check if it is enough to just
> enable AIC HTTP to detect non-compliant RFC traffic?
>
> Please don't tell me to telnet to port 80. I am aware of that :-)
>
> I need something like an HTTP request without "get". This can't be simulated
> in the lab. Any other method that can be simulated in the lab?
>
> *Snippet from Help page*
>
> Configuration > Policies > Signature Definitions > sig0 > All Signatures >
> Advanced > Miscellaneous > Help
>
> Fields
>
> The following fields are found on the Miscellaneous tab:
>
> Application Policy—Lets you configure application policy enforcement.
>
> Enable HTTP—Enables protection for web services. Check the Yes check box
> to require the sensor to inspect HTTP traffic for compliance with the RFC.
>
> Max HTTP Requests—Specifies the maximum number of outstanding HTTP requests
> per connection.
>
> AIC Web Ports—Specifies the variable for ports to look for AIC traffic.
>
> Enable FTP—Enables protection for web services. Check the Yes check box to
> require the sensor to inspect FTP traffic.
>
> With regards
> Kings
