I am not sure I fully understand the statement below but TCP string will look in the L4 payload which includes the application layer information.
When trying to match a string in the URI field of a http request the HTTP signature is the better choice as it can distinguish fields in the HTTP header versus just looking in the payload of the TCP packet. Regards, Tyson Scott - CCIE #13513 R&S, Security, and SP Managing Partner / Sr. Instructor - IPexpert, Inc. Mailto: [email protected] Telephone: +1.810.326.1444, ext. 208 Live Assistance, Please visit: www.ipexpert.com/chat eFax: +1.810.454.0130 IPexpert is a premier provider of Self-Study Workbooks, Video on Demand, Audio Tools, Online Hardware Rental and Classroom Training for the Cisco CCIE (R&S, Voice, Security & Service Provider) certification(s) with training locations throughout the United States, Europe, South Asia and Australia. Be sure to visit our online communities at www.ipexpert.com/communities and our public website at www.ipexpert.com -----Original Message----- From: [email protected] [mailto:[email protected]] On Behalf Of VIJAY SHEKHAR Sent: Tuesday, February 01, 2011 4:26 PM To: Pemasiri Devanarayana Cc: [email protected]; [email protected] Subject: Re: Custom Signature HTTP engine inspects Layer7 payload, where as TCP engine does not, Since the keyword is located in L7 of the packet TCP engine is useless in this case. -Vijay Shekhar CCIE#17589/CISSP#65114/RHCE http://au.linkedin.com/in/vshekhar Quoting Pemasiri Devanarayana <[email protected]>: > Hi > > When we want to create custom signature denying based on patter/word in the > http, why cant we use engine "String TCP" instead of "Service HTTP" engine? > > appreciate some clarification on both?. > > thanks _______________________________________________ For more information regarding industry leading CCIE Lab training, please visit www.ipexpert.com
