Hi guys,
I'm back to my CCIE studies after a lot of lengthy projects.
I was able to reproduce/re-create this custom signature, but I had to use the IPS
module inside the ASA firewall, and it worked for me. Signature 60003 looks like
this:
signatures 60003 0
sig-description
sig-name Test Telnet
exit
engine string-tcp
regex-string GET
service-ports 80
exit
exit
exit
Basically it fires every time any browser makes a connection to a web server
and sends a GET request to fetch the web page.
I have another problem with IPS, and it is IOS IPS. I know it doesn't fall into
the CCIE blueprint, but just out of curiosity and for the sake of knowledge. I'm
trying to show the value of IOS IPS to the client and created almost the same
custom signature:
R3#sh ip ips signature sigid 60001 subid 0
En - possible values are Y, Y*, N, or N*
Y: signature is enabled
N: enabled=false in the signature definition file
*: retired=true in the signature definition file
Cmp - possible values are Y, Ni, Nr, Nf, or No
Y: signature is compiled
Ni: signature not compiled due to invalid or missing parameters
Nr: signature not compiled because it is retired
Nf: signature compile failed
No: signature is obsoleted
Nd: signature is disallowed
Action=(A)lert, (D)eny, (R)eset, Deny-(H)ost, Deny-(F)low
Trait=alert-traits EC=event-count AI=alert-interval
GST=global-summary-threshold SI=summary-interval SM=summary-mode
SW=swap-attacker-victim SFR=sig-fidelity-rating Rel=release
SigID:SubID En Cmp Action Sev Trait EC   AI   GST   SI  SM SW SFR Rel
----------- -- --- ------ --- ----- ---- ---- ----- --- -- -- --- ---
60001:0     Y  Y   A      MED 0     1    0    0     0   FA N  75  custom
sig-name: Test Telnet
sig-string-info: My Sig Info
sig-comment: Sig Comment
sig-type: Other
Engine string-tcp params:
min-match-length: 0
regex-string: [cC][oO][nN][fF]
service-ports: 23
direction: to-service
exact-match-offset: 0
max-match-offset: 0
min-match-offset: 0
The signature is supposed to fire every time someone connects over Telnet to
the router and then issues "conf" command. I do see signatures 2000 and 2004
for ICMP firing when enabled but nothing works for me with the custom signature.
Eugene
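As an added example (not part of the thread, and not Cisco's string-tcp engine), the following Python script models what the parameters shown in both signatures above (regex-string, service-ports, direction to-service) select, and runs that model over constructed HTTP and Telnet segments. The sample flows, the client port 51000 and the assumption that a Telnet client in character-at-a-time mode ships each keystroke in its own segment are constructed for the example; whether the real IOS IPS engine reassembles the stream before applying the regex, or inspects sessions that terminate on the router itself, is not something the thread establishes, so the script only makes the per-segment versus reassembled-stream distinction visible for the two regexes.

```python
"""Model of string-tcp regex/port/direction selection (added example, not Cisco code)."""
import re
from dataclasses import dataclass
from typing import List, Set


@dataclass
class Segment:
    """Payload of one TCP segment; the ports identify which way it flows."""
    src_port: int
    dst_port: int
    payload: bytes


@dataclass
class StringTcpSig:
    """The subset of string-tcp parameters visible in the two signatures above."""
    sig_id: int
    name: str
    regex: bytes
    service_ports: Set[int]
    direction: str = "to-service"   # "to-service" or "from-service"

    def selects(self, seg: Segment) -> bool:
        """Port/direction filter: to-service looks only at client->server bytes."""
        if self.direction == "to-service":
            return seg.dst_port in self.service_ports
        return seg.src_port in self.service_ports


def match_per_segment(sig: StringTcpSig, flow: List[Segment]) -> List[int]:
    """Indices of segments whose own payload satisfies the regex (no reassembly)."""
    return [i for i, seg in enumerate(flow)
            if sig.selects(seg) and re.search(sig.regex, seg.payload)]


def match_reassembled(sig: StringTcpSig, flow: List[Segment]) -> bool:
    """The same regex applied to the concatenated client->server byte stream."""
    stream = b"".join(seg.payload for seg in flow if sig.selects(seg))
    return re.search(sig.regex, stream) is not None


# The two signatures from the thread, transcribed into this model.
SIG_60003 = StringTcpSig(60003, "Test Telnet (ASA IPS module, HTTP GET)", rb"GET", {80})
SIG_60001 = StringTcpSig(60001, "Test Telnet (IOS IPS)", rb"[cC][oO][nN][fF]", {23})

# Constructed sample flows; 51000 is an arbitrary ephemeral client port.
HTTP_FLOW = [Segment(51000, 80, b"GET / HTTP/1.1\r\nHost: r3\r\n\r\n")]
TELNET_LINE_MODE = [Segment(51000, 23, b"conf t\r\n")]            # whole line in one segment
TELNET_CHAR_MODE = [Segment(51000, 23, c)                          # one keystroke per segment
                    for c in (b"c", b"o", b"n", b"f", b" ", b"t", b"\r\n")]
TELNET_SERVER_ECHO = [Segment(23, 51000, b"conf t\r\n")]          # router echoing, from-service


if __name__ == "__main__":
    cases = [
        ("60003 over HTTP GET", SIG_60003, HTTP_FLOW),
        ("60001 over Telnet, line mode", SIG_60001, TELNET_LINE_MODE),
        ("60001 over Telnet, char-at-a-time", SIG_60001, TELNET_CHAR_MODE),
        ("60001 over router echo (wrong direction)", SIG_60001, TELNET_SERVER_ECHO),
    ]
    for label, sig, flow in cases:
        print(f"{label:45s} per-segment hits={match_per_segment(sig, flow)} "
              f"reassembled={match_reassembled(sig, flow)}")
```

Running it shows the GET signature and the line-mode Telnet flow matching on a single segment, the keystroke-per-segment flow matching only once the client-to-server bytes are reassembled, and the router's echo of the command never being examined because direction is to-service.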
From: [email protected]
[mailto:[email protected]] On Behalf Of Jerome Dolphin
Sent: 02 March 2011 22:20
To: Kingsley Charles
Cc: OSL Security
Subject: Re: [OSL | CCIE_Security] Lab 16 task 3.1 / IPS custom sig / string TCP
Sorry Kings, too late now, the rack rental session has ended - should have
taken a copy of the IPS config before it wrapped up.
On Thu, Mar 3, 2011 at 5:05 PM, Kingsley Charles <[email protected]> wrote:
Can you post your sig config.
With regards
Kings
On Thu, Mar 3, 2011 at 10:03 AM, Vybhav Ramachandran <[email protected]> wrote:
Grr too! Too bad IPS is too expensive to have in one's home lab :)
Can anyone shed light on this?
Cheers,
TacACK
_______________________________________________
For more information regarding industry leading CCIE Lab training, please visit
www.ipexpert.com