What is the summary mode configured for the signature?

With regards
Kings

On Fri, Mar 4, 2011 at 2:45 AM, Eugene Pefti <[email protected]> wrote:

> Hi guys,
>
> I’m back to my CCIE studies after a lot of lengthy projects.
>
> I was able to reproduce/re-create this custom signature but had to use IPS
> module inside ASA firewall and it worked for me. The signature 60003 looks
> like this:
>
> signatures 60003 0
> sig-description
> sig-name Test Telnet
> exit
> engine string-tcp
> regex-string GET
> service-ports 80
> exit
> exit
> exit
>
> Basically it fires every time when any browser makes a connection to a web
> server and sends GET request to fetch the web page.
>
> I have another problem with IPS and it is IOS IPS. I know it doesn’t fall
> into CCIE blueprint but just out of curiosity and for the sake of knowledge.
> I’m trying to show the value of IOS IPS to the client and created almost the
> same custom signature:
>
> R3#sh ip ips signature sigid 60001 subid 0
>
> En  - possible values are Y, Y*, N, or N*
>       Y: signature is enabled
>       N: enabled=false in the signature definition file
>       *: retired=true in the signature definition file
> Cmp - possible values are Y, Ni, Nr, Nf, or No
>       Y: signature is compiled
>       Ni: signature not compiled due to invalid or missing parameters
>       Nr: signature not compiled because it is retired
>       Nf: signature compile failed
>       No: signature is obsoleted
>       Nd: signature is disallowed
> Action=(A)lert, (D)eny, (R)eset, Deny-(H)ost, Deny-(F)low
> Trait=alert-traits EC=event-count AI=alert-interval
> GST=global-summary-threshold SI=summary-interval SM=summary-mode
> SW=swap-attacker-victim SFR=sig-fidelity-rating Rel=release
>
> SigID:SubID En Cmp  Action Sev Trait EC   AI   GST   SI  SM SW SFR Rel
> ----------- -- ---- ------ --- ----- ---- ---- ----- --- -- -- --- ---
> 60001:0     Y  Y    A      MED 0     1    0    0     0   FA N  75  custom
>   sig-name: Test Telnet
>   sig-string-info: My Sig Info
>   sig-comment: Sig Comment
>   sig-type: Other
>   Engine string-tcp params:
>     min-match-length: 0
>     regex-string: [cC][oO][nN][fF]
>     service-ports: 23
>     direction: to-service
>     exact-match-offset: 0
>     max-match-offset: 0
>     min-match-offset: 0
>
> The signature is supposed to fire every time someone connects over Telnet
> to the router and then issues “conf” command. I do see signatures 2000 and
> 2004 for ICMP firing when enabled but nothing works for me with the custom
> signature.
>
> Eugene
>
> *From:* [email protected] [mailto:[email protected]]
> *On Behalf Of *Jerome Dolphin
> *Sent:* 02 March 2011 22:20
> *To:* Kingsley Charles
> *Cc:* OSL Security
> *Subject:* Re: [OSL | CCIE_Security] Lab 16 task 3.1 / IPS custom sig /
> string TCP
>
> Sorry Kings, too late now, the rack rental session has ended - should have
> taken a copy of the IPS config before it wrapped up.
>
> On Thu, Mar 3, 2011 at 5:05 PM, Kingsley Charles <[email protected]> wrote:
>
> Can you post your sig config.
>
> With regards
> Kings
>
> On Thu, Mar 3, 2011 at 10:03 AM, Vybhav Ramachandran <[email protected]>
> wrote:
>
> Grr too! Too bad IPS is too expensive to have in one's home lab :)
>
> Can anyone shed light on this?
>
> Cheers,
> TacACK
>
> _______________________________________________
> For more information regarding industry leading CCIE Lab training, please
> visit www.ipexpert.com
