Can you configure "fireall" and let me know if you are still facing the issue.

With regards
Kings

On Fri, Mar 4, 2011 at 11:03 AM, Eugene Pefti <[email protected]> wrote:

> Summary Mode: Summarize
> Summary Interval: 15
> Summary Key: Attacker Address
> Specify Global Summary Threshold: No
>
> What does it have to do with it, Kings? The signature didn't fire once.
>
> From: Kingsley Charles <[email protected]>
> Date: Fri, 4 Mar 2011 10:47:17 +0530
> To: Ivan Lopuhov <[email protected]>
> Cc: Jerome Dolphin <[email protected]>, OSL Security <[email protected]>
> Subject: Re: [OSL | CCIE_Security] Lab 16 task 3.1 / IPS custom sig / string TCP
>
> What is the summary mode configured for the signature?
>
> With regards
> Kings
>
> On Fri, Mar 4, 2011 at 2:45 AM, Eugene Pefti <[email protected]> wrote:
>
>> Hi guys,
>>
>> I’m back to my CCIE studies after a lot of lengthy projects.
>>
>> I was able to reproduce/re-create this custom signature but had to use IPS
>> module inside ASA firewall and it worked for me. The signature 60003 looks
>> like this:
>>
>> signatures 60003 0
>> sig-description
>> sig-name Test Telnet
>> exit
>> engine string-tcp
>> regex-string GET
>> service-ports 80
>> exit
>> exit
>> exit
>>
>> Basically it fires every time when any browser makes a connection to a web
>> server and sends GET request to fetch the web page.
>>
>> I have another problem with IPS and it is IOS IPS. I know it doesn’t fall
>> into CCIE blueprint but just out of curiosity and for the sake of knowledge.
>> I’m trying to show the value of IOS IPS to the client and created almost the
>> same custom signature:
>>
>> R3#sh ip ips signature sigid 60001 subid 0
>>
>> En - possible values are Y, Y*, N, or N*
>>       Y: signature is enabled
>>       N: enabled=false in the signature definition file
>>       *: retired=true in the signature definition file
>> Cmp - possible values are Y, Ni, Nr, Nf, or No
>>       Y: signature is compiled
>>       Ni: signature not compiled due to invalid or missing parameters
>>       Nr: signature not compiled because it is retired
>>       Nf: signature compile failed
>>       No: signature is obsoleted
>>       Nd: signature is disallowed
>> Action=(A)lert, (D)eny, (R)eset, Deny-(H)ost, Deny-(F)low
>> Trait=alert-traits EC=event-count AI=alert-interval
>> GST=global-summary-threshold SI=summary-interval SM=summary-mode
>> SW=swap-attacker-victim SFR=sig-fidelity-rating Rel=release
>>
>> SigID:SubID En Cmp  Action Sev Trait EC   AI   GST   SI  SM SW SFR Rel
>> ----------- -- ---- ------ --- ----- ---- ---- ----- --- -- -- --- ---
>> 60001:0     Y  Y    A      MED 0     1    0    0     0   FA N  75  custom
>>   sig-name: Test Telnet
>>   sig-string-info: My Sig Info
>>   sig-comment: Sig Comment
>>   sig-type: Other
>>   Engine string-tcp params:
>>     min-match-length: 0
>>     regex-string: [cC][oO][nN][fF]
>>     service-ports: 23
>>     direction: to-service
>>     exact-match-offset: 0
>>     max-match-offset: 0
>>     min-match-offset: 0
>>
>> The signature is supposed to fire every time someone connects over Telnet
>> to the router and then issues “conf” command. I do see signatures 2000 and
>> 2004 for ICMP firing when enabled but nothing works for me with the custom
>> signature.
>>
>> Eugene
>>
>> *From:* [email protected] [mailto:[email protected]] *On Behalf Of* Jerome Dolphin
>> *Sent:* 02 March 2011 22:20
>> *To:* Kingsley Charles
>> *Cc:* OSL Security
>> *Subject:* Re: [OSL | CCIE_Security] Lab 16 task 3.1 / IPS custom sig / string TCP
>>
>> Sorry Kings, too late now, the rack rental session has ended - should have
>> taken a copy of the IPS config before it wrapped up.
>>
>> On Thu, Mar 3, 2011 at 5:05 PM, Kingsley Charles <[email protected]> wrote:
>>
>> Can you post your sig config.
>>
>> With regards
>> Kings
>>
>> On Thu, Mar 3, 2011 at 10:03 AM, Vybhav Ramachandran <[email protected]> wrote:
>>
>> Grr too! Too bad IPS is too expensive to have in one's home lab :)
>>
>> Can anyone shed light on this?
>>
>> Cheers,
>> TacACK
>>
>> _______________________________________________
>> For more information regarding industry leading CCIE Lab training, please
>> visit www.ipexpert.com
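A simplified model of the matching that the quoted signature 60001 describes, added here as an example and not taken from the thread or from Cisco: it applies the signature's regex-string, service-ports and direction values to constructed Telnet segments that carry one keystroke each. The segment tuples, addresses and the per-packet function used for contrast are assumptions for illustration; this models the idea of stream-based matching, not IOS IPS internals.

```python
import re
from collections import defaultdict

# Parameters copied from the "sh ip ips signature sigid 60001" output in the thread.
SIG = {"id": 60001, "regex": re.compile(rb"[cC][oO][nN][fF]"),
       "service_port": 23, "direction": "to-service"}

# Constructed sample traffic: (src_ip, src_port, dst_ip, dst_port, payload).
# A Telnet client in character mode sends each keystroke in its own segment.
SEGMENTS = [
    ("10.0.0.5", 40001, "10.0.0.3", 23, b"c"),
    ("10.0.0.5", 40001, "10.0.0.3", 23, b"o"),
    ("10.0.0.3", 23, "10.0.0.5", 40001, b"co"),    # server echo, from-service
    ("10.0.0.5", 40001, "10.0.0.3", 23, b"n"),
    ("10.0.0.5", 40001, "10.0.0.3", 23, b"f\r\n"),
    ("10.0.0.9", 40002, "10.0.0.3", 80, b"conf"),  # wrong port, must not match
]

def in_scope(seg, sig):
    """Keep only client-to-server segments aimed at the service port."""
    return sig["direction"] == "to-service" and seg[3] == sig["service_port"]

def match_per_packet(segments, sig):
    """Hypothetical packet-at-a-time matching, shown only for contrast."""
    return [seg[:4] for seg in segments
            if in_scope(seg, sig) and sig["regex"].search(seg[4])]

def match_stream(segments, sig):
    """Stream-based matching: append in-scope payloads per flow, search the buffer."""
    buffers, alerts = defaultdict(bytes), []
    for seg in segments:
        if not in_scope(seg, sig):
            continue
        flow = seg[:4]
        buffers[flow] += seg[4]
        if sig["regex"].search(buffers[flow]):
            alerts.append(flow)
            buffers[flow] = b""  # reset so one typed command yields one alert
    return alerts

if __name__ == "__main__":
    print("per-packet:", match_per_packet(SEGMENTS, SIG))
    print("stream    :", match_stream(SEGMENTS, SIG))
```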
