It's a bit unclear whether the task to block the string "COMMAND" or "nslookup". Generally speaking you have to create a custom signature and match it against a regex, e.g. nslookup if you want to match it exactly to this command or [Nn][Ss][Ll][Oo][Oo][Kk][Uu][Pp] for any combination of it. The most important part is to choose the right engine and if I'm not mistaken it should String TCP. Then specify the associated action for the signature. You can deny the packet only if it is in inline mode.
Eugene -----Original Message----- From: [email protected] [mailto:[email protected]] On Behalf Of schilling Sent: 27 February 2012 09:09 To: ccie security Subject: [OSL | CCIE_Security] IPS Question Just saw this question from securityie.com, any idea of how to do this? The question should be: I want to block the attacker when he executes "COMMAND" nslookup as an administrator on a windows machine. I know how to block the functionality of nslookup, but I want to block the connection only when executed by an admin. _______________________________________________ For more information regarding industry leading CCIE Lab training, please visit www.ipexpert.com Are you a CCNP or CCIE and looking for a job? Check out www.PlatinumPlacement.com _______________________________________________ For more information regarding industry leading CCIE Lab training, please visit www.ipexpert.com Are you a CCNP or CCIE and looking for a job? Check out www.PlatinumPlacement.com
