It's a bit unclear whether the task to block the string "COMMAND" or "nslookup".
Generally speaking you have to create a custom signature and match it against a 
regex, e.g. nslookup if you want to match it exactly to this command or 
[Nn][Ss][Ll][Oo][Oo][Kk][Uu][Pp] for any combination of it.
The most important part is to choose the right engine and if I'm not mistaken 
it should String TCP.
Then specify the associated action for the signature. You can deny the packet 
only if it is in inline mode.

Eugene

-----Original Message-----
From: [email protected] 
[mailto:[email protected]] On Behalf Of schilling
Sent: 27 February 2012 09:09
To: ccie security
Subject: [OSL | CCIE_Security] IPS Question

Just saw this question from securityie.com, any idea of how to do this?

The question should be:
I want to block the attacker when he executes "COMMAND" nslookup as an
administrator on a windows machine. I know how to block the
functionality of nslookup, but I want to block the connection only
when executed by an admin.
_______________________________________________
For more information regarding industry leading CCIE Lab training, please visit 
www.ipexpert.com

Are you a CCNP or CCIE and looking for a job? Check out 
www.PlatinumPlacement.com
_______________________________________________
For more information regarding industry leading CCIE Lab training, please visit 
www.ipexpert.com

Are you a CCNP or CCIE and looking for a job? Check out 
www.PlatinumPlacement.com

Reply via email to