There's no difference whether you configure the regex for "ananthan" or "configure" for the TCP string engine. The signature will fire once there's a match.
Sent from iPhone

On Apr 18, 2012, at 8:35 PM, "Ananthan" <[email protected]> wrote:

Hi Eugene,

Thanks for the update... One more clarification.. If this ticket triggered when the command originated by username "ananthan" how we can configure ?

On Tue, Apr 17, 2012 at 9:13 AM, Eugene Pefti <[email protected]> wrote:

Example: you want to block/drop all packets with “configure” command aimed to configure IOS devices and carried over Telnet.
You create a custom signature matching for first 4 characters of the “configure” command - conf

Signature Name – Stop_Bad_Command
Signature engine – String TCP
Event Action – Deny attacker inline and produce alert
Specify Min Match Length – Yes
Min Match Length – 4
Regex String – [cC][oO][nN][fF]
Service port – 23
Direction – To Service

Eugene

From: [email protected] [mailto:[email protected]] On Behalf Of Ananthan
Sent: 15 April 2012 21:36
To: [email protected]
Subject: [OSL | CCIE_Security] IPS Signature

Hi Experts,

I need to configure one signature that trigger when the specific user give a specific command. How can i configure? Could you please any suggestion ?

-Ananthan
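
Added example, not part of the original thread: a Python model of the String TCP signature fields quoted above, run over constructed Telnet keystrokes, to show what each regex does and does not match. It assumes Python's `re` approximates the sensor's regex engine and that matching happens on the reassembled client-to-server stream; the `User_ananthan` entry and its minimum match length are hypothetical.

```python
import re

# Stop_Bad_Command uses the field values from the thread. User_ananthan is a
# hypothetical second signature for the username case raised in the thread.
SIGNATURES = {
    "Stop_Bad_Command": {"regex": rb"[cC][oO][nN][fF]", "min_match_length": 4, "port": 23},
    "User_ananthan": {"regex": rb"ananthan", "min_match_length": 8, "port": 23},
}


def fired(segments, dst_port):
    """Return the sorted names of signatures matching a client-to-server stream.

    segments: payloads of the TCP segments sent towards the service, in order.
    Assumption: the engine inspects the reassembled stream, so a command typed
    one keystroke per segment is still seen as a whole.
    """
    stream = b"".join(segments)
    hits = []
    for name, sig in SIGNATURES.items():
        if dst_port != sig["port"]:  # Service port / Direction: To Service
            continue
        match = re.search(sig["regex"], stream)  # unanchored, like the thread's regex
        if match and len(match.group(0)) >= sig["min_match_length"]:
            hits.append(name)
    return sorted(hits)


# Constructed Telnet sessions (client keystrokes only, not captured traffic).
SESSIONS = {
    "ananthan, show version": [b"ananthan\r\n", b"secret\r\n", b"show version\r\n"],
    "bob, conf t per keystroke": [b"bob\r\n", b"pw\r\n", b"c", b"o", b"n", b"f", b" t\r\n"],
    "bob, upper case": [b"bob\r\n", b"pw\r\n", b"CONF T\r\n"],
    "bob, show running-config": [b"bob\r\n", b"pw\r\n", b"show running-config\r\n"],
    "ananthan, configure": [b"ananthan\r\n", b"secret\r\n", b"configure terminal\r\n"],
}

if __name__ == "__main__":
    for label, segs in SESSIONS.items():
        print(f"{label:28} -> {fired(segs, 23)}")
```

In this model each signature fires on its own match anywhere in the stream, and the unanchored `[cC][oO][nN][fF]` also matches the read-only `show running-config`, which is worth checking before attaching a deny action.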
