You might also create a compound signature via the Meta Engine.
Create two custom IPS signatures.

· First IPS Signature will have a regex for the name
· Second IPS signature will have a regex for the configure

Then tie the two together to create a compound signature.

Meta Engine information
http://www.cisco.com/en/US/docs/security/ips/6.0/configuration/guide/idm/dmSigDef.html#wp1084253

thanks,

*Matt Manire*
*CCSP, CCNP, CCDP, MCSE* *2003 & MCSE 2000*
*Information Systems Security Manager*
[email protected]
*t*: 817.525.1863
*f*: 817.525.1903
*m*: 817.271.9165
*First Rate* | 1903 Ascension Boulevard | Arlington, TX 76006 | www.FirstRate.com <http://www.firstrate.com/>

*From:* [email protected] [mailto: [email protected]] *On Behalf Of* Eugene Pefti
*Sent:* Monday, April 16, 2012 8:13 PM
*To:* Ananthan; [email protected]
*Subject:* Re: [OSL | CCIE_Security] IPS Signature

Example: you want to block/drop all packets with the “configure” command aimed to configure IOS devices and carried over Telnet.

You create a custom signature matching the first 4 characters of the “configure” command - conf

Signature Name – Stop_Bad_Command
Signature engine – String TCP
Event Action – Deny attacker inline and produce alert
Specify Min Match Length – Yes
Min Match Length – 4
Regex String – [cC][oO][nN][fF]
Service port – 23
Direction – To Service

Eugene

*From:* [email protected] [mailto: [email protected]] *On Behalf Of* Ananthan
*Sent:* 15 April 2012 21:36
*To:* [email protected]
*Subject:* [OSL | CCIE_Security] IPS Signature

Hi Experts,

I need to configure one signature that triggers when the specific user gives a specific command. How can I configure it? Could you please give any suggestions?

-Ananthan
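A simplified Python model of the two-component approach discussed in this thread, added here as an illustration; it is not code from any poster and not Cisco's Meta engine implementation. The user name `labuser`, the 60-second interval, the per-address-pair correlation, the addresses and the sample traffic are all constructed assumptions. It also shows that the four-character regex fires on `show running-config`, which matters when the event action is Deny attacker inline.

```python
import re
from dataclasses import dataclass

# Component 1: the regex from the thread (String TCP, port 23, To Service).
CMD_RE = re.compile(r"[cC][oO][nN][fF]")
# Component 2: hypothetical user-name regex; "labuser" is a constructed name.
USER_RE = re.compile(r"[lL][aA][bB][uU][sS][eE][rR]")
TELNET_PORT = 23
RESET_INTERVAL = 60.0  # assumed: seconds within which both components must fire

@dataclass
class Segment:
    """One client-to-server chunk of an already reassembled TCP stream."""
    ts: float
    src: str
    dst: str
    dport: int
    data: str

def meta_alerts(segments):
    """Return (ts, src, dst) each time the command component fires after the
    user-name component fired for the same src/dst pair within the interval."""
    last_user = {}  # (src, dst) -> time the user-name component last fired
    alerts = []
    for s in sorted(segments, key=lambda x: x.ts):
        if s.dport != TELNET_PORT:
            continue  # both components are limited to service port 23
        key = (s.src, s.dst)
        if USER_RE.search(s.data):
            last_user[key] = s.ts
        if (CMD_RE.search(s.data) and key in last_user
                and s.ts - last_user[key] <= RESET_INTERVAL):
            alerts.append((s.ts, s.src, s.dst))
    return alerts

# Constructed sample traffic (not captured data).
SAMPLE = [
    Segment(0.0, "10.0.0.5", "10.0.0.1", 23, "labuser\r\n"),
    Segment(1.0, "10.0.0.5", "10.0.0.1", 80, "labuser conf"),        # wrong port
    Segment(5.0, "10.0.0.5", "10.0.0.1", 23, "Configure Terminal\r\n"),
    Segment(6.0, "10.0.0.9", "10.0.0.1", 23, "admin\r\n"),
    Segment(9.0, "10.0.0.9", "10.0.0.1", 23, "conf t\r\n"),          # other user
    Segment(20.0, "10.0.0.5", "10.0.0.1", 23, "show running-config\r\n"),
    Segment(200.0, "10.0.0.5", "10.0.0.1", 23, "conf t\r\n"),        # interval expired
]

if __name__ == "__main__":
    for ts, src, dst in meta_alerts(SAMPLE):
        print(f"meta alert at t={ts}: {src} -> {dst}:{TELNET_PORT}")
```

The alert at t=20.0 comes from a read-only `show running-config`, so a tighter second regex or a less disruptive event action is worth considering before deploying the four-character match inline.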
