Well, I think the connection to Unix is a catch. There's no difference whether you telnet to the router or to a Unix host. What is important is to capture the string "netstat". Just select the String TCP engine and use the regex "netstat". Since commands on Unix are case sensitive, there's no point matching on UPPER case characters in this string. Again, this is how I would do it.
Sent from iPhone

On Jun 8, 2012, at 10:02 PM, "nazir iqbal" <[email protected]> wrote:

yes

On Sat, Jun 9, 2012 at 6:23 AM, Eugene Pefti <[email protected]> wrote:

Nazir,
If you don't mind, let me paraphrase the task to make sure I understand it right. Some user makes a connection to a Unix machine; once connected, he sends the "netstat" command. This should make the custom signature fire and create at least an alert?
Eugene

From: [email protected] [mailto:[email protected]] On Behalf Of nazir iqbal
Sent: Thursday, June 07, 2012 9:34 PM
To: [email protected]
Subject: [OSL | CCIE_Security] Fwd: CCIE_Security Digest, Vol 72, Issue 35

Create a new signature 60009 for Unix workstations: when a user in a telnet session runs netstat (i.e. su.+netstat), the signature should fire on use of the netstat command. Does anybody have the right solution for netstat on IPS signature 60009? Please provide it.

---------- Forwarded message ----------
From: <[email protected]>
Date: Fri, Jun 8, 2012 at 6:48 AM
Subject: CCIE_Security Digest, Vol 72, Issue 35
To: [email protected]

Today's Topics:
1. CCIE Security extended blueprint (Eugene Pefti)
2. Re: CCIE Security extended blueprint (Eugene Pefti)
3. Re: CCIE Security extended blueprint (Ben Shaw)
4. Re: CCIE Security extended blueprint (Eugene Pefti)

------------------------------

Message: 1
Date: Thu, 7 Jun 2012 22:18:57 +0000
From: Eugene Pefti <[email protected]>
To: [email protected]
Subject: [OSL | CCIE_Security] CCIE Security extended blueprint

Guys,
I heard/saw people referring to the so-called extended CCIE Security blueprint. How different is it from the one that I always thought of as the only blueprint:
http://www.cisco.com/web/learning/le3/ccie/security/lab_exam_blueprint_v3.html

Secondly, what about the "automatic signature extraction" feature, which is one of the techniques to prevent DoS:
http://www.cisco.com/en/US/docs/ios-xml/ios/sec_data_dos_atprvn/configuration/12-4t/sec-auto-sig-ext.html

Is it expected to be tested on the lab? I remember bugging Cisco to provide me with an evaluation of the ASE collector, but they hushed me down, saying (I quote the words of one of the product managers) "it would be too good to be true".

How would I navigate to the above-said document if I were to look for the TCP intercept feature on Cisco docs?

Eugene
------------------------------

Message: 2
Date: Thu, 7 Jun 2012 22:30:19 +0000
From: Eugene Pefti <[email protected]>
To: [email protected]
Subject: Re: [OSL | CCIE_Security] CCIE Security extended blueprint

I think I found an answer to my question on ASE. Threat Information Distribution Protocol, an essential protocol for communication between the sensor and the collector, was announced EOL in IOS 12.4(20) and higher.
------------------------------

Message: 3
Date: Fri, 8 Jun 2012 11:14:40 +1000
From: Ben Shaw <[email protected]>
To: Eugene Pefti <[email protected]>
Cc: [email protected]
Subject: Re: [OSL | CCIE_Security] CCIE Security extended blueprint

Hi Eugene,

Regarding the extended blueprint, I think it just lists more verbosely the things that one should be studying anyway to prepare for the lab, not so much additional technologies. I was working from the standard blueprint, but about a quarter of the way through it I discovered the extended one, which I have now shifted over to. In my experience, even though there was more detail in the extended blueprint, I had covered most of the extra things it mentioned in the topics I had studied up to that point in the original blueprint. While Cisco still say that there could be topics in the exam other than those listed in the extended blueprint, my gut feeling is that if you knew everything back to front on the extended blueprint you would be fine and you wouldn't need to seek out any additional topics to study. When compared to the original blueprint, I feel the extended blueprint just lists the things you should have covered anyway when using the original blueprint. The extended blueprint, though three times the length, actually makes study easier in my opinion.

Thanks
Ben
------------------------------

Message: 4
Date: Fri, 8 Jun 2012 01:18:08 +0000
From: Eugene Pefti <[email protected]>
To: Ben Shaw <[email protected]>
Cc: [email protected]
Subject: Re: [OSL | CCIE_Security] CCIE Security extended blueprint

Thanks, Ben. So where can I take a look at the extended blueprint?
------------------------------

End of CCIE_Security Digest, Vol 72, Issue 35
_______________________________________________ For more information regarding industry leading CCIE Lab training, please visit www.ipexpert.com Are you a CCNP or CCIE and looking for a job? Check out www.PlatinumPlacement.com
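A worked illustration of the approach Eugene describes (String TCP engine, case-sensitive regex "netstat" on the telnet service port), added here by the editor; it is not code from the thread and not Cisco IPS code. It models what a string engine has to do before the regex can fire: reassemble one direction of the TCP stream (a telnet client in character-at-a-time mode sends each keystroke in its own segment, so no single packet ever contains "netstat"), strip telnet option negotiation so IAC bytes cannot sit inside the match window, and only then search. Signature ID 60009, port 23 and the regexes "netstat" and "su.+netstat" come from the thread; the session bytes, sequence numbers, password and the class/function names are constructed for the example.

```python
import re
from typing import List, Optional, Tuple

# Telnet protocol bytes (RFC 854)
IAC, SB, SE = 0xFF, 0xFA, 0xF0
WILL, WONT, DO, DONT = 0xFB, 0xFC, 0xFD, 0xFE

Segment = Tuple[int, bytes]  # (relative TCP sequence number, payload)


def strip_telnet_options(data: bytes) -> bytes:
    """Remove IAC option negotiation so it cannot sit inside the regex window."""
    out, i, n = bytearray(), 0, len(data)
    while i < n:
        if data[i] != IAC:
            out.append(data[i])
            i += 1
        elif i + 1 < n and data[i + 1] == IAC:          # IAC IAC escapes a literal 0xFF
            out.append(IAC)
            i += 2
        elif i + 1 < n and data[i + 1] in (WILL, WONT, DO, DONT):
            i += 3                                      # IAC <cmd> <option>
        elif i + 1 < n and data[i + 1] == SB:           # IAC SB ... IAC SE
            end = data.find(bytes([IAC, SE]), i + 2)
            i = n if end < 0 else end + 2
        else:
            i += 2                                      # other two-byte command, or a truncated IAC
    return bytes(out)


def reassemble(segments: List[Segment]) -> bytes:
    """Order one direction of a TCP stream and drop retransmitted bytes."""
    stream, expected = bytearray(), 0
    for seq, payload in sorted(segments):
        if seq < expected:                 # retransmission or overlap: keep only new bytes
            payload, seq = payload[expected - seq:], expected
        if seq > expected:                 # hole: a real engine waits for the gap to fill
            break
        stream += payload
        expected += len(payload)
    return bytes(stream)


class StringTcpSignature:
    """Model (not Cisco's implementation) of a String TCP custom signature: a regex
    searched over the reassembled payload of one direction of a connection."""

    def __init__(self, sig_id: int, regex: bytes, service_ports=(23,),
                 direction: str = "to-service", strip_telnet: bool = True,
                 dot_matches_newline: bool = False):
        self.sig_id = sig_id
        # Case-sensitive on purpose: Unix command names are case-sensitive.
        self.regex = re.compile(regex, re.DOTALL if dot_matches_newline else 0)
        self.service_ports = set(service_ports)
        self.direction = direction
        self.strip_telnet = strip_telnet

    def evaluate(self, client_to_server: List[Segment],
                 server_to_client: List[Segment], dst_port: int) -> Optional[bytes]:
        """Return the matched bytes when the signature fires, else None."""
        if dst_port not in self.service_ports:
            return None
        segs = client_to_server if self.direction == "to-service" else server_to_client
        data = reassemble(segs)
        if self.strip_telnet:
            data = strip_telnet_options(data)
        m = self.regex.search(data)
        return m.group(0) if m else None


def per_segment_hits(sig: StringTcpSignature, segments: List[Segment]) -> int:
    """How many segments match on their own, i.e. without stream reassembly."""
    return sum(1 for _, payload in segments if sig.regex.search(payload))


def keystrokes(text: str, start_seq: int) -> List[Segment]:
    """Telnet in character-at-a-time mode: one TCP segment per key pressed."""
    return [(start_seq + i, bytes([b])) for i, b in enumerate(text.encode())]


# Constructed sample session (not a real capture). The client first negotiates
# options, then the operator becomes root and runs netstat; one keystroke is
# retransmitted to exercise the duplicate handling.
NEGOTIATION: List[Segment] = [(0, bytes([IAC, DO, 0x01, IAC, WILL, 0x03]))]
CLIENT_STREAM = NEGOTIATION + keystrokes("su -\r\nhunter2\r\nnetstat -an\r\n", 6) + [(10, b"\r")]
SERVER_STREAM: List[Segment] = [
    (0, b"Password: \r\n# netstat -an\r\nActive Internet connections (servers and established)\r\n"),
]

SIG_60009 = StringTcpSignature(60009, rb"netstat")                                    # Eugene's suggestion
SIG_60009_SU = StringTcpSignature(60009, rb"su.+netstat", dot_matches_newline=True)   # Nazir's "su.+netstat"

if __name__ == "__main__":
    print("segments matching alone :", per_segment_hits(SIG_60009, CLIENT_STREAM))
    print("after reassembly        :", SIG_60009.evaluate(CLIENT_STREAM, SERVER_STREAM, 23))
    print("su.+netstat across lines:", SIG_60009_SU.evaluate(CLIENT_STREAM, SERVER_STREAM, 23))
```

Two checks worth carrying over to the real sensor. First, "netstat" never matches a single segment of the client-to-server stream (every keystroke travels alone), so the alert depends entirely on the engine reassembling the stream in the direction you selected; if you match from-service instead, you are matching the server's echo and command output rather than what was typed. Second, Nazir's "su.+netstat" has to span the CR/LF between two commands; in Python's regex "." does not match a newline unless DOTALL is set, so before relying on that pattern confirm what "." matches in the sensor's regex dialect, or test the signature against a real session rather than assuming.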
