I think this one depends so much in how the command is placed, Mainly because you can do sh run, show running-config, sh runn, etc. Now, I have seen that some types of telnet clients, send character per character making it difficult to the IPS to catch the string.
My advice here, get and IP logging, open it with wireshark, see how the string is being sent and then create the string tcp signature. Mike. Date: Sun, 19 Aug 2012 08:16:20 +1000 From: [email protected] To: [email protected] CC: [email protected] Subject: Re: [OSL | CCIE_Security] IPS Question could you post your signature config in text? On 8/18/2012 4:12 PM, Bruno Silva wrote: Hi Guys, I was studying some IPS functions and I came accross the regex session, which is no news to me but, I was wondering if I had the following cenario: R1 ------ IPS ------ASA1 Suppose I want to reset a telnet connection from R1 to ASA1 when the user types show running-config how would I do that? I tried a lot of regular expressions but I wasn`t able to do it...Mainly because when the user is typping, it`s already sending the characters to the destination so if I do a common regular expression the session is not reseted or I can just sneak a way in to it doing stuff like typing show r and hitting "enter", comming back to the previous string and completing it, or even worst, I can type (space) show runn and it will still work. Can any of you guys think of a way of doing it? If it was another device I would do this with expect, because I would expect the prompt to change and then reset the connection, but I don`t think the Cisco IPS has this function does it? What do you guys think? Thank you very much, Bruno. _______________________________________________ For more information regarding industry leading CCIE Lab training, please visit www.ipexpert.com Are you a CCNP or CCIE and looking for a job? Check out www.PlatinumPlacement.com _______________________________________________ For more information regarding industry leading CCIE Lab training, please visit www.ipexpert.com Are you a CCNP or CCIE and looking for a job? Check out www.PlatinumPlacement.com
_______________________________________________ For more information regarding industry leading CCIE Lab training, please visit www.ipexpert.com Are you a CCNP or CCIE and looking for a job? Check out www.PlatinumPlacement.com
