I suggest using a multi-string signature for this request, or a meta signature. I don't have access to an IPS, else I'd post the config.
On Saturday, August 18, 2012, Alexei Monastyrnyi wrote:

> Yeah, the reason I was asking for a config is that I could not
> understand what type of engine Bruno was using.
>
> Bruno,
> you should be fine with TCP string engine catching that line. TCP string
> engine would try to match it across several IP packets. This is the major
> difference between atomic engines and string-like engines. In atomic one
> the string you match has to be in a single IP packet.
>
> Now, things which I can see go wrong are:
> - you are not using TCP string engine
> - your regex is lame
> - you are trying to match traffic going in the wrong direction. You should
>   match in direction from attacker to victim.
> - accordingly TCP port should be 23 TO the service
>
> Let us know how you go.
>
> HTH
> A.
>
> On 8/19/2012 8:45 AM, Mike Rojas wrote:
> > I think this one depends so much on how the command is placed,
> > mainly because you can do sh run, show running-config, sh runn, etc. Now,
> > I have seen that some types of telnet clients send character per character,
> > making it difficult for the IPS to catch the string.
> >
> > My advice here: get an IP log, open it with Wireshark, see how the
> > string is being sent and then create the string TCP signature.
> >
> > Mike.
> >
> > ------------------------------
> > Date: Sun, 19 Aug 2012 08:16:20 +1000
> > From: [email protected]
> > To: [email protected]
> > CC: [email protected]
> > Subject: Re: [OSL | CCIE_Security] IPS Question
> >
> > > could you post your signature config in text?
> > >
> > > On 8/18/2012 4:12 PM, Bruno Silva wrote:
> > > > Hi Guys,
> > > >
> > > > I was studying some IPS functions and I came across the regex session, which
> > > > is no news to me but, I was wondering if I had the following scenario:
> > > >
> > > > R1 ------ IPS ------ASA1
> > > >
> > > > Suppose I want to reset a telnet connection from R1 to ASA1 when the user
> > > > types show running-config, how would I do that? I tried a lot of regular
> > > > expressions but I wasn't able to do it... Mainly because when the user is
> > > > typing, it's already sending the characters to the destination, so if I do a
> > > > common regular expression the session is not reset, or I can just sneak a
> > > > way into it doing stuff like typing show r and hitting "enter", coming back
> > > > to the previous string and completing it, or even worse, I can type (space)
> > > > show runn and it will still work. Can any of you guys think of a way of doing
> > > > it?
> > > >
> > > > If it was another device I would do this with expect, because I would expect
> > > > the prompt to change and then reset the connection, but I don't think the
> > > > Cisco IPS has this function, does it?
> > > >
> > > > What do you guys think?
> > > >
> > > > Thank you very much,
> > > > Bruno.
> > > > _______________________________________________
> > > > For more information regarding industry leading CCIE Lab training, please
> > > > visit www.ipexpert.com
> > > >
> > > > Are you a CCNP or CCIE and looking for a job? Check out
> > > > www.PlatinumPlacement.com

-- 
FNK, CCIE Security#35578
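As an added illustration of the per-packet versus reassembled-stream distinction discussed in this thread (Python written for this page; it is not a Cisco IPS configuration and not code from any poster), the block below feeds a constructed character-at-a-time telnet session through two toy matchers: one that inspects each TCP segment on its own, as an atomic engine would, and one that reassembles the attacker-to-victim byte stream first, as the TCP string engine does. The regex tolerates IOS keyword abbreviations and leading whitespace; the minimum abbreviation lengths, the telnet option bytes in the sample and the session contents are assumptions, and the pattern is Python regex syntax rather than the IPS regex dialect. The second constructed session reproduces the history-recall trick Bruno mentions, to show that in that case the finished command never appears in the client-to-server bytes at all.

```python
import re
from typing import List

# --- Detection pattern -------------------------------------------------------
# IOS accepts unambiguous keyword prefixes, so "sh run", "sho runn" and
# "show running-config" all work. abbrev() builds a regex fragment matching
# every prefix of `word` that is at least `minlen` bytes long, e.g.
# abbrev(b"show", 2) -> b"sh(?:o(?:w)?)?". The minimum lengths used below are
# an assumption for this illustration, not taken from the IOS parser.
def abbrev(word: bytes, minlen: int) -> bytes:
    head, tail = word[:minlen], word[minlen:]
    opened = b"".join(b"(?:" + re.escape(bytes([c])) for c in tail)
    return re.escape(head) + opened + b")?" * len(tail)

# One command line: optional leading whitespace (the "(space)show runn" case),
# show-prefix, whitespace, running-config-prefix, end of line (telnet CR LF).
SHOW_RUN = re.compile(
    rb"(?m)^\s*" + abbrev(b"show", 2) + rb"\s+" + abbrev(b"running-config", 3)
    + rb"[ \t]*\r?$"
)

# --- Telnet framing ----------------------------------------------------------
IAC, SB, SE = 0xFF, 0xFA, 0xF0
NEGOTIATE = {0xFB, 0xFC, 0xFD, 0xFE}   # WILL, WONT, DO, DONT + one option byte

def strip_telnet(data: bytes) -> bytes:
    """Drop telnet option negotiation so only typed bytes reach the regex."""
    out, i = bytearray(), 0
    while i < len(data):
        if data[i] != IAC:
            out.append(data[i]); i += 1
        elif i + 1 < len(data) and data[i + 1] == IAC:      # escaped literal 0xFF
            out.append(IAC); i += 2
        elif i + 1 < len(data) and data[i + 1] in NEGOTIATE:
            i += 3
        elif i + 1 < len(data) and data[i + 1] == SB:       # sub-negotiation up to IAC SE
            end = data.find(bytes([IAC, SE]), i + 2)
            i = len(data) if end < 0 else end + 2
        else:                                               # any other 2-byte command
            i += 2
    return bytes(out)

# --- Two inspection styles ---------------------------------------------------
def atomic_engine(segments: List[bytes]) -> bool:
    """Atomic-style: each TCP segment is matched on its own."""
    return any(SHOW_RUN.search(strip_telnet(seg)) for seg in segments)

def string_engine(segments: List[bytes]) -> bool:
    """String-TCP-style: the attacker->victim stream is reassembled first."""
    return SHOW_RUN.search(strip_telnet(b"".join(segments))) is not None

# --- Constructed attacker -> victim segments (dst port 23), not a real capture
def keystrokes(text: bytes) -> List[bytes]:
    """Character-mode telnet: one keystroke per TCP segment."""
    return [bytes([b]) for b in text]

SESSION_ABBREV = (
    [b"\xff\xfd\x18"]                    # IAC DO TERMINAL-TYPE (assumed option)
    + keystrokes(b"enable\r\n")
    + keystrokes(b"  sh runn\r\n")       # abbreviated, with leading spaces
)

# History trick: type "show r", Enter, recall the line with up-arrow
# (VT100 ESC [ A) and finish it. The client sends only the escape sequence
# plus the new characters, so the completed command never crosses the wire
# in this direction.
SESSION_HISTORY = (
    keystrokes(b"show r\r\n")
    + [b"\x1b[A"]
    + keystrokes(b"unning-config\r\n")
)

if __name__ == "__main__":
    for name, segs in (("abbreviated", SESSION_ABBREV), ("history recall", SESSION_HISTORY)):
        print(f"{name:15} atomic={atomic_engine(segs)} string={string_engine(segs)}")
```

Running it shows the abbreviated, character-per-character session is missed by the per-segment matcher and caught once the stream is reassembled, while the history-recall session is missed by both, because the bytes that make up the full command are never contiguous on the client-to-server side; that is the gap an expect-style check on the device prompt would close and a wire regex in this direction cannot.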
