No need for multi-string IMO; string TCP is working fine with this type of scenario, it has been tested many times.

A.


On 8/19/2012 9:34 AM, Fawad Khan wrote:
I suggest using a multi-string signature for this request, or a meta signature. I don't have access to an IPS, else I'd post the config.

On Saturday, August 18, 2012, Alexei Monastyrnyi wrote:

    Yeah, the reason I was asking for a config is that I could not
    understand what type of engine Bruno was using.

    Bruno,
    you should be fine with TCP string engine catching that line. TCP
    string engine would try to match it across several IP packets.
    This is the major difference between atomic engines and
    string-like engines. In atomic one the string you match has to be
    in a single IP packet.

    Now, things which I can see going wrong are:
    - you are not using the TCP string engine
    - your regex is lame
    - you are trying to match traffic going in the wrong direction. You
    should match in the direction from attacker to victim.
    - accordingly, the TCP port should be 23 TO the service

    Let us know how you go.

    HTH
    A.

    On 8/19/2012 8:45 AM, Mike Rojas wrote:
    I think this one depends so much on how the command is placed,

    mainly because you can do sh run, show running-config, sh runn,
    etc. Now, I have seen that some types of telnet clients send
    character by character, making it difficult for the IPS
    to catch the string.

    My advice here: get an IP log, open it with Wireshark, see
    how the string is being sent and then create the string TCP
    signature.

    Mike.

    ------------------------------------------------------------------------
    Date: Sun, 19 Aug 2012 08:16:20 +1000
    From: [email protected]
    To: [email protected]
    CC: [email protected]
    Subject: Re: [OSL | CCIE_Security] IPS Question

    could you post your signature config in text?

    On 8/18/2012 4:12 PM, Bruno Silva wrote:

        Hi Guys,

        I was studying some IPS functions and I came across the regex session, which is no news to me, but I was wondering if I had the following scenario:

        R1 ------ IPS ------ASA1

        Suppose I want to reset a telnet connection from R1 to ASA1 when the user types show running-config. How would I do that? I tried a lot of regular expressions but I wasn't able to do it... Mainly because when the user is typing, it's already sending the characters to the destination, so if I do a common regular expression the session is not reset, or I can just sneak a way into it by doing stuff like typing show r and hitting "enter", coming back to the previous string and completing it, or even worse, I can type (space) show runn and it will still work. Can any of you guys think of a way of doing it?

        If it was another device I would do this with expect, because I would expect the prompt to change and then reset the connection, but I don't think the Cisco IPS has this function, does it?

        What do you guys think?

        Thank you very much,
        Bruno.
        _______________________________________________
        For more information regarding industry leading CCIE Lab training, please visit www.ipexpert.com

        Are you a CCNP or CCIE and looking for a job? Check out www.PlatinumPlacement.com






--
FNK, CCIE Security#35578

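The thread makes three points that are easy to state and hard to get right in a signature: the command arrives one keystroke per TCP segment (so only a stream-reassembling engine can see it), IOS accepts abbreviations and leading blanks, and the typist can edit the line (backspace, recall the previous command) so the bytes on the wire are not the command the router executes. The script below is an added example, not code from any participant or from a Cisco IPS; it is a Python model of what a TCP string engine has to do before the regex is applied. It reassembles a constructed keystroke stream, replays the line editing the router would apply (the set of edit keys modeled, IAC handling, and the minimum abbreviation lengths "sh" / "run" are assumptions of the example, not verified IOS behaviour), and then matches each executed command against a prefix-tolerant regex. It also shows that packet-by-packet matching of the same session yields nothing, which is Alexei's atomic-versus-string point.

```python
import re

IAC = 0xFF                     # telnet "Interpret As Command"
UP_ARROW = b"\x1b[A"           # VT100 cursor-up; IOS recalls the previous command
CTRL_P, CTRL_U = 0x10, 0x15    # IOS: previous command / erase whole line


def prefix_pattern(word, min_len):
    """Regex alternation matching every prefix of `word` of at least min_len
    characters, longest first. IOS accepts any unambiguous prefix of a keyword,
    which is why 'show running-config' must also match 'sh run' or 'sho runn'."""
    alts = [re.escape(word[:n]) for n in range(len(word), min_len - 1, -1)]
    return "(?:" + "|".join(alts) + ")"


# Minimum abbreviation lengths (2 for "sh", 3 for "run") are assumptions for
# this example; verify them against the platform you are protecting.
SHOW_RUN_RE = re.compile(
    r"^\s*" + prefix_pattern("show", 2) + r"\s+"
    + prefix_pattern("running-config", 3) + r"(?=\s|$)",
    re.IGNORECASE,
)


def reassemble(segments):
    """Join consecutive TCP segment payloads into one byte stream: what a TCP
    string engine does before matching. An atomic engine sees one packet."""
    return b"".join(segments)


def edited_lines(stream):
    """Replay the stream through the line editing the router applies before
    its parser sees a command and return the commands actually executed.
    Modeled here (assumptions, not a full telnet/IOS implementation): IAC
    option negotiation is skipped, BS/DEL erase one character, Ctrl-U erases
    the line, up-arrow or Ctrl-P recalls the previous command, CR ends it."""
    lines, cur, i = [], [], 0
    while i < len(stream):
        b = stream[i]
        if b == IAC:
            # IAC WILL/WONT/DO/DONT <option> is 3 bytes; other IAC commands 2
            i += 3 if i + 1 < len(stream) and 0xFB <= stream[i + 1] <= 0xFE else 2
            continue
        if stream.startswith(UP_ARROW, i) or b == CTRL_P:
            cur = list(lines[-1].encode()) if lines else []
            i += len(UP_ARROW) if b == 0x1B else 1
            continue
        if b in (0x08, 0x7F):          # backspace / DEL
            if cur:
                cur.pop()
        elif b == CTRL_U:
            cur = []
        elif b == 0x0D:                # CR: command submitted
            lines.append(bytes(cur).decode("ascii", "replace"))
            cur = []
        elif 0x20 <= b < 0x7F:         # printable keystroke
            cur.append(b)
        # LF, NUL and other control bytes are ignored
        i += 1
    return lines


def detect_show_run(segments):
    """Commands in the session that the signature should fire on."""
    return [ln for ln in edited_lines(reassemble(segments)) if SHOW_RUN_RE.search(ln)]


def atomic_hits(segments):
    """Packet-by-packet matching: how many single segments contain the whole
    command. With one keystroke per segment this is always zero."""
    return sum(1 for s in segments if SHOW_RUN_RE.search(s.decode("ascii", "replace")))


def keystrokes(*parts):
    """Constructed sample session (not captured traffic), split into one-byte
    TCP segments the way some telnet clients send it."""
    return [bytes([b]) for b in b"".join(parts)]


SESSION = keystrokes(
    b"\xff\xfb\x18",                  # IAC WILL TERMINAL-TYPE: negotiation, not a command
    b"show r\r\n",                    # incomplete command; the router rejects it
    UP_ARROW + b"un\r\n",             # up-arrow recalls "show r", user appends "un"
    b"  sho runn | inc host\r\n",     # leading blanks and abbreviations
    b"show versionx\x7f\r\n",         # DEL fixes a typo; not a show run
    b"show rn\x08un\r\n",             # backspace editing that still ends in "show run"
)

if __name__ == "__main__":
    print("executed:", edited_lines(reassemble(SESSION)))
    print("hits:", detect_show_run(SESSION))
    print("per-packet hits:", atomic_hits(SESSION))
```

Run against the constructed session, three of the five executed commands are show-run variants, including the one assembled from a recalled "show r" and the one fixed up with backspaces, while matching each one-byte segment on its own finds nothing. This is also why Mike's advice to look at the real keystroke bytes in Wireshark matters: the edit keys and escape sequences your client actually emits decide what the engine must tolerate, and the capture should be taken in the client-to-server direction (destination port 23), as Alexei notes.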
