Network Security Focus-IDS

RE: Cisco IPS 5.1

Subject: RE: Cisco IPS 5.1
Date: Tue, 21 Nov 2006 13:20:56 -0800
Velasquez,

There are several ways to use Regex, or Regular Expressions, in a
Cisco IPS signature.  Here are the ways to use it with the service-http
engine:

1.  URI Regex:  Regular expression to search in the URI field.  The URI
field is defined as after the HTTP method (i.e. GET, POST) and before
the first CRLF.

2.  Arg Name Regex:  Regular expression to search in the HTTP arguments
field (variable names within form input, for instance).  This is defined
as after the '?' and in the entity body as defined by Content-Length.

3.  Arg Value Regex:  Regular expression to search in the HTTP arguments
field after Arg Name Regex is matched.  This is searching on the value
defined by the variable name, above.

4.  Header Regex:  Regular expression to search in the HTTP header.  The
header is defined as after the first CRLF, but before CRLFCRLF.

5.  Request Regex:  Regular expression to search in both the HTTP URI
and HTTP arguments fields.

In addition to these regex values, you can also specify maximum lengths
of URI, arguments, header, and request.

If you have specific things you're looking for, I'd be more than happy
to help you with the signature.  Additionally, our TAC is able to assist
in custom signature creation.

Gary
 

-----Original Message-----
From: listbounce@securityfocus.com [mailto:listbounce@securityfocus.com]
On Behalf Of Velasquez Venegas Jaime Omar
Sent: Tuesday, November 21, 2006 4:35 AM
To: focus-ids@securityfocus.com
Subject: Cisco IPS 5.1

I'm trying to build a customized signature on Cisco IPS 5.1 so it can
detect a specific content-type in http header.
I did my research and found that I should use an http inspection engine
built in Cisco IPS and a command called regex.
An example of this would be very helpful.

Thanks
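
The field boundaries described in the reply above, modelled in Python as an added example (not part of the original thread and not Cisco's implementation), to show why a Content-Type pattern belongs in the Header Regex and how Arg Value Regex depends on Arg Name Regex. The function names, sample requests and patterns are constructed for illustration, and Python's regex dialect stands in for the sensor's.

```python
import re

CRLF = b"\r\n"

def split_http_request(raw: bytes) -> dict:
    """Split a raw request into the regions named in the reply above."""
    head, _, body = raw.partition(CRLF + CRLF)        # header stops at CRLFCRLF
    request_line, _, header = head.partition(CRLF)    # header starts after the first CRLF
    _method, _, uri = request_line.partition(b" ")    # URI: after the method, before the first CRLF
    _path, _, query = uri.partition(b"?")             # arguments start after '?'
    query = query.rsplit(b" ", 1)[0]                  # drop the trailing " HTTP/1.x" token
    m = re.search(rb"(?im)^content-length:[ ]*(\d+)", header)
    entity = body[: int(m.group(1))] if m else b""    # entity body bounded by Content-Length
    args = b"&".join(p for p in (query, entity) if p)
    return {"uri": uri, "args": args, "header": header}

def header_match(raw: bytes, header_regex: bytes) -> bool:
    """Header Regex: searched only in the header region, never in the body."""
    return re.search(header_regex, split_http_request(raw)["header"]) is not None

def arg_match(raw: bytes, name_regex: bytes, value_regex: bytes) -> bool:
    """Arg Value Regex is evaluated only for arguments whose name matched Arg Name Regex."""
    for pair in split_http_request(raw)["args"].split(b"&"):
        name, _, value = pair.partition(b"=")
        if re.search(name_regex, name) and re.search(value_regex, value):
            return True
    return False

# Constructed pattern for the question in the thread: one specific Content-Type.
CONTENT_TYPE_REGEX = rb"[Cc]ontent-[Tt]ype:[ ]*application/octet-stream"

# Constructed sample: the Content-Type of interest is in the header.
SAMPLE = (b"POST /upload.cgi?mode=raw HTTP/1.1\r\n"
          b"Host: www.example.com\r\n"
          b"Content-Type: application/octet-stream\r\n"
          b"Content-Length: 9\r\n"
          b"\r\n"
          b"file=a.sw")

# Constructed sample: the same string appears only in the entity body.
BODY_ONLY = (b"POST /form HTTP/1.1\r\n"
             b"Host: www.example.com\r\n"
             b"Content-Type: text/plain\r\n"
             b"Content-Length: 38\r\n"
             b"\r\n"
             b"Content-Type: application/octet-stream")

if __name__ == "__main__":
    print(header_match(SAMPLE, CONTENT_TYPE_REGEX), header_match(BODY_ONLY, CONTENT_TYPE_REGEX))
```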


