Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Focus-IDS
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: Cisco IPS 5.1

from [Sanjay R] Network Security [Permanent Link]
Subject: Re: Cisco IPS 5.1
Date: Thu, 23 Nov 2006 09:15:43 +0530 
Hi Velasquez:
if it is only the string "Content-type:application/x-msn-messenger",
that you are interested in, then why do you want to go for a regular
expression? whether it is Cisco or snort or any matching device,
regular expression are costlier than fixed string search. Therefore,
if Cisco provides a string search like Snort does, i would go for
fixed string search. In the format of Snort, you rule should look
like:
-------------
alert tcp $INTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS
(msg:"WEB-Based MSN IM Access";
flow:to_server,established;content:"Content-type:application/x-msn-messenger";nocase;reference:bugtraq,2492;
reference:cve,2006-0000; classtype:web-application-attack;
sid:Not_defined; rev:0;
---------------
I think you can always convert the above rule to your Cisco format.

thanks
-Sanjay


On 11/22/06, Velasquez Venegas Jaime Omar <jaime@ulima.edu.pe> wrote: 
Hi Gary

Thank your for your answer.The signature I'm trying to build is one that
catches the MSN messenger client on http ports.
I know there are already two signatures in Cisco IPS but they detect the
msn messenger application on tcp/1863 or through a proxy which is not my
case because altough they have been applied , on my tests my msn clients
still connect to the service through http ports so that's basically the
reason to build a customized signature to detect http sessions with the
following content in http header: Content-type:
application/x-msn-messenger\r\n which is what my wireshark capture got
on a regular msn session.

I tried the header regex setting it to catch specifically this string:
"application/x-msn-messenger" but it didn't work so there's something I
am missing.

Thank you again



-----Original Message-----
From: Gary Halleen (ghalleen) [mailto:ghalleen@cisco.com]
Sent: Martes, 21 de Noviembre de 2006 04:21 p.m.
To: Velasquez Venegas Jaime Omar; focus-ids@securityfocus.com
Subject: RE: Cisco IPS 5.1

Velasquez,

There are several ways to use Regex, or Regular Expressions, into a
Cisco IPS signature.  Here are the ways to use it with the service-http
engine:

1.  URI Regex:  Regular expression to search in the URI field.  The URI
field is defined as after the HTTP method (i.e. GET, POST) and before
the first CRLF.

2.  Arg Name Regex:  Regular expression to search in the HTTP arguments
field (variable names within form input, for instance).  This is defined
as after the '?' and in the entity body as defined by Content-Length.

3.  Arg Value Regex:  Regular expression to search in the HTTP arguments
field after Arg Name Regex is matched.  This is searching on the value
defined by the variable name, above.

4.  Header Regex:  Regular expression to search in the HTTP header.  The
header is defined as after the first CRLF, but before CRLFCRLF.

5.  Request Regex:  Regular expression to search in both the HTTP URI
and HTTP arguments fields.

In addition to these regex values, you can also specify maximum lengths
of URI, arguments, header, and request.

If you have specific things you're looking for, I'd be more than happy
to help you with the signature.  Additionally, our TAC is able to assist
in custom signature creation.

Gary


-----Original Message-----
From: listbounce@securityfocus.com [mailto:listbounce@securityfocus.com]
On Behalf Of Velasquez Venegas Jaime Omar
Sent: Tuesday, November 21, 2006 4:35 AM
To: focus-ids@securityfocus.com
Subject: Cisco IPS 5.1

I'm tryng to build a  customized signature on Cisco IPS 5.1 so it can
detect an specific content-type in http header.
I did my research and found that i should use an http inspection engine
built in Cisco IPS and a command called regex.
An example of this would be very helpful.

Thanks



------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it with real-world attacks from
CORE IMPACT.
Go to
http://www.coresecurity.com/index.php5?module=Form&action=impact&campaig
n=intro_sfw
to learn more.
------------------------------------------------------------------------



------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it
with real-world attacks from CORE IMPACT.
Go to 
http://www.coresecurity.com/index.php5?module=Form&action=impact&campaign=intro_sfw
to learn more.
------------------------------------------------------------------------




--
PhD
Intoto Softwares, Hyderabad, India

------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it with real-world attacks from CORE IMPACT.
Go to http://www.coresecurity.com/index.php5?module=Form&action=impact&campaign=intro_sfw to learn more.
------------------------------------------------------------------------

[More messages with this same subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Re: Fuzzy AI IDS, Stefano Zanero
Next by Date:  Free tool for signature developers, Gary Golomb
Previous by Thread:  RE: Cisco IPS 5.1, Velasquez Venegas Jaime Omar
Next by Thread:  Fuzzy AI IDS, Branislav Gacesa
Indexes:  [Date] [Thread] [Top] [All Lists]