cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
519
Views
5
Helpful
4
Replies

IPS misuse of port 80

Rodrigo Gurriti
Level 3
Level 3

what signature catches the misuse of port 80 ?

1 Accepted Solution

Accepted Solutions

hoogen_82
Level 4
Level 4

The HTTP Inspection engine feature allows users to detect and prohibit HTTP connections?such as tunneling over port 80, unauthorized request methods, and non-HTTP compliant file transfers.

This gives better idea for IOS based IPS

http://www.cisco.com/en/US/products/ps6350/products_configuration_guide_chapter09186a0080455acb.html

-Hoogen

Do rate if this post helps :)

View solution in original post

4 Replies 4

hoogen_82
Level 4
Level 4

The HTTP Inspection engine feature allows users to detect and prohibit HTTP connections?such as tunneling over port 80, unauthorized request methods, and non-HTTP compliant file transfers.

This gives better idea for IOS based IPS

http://www.cisco.com/en/US/products/ps6350/products_configuration_guide_chapter09186a0080455acb.html

-Hoogen

Do rate if this post helps :)

Well I really meant the IPS Appliances not the router IPS

I wanted to stop some p2p trafficking using a ips 4215

Hi,

I kind of tried looking around for a solution for your problem the only thing I seem to come up with is Custom signature.

I picked up something for Kazaa a p2p application. THe first thing is that you need to capture those packets using ethereal or any packet sniffer tools. Pick up a sample traffic. Look for something in the traffic sample that will identify the Kazaa application.

Signature identify key parts of the traffic which wouldn't change. For Kazaa the payload seems to have the same last 6 bytes in multiple captures.

Traffic characteristics, usually an UDP packet, Payload always ends with the same 6 bytes, payload ends in "kazaa" followed by null (ox00)

Custom Signature Settings

- Engine: ATOMIC.IP

- L4 Protocol of UDP

- Payload Regex: [Kk][Aa][Zz][Aa][Aa]\x00

Create a custom signature based on this:

In event action you could ask for a Produce Verbose alert. Specify the Layer 4 protocol. Use the Payload inspection to specify the regex.

Leave the signature turned on for atleast a week or two. And check for results.

But you have pre-defined signatures too for p2p traffic clients like

Kazaa 5534 sub sig id 0,1,&2.

Bittorent 11020,11030.

edonkey 11018.

MOst engines doing this inspection would be string.tcp or atomic.ip.

You can search your signature details in this site and then tune the signature to deny the connection inline.

http://tools.cisco.com/MySDN/Intelligence/searchSignatures.x

HTH

Hoogen

Do rate helpful posts :)

Hey man Thanks for all the help !!! I found the answer... the signature 12674 does stop non-http traffic.

But I'll keep in mind the custom atomic signatures, they are very handy .

Thanks for your help !

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: