Solved: How to make an IPS search inside of a html for a string ?

Rodrigo Gurriti · ‎06-01-2007

I need to make the cisco IPS search for the string eb%03%59%eb%05%e8%f8%ff%ff%ff%49%49%49 inside any *.html

I tried service http ( Request Regex )and AIC http (Msg Body Patten) but no luck

Thank you

m.sir · ‎06-04-2007

Using IDM

Configuration > Signature Definition > Custom Signature Wizard than

Choose TCP as the protocol to inspect >

Click the Single TCP Connection radio button >

Select Other like service type >

Enter signature parameters >

Select your event action

To Regex string filed enter eb%03%59%eb%05%e8%f8%ff%ff%ff%49%49%49

enter 80 in the Service Ports field

M.

View solution in original post

m.sir · ‎06-04-2007

Using IDM

Configuration > Signature Definition > Custom Signature Wizard than

Choose TCP as the protocol to inspect >

Click the Single TCP Connection radio button >

Select Other like service type >

Enter signature parameters >

Select your event action

To Regex string filed enter eb%03%59%eb%05%e8%f8%ff%ff%ff%49%49%49

enter 80 in the Service Ports field

M.

Rodrigo Gurriti · ‎06-04-2007

Thanks M,

I'd also tried the string too but I really found what causing the problem.

My web browser was not really reloading, when I was testing the signature, (seamonkey) it was only checking the file online and comparing to the cached one to see if it was outdated and since it wasnt the browser never really reloaded the web page.

So What I had was:

- It trigged an event the 1st time that you try (with a clean cache)

- It would not trigger again unless I cleaned the cache.

- On iexplorer it would trigger some times if I did the reload but not always.

So What I did was I put the tcp string to capture ftp and by doing that the signature always trigged on the right time. Then I ran some ethereal and I figured out the trick on the web browser.

One more time thank you