06-01-2007 04:16 PM - edited 03-10-2019 03:38 AM
I need to make the Cisco IPS search for the string eb%03%59%eb%05%e8%f8%ff%ff%ff%49%49%49 inside any *.html
I tried service http (Request Regex) and AIC http (Msg Body Pattern) but no luck
Thank you
06-04-2007 05:33 AM
Using IDM
Configuration > Signature Definition > Custom Signature Wizard then
Choose TCP as the protocol to inspect >
Click the Single TCP Connection radio button >
Select Other as the service type >
Enter signature parameters >
Select your event action
In the Regex String field enter eb%03%59%eb%05%e8%f8%ff%ff%ff%49%49%49
Enter 80 in the Service Ports field
M.
06-04-2007 06:49 PM
Thanks M,
I'd also tried the string too, but I really found what was causing the problem.
My web browser (SeaMonkey) was not really reloading when I was testing the signature; it was only checking the file online and comparing it to the cached one to see if it was outdated, and since it wasn't, the browser never really reloaded the web page.
So what I had was:
- It triggered an event the first time that you try (with a clean cache)
- It would not trigger again unless I cleaned the cache.
- On Internet Explorer it would trigger sometimes if I did the reload, but not always.
So what I did was I put the TCP string to capture FTP, and by doing that the signature always triggered at the right time. Then I ran Ethereal and I figured out the trick on the web browser.
One more time, thank you
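The caching behaviour described in the last reply, as an added example that is not part of the original thread: a loopback HTTP server and client show that a cache revalidation request gets a 304 response with no body, so the string never crosses the wire for the sensor to match. The handler, test page, timestamp and request headers are constructed for the demonstration.

```python
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

PATTERN = b"eb%03%59%eb%05%e8%f8%ff%ff%ff%49%49%49"   # string from the thread
BODY = b"<html><body>" + PATTERN + b"</body></html>"  # constructed test page
LAST_MOD = "Mon, 04 Jun 2007 00:00:00 GMT"            # constructed timestamp

class Handler(BaseHTTPRequestHandler):
    def log_message(self, *args):
        pass  # keep the demo output quiet

    def do_GET(self):
        # Revalidation: the client's cached copy is current, so no body is sent.
        if self.headers.get("If-Modified-Since") == LAST_MOD:
            self.send_response(304)
            self.end_headers()
            return
        self.send_response(200)
        self.send_header("Content-Type", "text/html")
        self.send_header("Content-Length", str(len(BODY)))
        self.send_header("Last-Modified", LAST_MOD)
        self.end_headers()
        self.wfile.write(BODY)

def fetch(port, headers):
    """Return (status, whether the signature string was in the response body)."""
    conn = http.client.HTTPConnection("127.0.0.1", port, timeout=5)
    conn.request("GET", "/test.html", headers=headers)
    resp = conn.getresponse()
    body = resp.read()
    conn.close()
    return resp.status, PATTERN in body

def run_demo():
    server = HTTPServer(("127.0.0.1", 0), Handler)  # port 0: pick a free port
    threading.Thread(target=server.serve_forever, daemon=True).start()
    port = server.server_address[1]
    try:
        return {
            "clean cache": fetch(port, {}),
            "revalidate": fetch(port, {"If-Modified-Since": LAST_MOD}),
            "forced reload": fetch(port, {"Cache-Control": "no-cache"}),
        }
    finally:
        server.shutdown()
        server.server_close()

if __name__ == "__main__":
    for case, (status, seen) in run_demo().items():
        print(f"{case:14} status={status} pattern_on_wire={seen}")
```

When testing a body-matching signature, clear the browser cache or send the request with a client that does not cache, and confirm in a packet capture that the response was a 200 with the page content.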