IPS regex for a certificate name

Jun 10th, 2007


Using the 4260-IPS I'd like to create a signature using regex that can fire on a specific certificate name. In a sniffer trace I can see the entry as "Name=Grac". I tried using the following regex but it didn't work.



Rodrigo Gurriti Sun, 06/10/2007 - 08:11


Configuration > Signature Definition > Custom Signature Wizard, then

Choose TCP as the protocol to inspect >

Click the Single TCP Connection radio button >

Select Other as the service type >

Enter signature parameters >

Select your event action

In the Regex String field enter


enter 80 in the Service Ports field

and you should use from service

Or you can clone a tcp string from any other signatures and change the fields

rickellis Sun, 06/10/2007 - 12:50

Thanks rodrigogurrit. I tried this but it does not work. I should clarify that I am trying to fire on SSL (port 443) in this case. I adjusted the service port from 80 to 443 but kept everything else the same. What I'm trying to do is fire on the SSL certificate name, which I can see in a trace.


Rodrigo Gurriti Sun, 06/10/2007 - 18:03

Hmm, it's a good question, because 443 is encrypted and the IPS cannot see what is going on.


mhellman Mon, 06/11/2007 - 06:16

Get rid of the backslash; the equal sign is not a metacharacter that needs escaping. What engine are you using?

I'm guessing you're talking about server certs? I would suggest the "string tcp" engine, and make sure you are using the direction "from service".

