IDS 4.0 Custom signature - catching a URL

Answered Question
Jun 11th, 2003

Hi,

Can anybody help me with what I thought was a simple task, but it happened to be a little more than that? I want to see an alarm when somebody is trying to browse the following URL: http://www.vasco.si/oddaljeno_delo.htm. Thanks.

Correct Answer
mcerha Wed, 06/11/2003 - 05:12

This will require a two-step process. First, create a custom signature looking for the URI in question. For 3.x sensors, use the STATE.HTTP engine. For 4.0 sensors, use the SERVICE.HTTP engine. You'll fill in the UriRegex with '/oddaljeno_delo.htm'. This may be all you need. However, if you want to be exact, you'll need to create an alarm filter to only match on the IP address for the website in question. Please consult the IDS documentation for information on how to do this step.

efink Wed, 06/11/2003 - 06:32
Thanks. It solved my problem. I tried with the whole URL and it didn't work, now with only the last couple of letters it works just fine.
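
An added example, not part of either post and not the sensor's own matching code: a Python model of why a pattern containing the whole URL never fired while the path-only one did. A browser connecting directly to the server sends only the path in the request line and the host name in a separate Host header, so the example matches on the request URI and then applies the second step, the filter on the server address. The address 192.0.2.10, the sample requests and the function names are constructed for illustration.

```python
import re

# Constructed sample traffic: (destination IP, raw HTTP request). The IPs are
# documentation addresses (RFC 5737), not the real address of the site.
SITE_IP = "192.0.2.10"  # assumed placeholder for the web server's address
SAMPLES = [
    (SITE_IP, b"GET /oddaljeno_delo.htm HTTP/1.0\r\nHost: www.vasco.si\r\n\r\n"),
    ("198.51.100.7", b"GET /oddaljeno_delo.htm HTTP/1.0\r\nHost: other.example\r\n\r\n"),
    (SITE_IP, b"GET /index.htm HTTP/1.0\r\nHost: www.vasco.si\r\n\r\n"),
]

FULL_URL = re.compile(rb"http://www\.vasco\.si/oddaljeno_delo\.htm")
URI_ONLY = re.compile(rb"/oddaljeno_delo\.htm")  # dot escaped to match literally


def request_uri(raw):
    """Return the request-URI from the request line, or None if malformed."""
    line = raw.split(b"\r\n", 1)[0].split(b" ")
    return line[1] if len(line) == 3 else None


def alarms(pattern, only_dst=None):
    """Indexes of samples whose URI matches, optionally filtered by dest IP."""
    hits = []
    for i, (dst, raw) in enumerate(SAMPLES):
        uri = request_uri(raw)
        if uri is None or not pattern.search(uri):
            continue
        if only_dst is not None and dst != only_dst:
            continue  # step two: the alarm filter on the server address
        hits.append(i)
    return hits


if __name__ == "__main__":
    print("full URL regex:", alarms(FULL_URL))
    print("URI regex:", alarms(URI_ONLY))
    print("URI regex + IP filter:", alarms(URI_ONLY, SITE_IP))
```

Without the address filter the path-only pattern also fires on the same file name served by an unrelated host, which is the false positive the second step removes.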
