IDS 4215 http custom signature

Unanswered Question
Mar 29th, 2005


I am trying to build a custom signature that matches an HTTP header or body containing a certain regular expression. Any ideas how to do that? I tried the Web Server signature, but there I can only match the HTTP header.

a.arndt Wed, 03/30/2005 - 04:25

Try this:

1) Login to the sensor via IDM with an admin privileged account

2) Select “Configuration -> Sensing Engine -> Signature Wizard”

3) Select “Start the Wizard”

4) Select the “Web Server Signature” option

5) Set your SigID, Sig Name, Alert and User Notes as appropriate and click “Next”

6) Adjust the service ports (if necessary) and click “Next”

7) Given the intentions of your signature, leave the “Web Server Buffer Overflow Checks” fields empty and click “Next”

8) Put your regex into the “HTTP Request Regular Expression” because it will match the text within the entire HTTP request. Click “Next”

9) Set your alerting preferences (severity, etc.) and click “Next”

10) Adjust your alerting behaviour if you want (Click “Advanced”), or accept the defaults by clicking “Next”

11) Click on “Create” to generate the signature

I hope this helps,

Alex Arndt

mkodali Wed, 03/30/2005 - 07:35

This would take care of the search in request header. For body search I would consider string.tcp engine with port 80 as service port.

a.arndt Wed, 03/30/2005 - 08:36

You're right Madhu. I guess I had a brain fart.

BTW, couldn't you make it even better by substituting the $WEBPORTS variable for port 80 in the sig?

Alex Arndt

mkodali Wed, 03/30/2005 - 08:47

Yes, that would make it consistent with other service HTTP signatures, unless you are not interested in ports other than 80.

balien Thu, 03/31/2005 - 00:36

Can I do this with only one signature? Will string.tcp fire on an HTTP header match?

a.arndt Thu, 03/31/2005 - 04:33

It should, yes.

The only concern is that if your regex is fairly long, it may actually appear in more than one packet. The good news is that the 'string.tcp' engine will collect and analyse a stream of TCP packets, ensuring that the regex will still be detected.

I hope this helps,

Alex Arndt
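The two points raised in this thread (a header-only check never sees a pattern that lives in the request body, and a regex that straddles a packet boundary is only caught when the TCP stream is reassembled, which is what string.tcp does) can be illustrated with a small model. This is an added example, not code from the original thread or from Cisco's sensor engine: the sample request, the regex `suspicious_tag`, the cut point and the function names are all constructed for illustration and do not reproduce how the IDS 4215 actually implements these engines.

```python
import re
from typing import List, Tuple

# Constructed sample HTTP request (not taken from the thread): the string we
# want the custom signature to catch lives in the POST body, not the headers.
SAMPLE_REQUEST = (
    b"POST /upload.php HTTP/1.1\r\n"
    b"Host: www.example.test\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"Content-Length: 28\r\n"
    b"\r\n"
    b"name=test&cmd=suspicious_tag"
)

# Hypothetical signature regex, standing in for whatever the poster wants to match.
SIGNATURE_REGEX = re.compile(rb"suspicious_tag")


def split_request(request: bytes) -> Tuple[bytes, bytes]:
    """Split a raw HTTP request into (headers, body) at the first blank line."""
    head, sep, body = request.partition(b"\r\n\r\n")
    return head + sep, body


def header_only_match(request: bytes, regex: re.Pattern) -> bool:
    """Model of a header-only check: only the request line and headers are
    inspected, so a pattern that appears only in the body is never seen."""
    headers, _ = split_request(request)
    return regex.search(headers) is not None


def segment_stream(data: bytes, cut_points: List[int]) -> List[bytes]:
    """Cut one TCP payload stream into packet-sized pieces at the given byte offsets."""
    segments, start = [], 0
    for cut in sorted(cut_points):
        segments.append(data[start:cut])
        start = cut
    segments.append(data[start:])
    return segments


def per_packet_match(segments: List[bytes], regex: re.Pattern) -> bool:
    """Match each packet payload on its own; a pattern split across two packets is missed."""
    return any(regex.search(seg) for seg in segments)


def stream_match(segments: List[bytes], regex: re.Pattern) -> bool:
    """Reassemble the TCP stream first, then match, so the pattern is found
    no matter how the sender segmented it (the string.tcp behaviour described above)."""
    return regex.search(b"".join(segments)) is not None


def demo() -> dict:
    """Run the three models over the constructed request and return the outcomes."""
    # Cut the stream in the middle of the pattern so it straddles two packets.
    split_inside_pattern = SAMPLE_REQUEST.index(b"suspicious_tag") + 5
    segments = segment_stream(SAMPLE_REQUEST, [split_inside_pattern])
    return {
        "header_only": header_only_match(SAMPLE_REQUEST, SIGNATURE_REGEX),
        "per_packet": per_packet_match(segments, SIGNATURE_REGEX),
        "reassembled_stream": stream_match(segments, SIGNATURE_REGEX),
    }


if __name__ == "__main__":
    for check, fired in demo().items():
        print(f"{check:20s} -> {'fires' if fired else 'no alert'}")
```

Only the reassembled-stream check fires on the constructed request: the header-only model never looks at the body, and the per-packet model is defeated by the cut inside the pattern. When testing a real string.tcp signature, send the pattern both within one segment and deliberately split across two, so that the alert you see reflects stream reassembly rather than luck in how the client segmented the request.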

