IDS 4215 http custom signature

balien
Level 1

Hello,

I am trying to build a custom signature that matches an HTTP header or body containing a certain regular expression. Any ideas how to do that? I tried the Web Server signature, but there I can only match the HTTP header.

6 Replies

a.arndt
Level 3

Try this:

1) Login to the sensor via IDM with an admin privileged account

2) Select “Configuration -> Sensing Engine -> Signature Wizard”

3) Select “Start the Wizard”

4) Select the “Web Server Signature” option

5) Set your SigID, Sig Name, Alert and User Notes as appropriate and click “Next”

6) Adjust the service ports (if necessary) and click “Next”

7) Given the intentions of your signature, leave the “Web Server Buffer Overflow Checks” fields empty and click “Next”

8) Put your regex into the “HTTP Request Regular Expression” because it will match the text within the entire HTTP request. Click “Next”

9) Set your alerting preferences (severity, etc.) and click “Next”

10) Adjust your alerting behaviour if you want (Click “Advanced”), or accept the defaults by clicking “Next”

11) Click on “Create” to generate the signature

I hope this helps,

Alex Arndt

This would take care of the search in the request header. For the body search I would consider the string.tcp engine with port 80 as the service port.

You're right Madhu. I guess I had a brain fart.

BTW, couldn't you make it even better by substituting the $WEBPORTS variable for port 80 in the sig?

Alex Arndt

Yes, that would make it consistent with the other service-http signatures, unless you are not interested in ports other than 80.

Can I do this with only one signature? Will string.tcp fire on an HTTP header match?

It should, yes.

The only concern is that if your regex is fairly long, it may actually appear in more than one packet. The good news is that the 'string.tcp' engine will collect and analyse a stream of TCP packets, ensuring that the regex will still be detected.

I hope this helps,

Alex Arndt
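The packet-versus-stream point in the reply above, as an added Python illustration that is not part of this thread and not Cisco's engine code: a regex that straddles two TCP segments is missed by per-packet matching but found once the segments are reassembled, and the hit is then classified as header or body. The HTTP request, the segment split points and the regex are all constructed for the example.

```python
import re

# Regex as it would be typed into the signature's regex field (constructed example)
SIGNATURE_REGEX = re.compile(rb"BEGIN[ _]CLASSIFIED")

# Constructed sample traffic: one HTTP POST whose body carries the text to detect.
# Content-Length is the byte length of the body line below.
REQUEST = (
    b"POST /report HTTP/1.1\r\n"
    b"Host: www.example.test\r\n"
    b"Content-Length: 39\r\n"
    b"\r\n"
    b"text=quarterly+BEGIN CLASSIFIED+summary"
)

# Split into TCP segments as (relative seq, payload). The cut at byte 90 falls
# between "BEGIN " and "CLASSIFIED", so no single segment holds the pattern.
CUTS = [0, 40, 90, len(REQUEST)]
SEGMENTS = [(CUTS[i], REQUEST[CUTS[i]:CUTS[i + 1]]) for i in range(len(CUTS) - 1)]


def per_packet_hits(segments, pattern=SIGNATURE_REGEX):
    """Inspect each segment on its own, as a packet-only engine would."""
    return [seq for seq, payload in segments if pattern.search(payload)]


def reassemble(segments):
    """Order segments by seq and rebuild the contiguous stream; a gap is an error."""
    stream = bytearray()
    for seq, payload in sorted(segments):
        if seq != len(stream):
            raise ValueError(f"gap at seq {len(stream)}, next segment starts at {seq}")
        stream += payload
    return bytes(stream)


def stream_hit(segments, pattern=SIGNATURE_REGEX):
    """Match over the reassembled stream; return (section, offset) or None,
    where section says whether the hit lies in the HTTP header or the body."""
    stream = reassemble(segments)
    m = pattern.search(stream)
    if m is None:
        return None
    header_end = stream.find(b"\r\n\r\n")
    section = "header" if header_end == -1 or m.start() < header_end else "body"
    return section, m.start()


if __name__ == "__main__":
    print("per-packet:", per_packet_hits(SEGMENTS))           # []
    print("stream:", stream_hit(list(reversed(SEGMENTS))))   # ('body', 84)
```

Segments are handed in out of order in the last call to show that reassembly, not arrival order, is what makes the match possible.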
