Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

AIC signature engine

Can someone please explain briefly when should I use the HTTP/FTP AIC signature engine over any other type?

I ask this question because for instance the FTP commands can be looked for in either String TCP engine, Atomic TCP or FTP AIC engine, but which one is best and why?

2 REPLIES
New Member

Re: AIC signature engine

The AIC HTTP/FTP analize more specific details related whith the services that de Service FTP, Service HTTP, (and much more than atomic signature) like what kind of objects can you download or not from a web server (image, video, audio, etc) or what kind of commands are performed in a FTP connection (you can analize much more details in HTTP connection, but in FTP connection only commands analisys are allowed)

You can use AIC to analize specific things after the session was established and want to control what the user do with your web server.

Use the HTTP service to find kinds of attacks like buffer overflows, or specifics attacks in the URL request like directory traversal.

I hope this help (please rate if it does)

Alberto Giorgi from Spain.

Cisco Employee

Re: AIC signature engine

Just to add to what Alberto has already said.

One of the distinct differences is that the AIC engines have a few signatures that can not be created in any other engines. These include:

12674 Alarm on non-http traffic

12676 Request Method Not Recognized

12686 Recognized Transfer Encoding

12673 Recognized Content Type

12900 Unrecognized FTP Command

Standard signatures will look for a string and will fire the alert when the string IS seen in the connection.

BUT the above signatures work differently. Instead of firing an alert when the string is seen, these signatures instead fire alert when NONE of the strings in the signature are seen in the connection.

In the case of 12674 the sensor will fire on web port connections that do NOT look like normal web connections (does not have a URL request). Some other protocol may being run on the standard web port. The sensor will alert on this non-web traffic on a web port and deny the connection.

Under normal signatrue writing we would have to write a signature to match every other protocol and see if it is running on a web port. That would be pretty much impossible given the number of protocols. So instead we can use this one sig and fire on everything that is NOT web traffic on a web port.

The other 4 signatures are very similar.

For example with 12676 it has a list of allowed web request methods (GET, HEAD, POST, etc...) If the sensor sees a request method that is NOT in this list, then it fires the alert (and denies the connection).

This prevents unknown web request methods from entering your network.

The other signatures listed above are similar constructed for the type of data they are built to look for.

233
Views
4
Helpful
2
Replies
CreatePlease login to create content