I have the IDS appliance, but it should be doable. I've tried various engines and I'm not making any progress with my testing though. I'm looking to duplicate the following snort rule, can a Cisco sig analyst help us out here?:
I don't remember how I tested and why it wan't working, but it should be pretty easily actually using the service HTTP engine. I would focus on using the content-type header in the response (versus looking at the GET request). Clone 5343-0. Change the regex to something like this:
FWIW, there are many more content-types that are "executable", but that's a big one. You'd need a rule for each content type. And of course this won't work for HTTPS or pure FTP downloads. For a start on some others, try here:
This engine only inspects traffic going FROM a client TO a webserver. An uri regex of [.][eE][xX][eE]\x20 should do just fine to keep clients from requesting a file like that.
b) engine string-tcp
inspect traffic coming FROM #WEBPORTS
Just the like the snort rule a [\r\n][\r\n][\r\n][\r\n]MZ should do. If you watch the download of an .exe in Wireshark, you'll see the 2 \r\n followed by the first bytes of the exe, which in Windows usually starts with 'MZ'. Btw, since it's the same signature bytes for .dlls, this regex would also block the download of .dll files
Thank you very much. I imagine option A will work just fine but I'll have to look into these and see which option will be better for us. This will mainly be used to block malware from downloading executables but will also help stop the occasional user download.
doh! I think I knew that at one time. That's really unfortunate, but that would probably explain why my tests didn't work back then. Use a GET request is not particularly useful. The content-type is what is primarily used by the browser to determine how the file is treated and there may not be a filename at all in the GET line (i.e. ?getfile=1 can return a file). go with option 2.
DocumentationCode download linksGoalRequirementLimitationsSupported ISR
and UCS-E ModelSupported ISRG2 and UCS-E Blades:Supported ISR4K and
UCS-E Blades:Step by Step ConfigurationConfigure one of the connectivity
options to access the Cisco IMC from the n...
Firepower Threat Defense (NGFWv) on UCS E-series - Transparent Mode in
HA DocumentationCode download linksGoalRequirementLimitationsSupported
ISR and UCS-E ModelSupported ISRG2 and UCS-E Blades:Supported ISR4K and
UCS-E Blades:Step by Step ConfigurationCo...
Question I am currently unable to specify "crypto keyring" command when
configuring VPN connection on my cisco 2901 router. The following
licenses have been activated on my router :