Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements
Step-by-Step Configuration and Troubleshooting Best Practices for the NGFW, NGIPS and AMP Technologies A Visual Guide to the Cisco Firepower Threat Defense (FTD)
New Member

Customized SERVICE HTTP signatures

Starting this thread to gather inputs on creating custom HTTP signatures to detect specific URL sites. Has anyone used the regex in IPS 5.x to specify certain web URL to log or deny ?

Ex: Signature that can detect, log or block www.yahoo.com

1 REPLY
New Member

Re: Customized SERVICE HTTP signatures

Here is one example, please share others:

the URI is the stuff after the URL:

Example:

www.cisco.com/index.cgi?name=billy

The URI is: /index.cgi?name=bily

The host field in http header is:

www.cisco.com

So look for [Ww][Ww][Ww][.][Cc][Ii][Ss][Cc][Oo][.][Cc][Oo][Mm] in the header section and if you know the rest of the URL you can append that section in the URI:

[\x2f\x5c][Ii][Nn][Dd][Ee][Xx][.][Cc][Gg][Ii]

142
Views
0
Helpful
1
Replies
CreatePlease to create content