Cisco Support Community

New Member

False negative for bearshare (11004)

In the IPS there is a signature for bearshare (11004).

I have downloaded the latest version of bearshare, version 6.0, and tested it against the IPS. It seems that the writers of the software have changed their approach, as the IPS is unable to detect the file download.

Is there someone from Cisco on this list that would be able to work with me to develop a new signature?

2 REPLIES
New Member

Re: False negative for bearshare (11004)

I would like to stop the "bearshare login" from happening.

I have captured a packet of data and the packet contains

Hypertext Transfer Protocol

POST /registration/account.php?function=login HTTP/1.1\r\n

Request Method: POST

Request URI: /registration/account.php?function=login

Request Version: HTTP/1.1

1. How will the custom signature and the regex look in order to alert and deny the following string?

2. Must I use the string.http engine?

Gold

Re: False negative for bearshare (11004)

1. Take a look at 3101-1 for a simple URL-based example. You might even clone it to start your new sig. What you captured above does not include the full URL or the actual POST'ed data, though. You might be able to tighten up the signature based on that data.

2. Did you have another engine in mind? This engine lets you perform regex matches on specific parts of an HTTP request, so it seems like the best choice.

Does your outbound web traffic go through a proxy and do you do any outbound URL filtering? That is typically the best way to block HTTP traffic.
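An added example, not part of the thread and not Cisco's signature: a way to check a candidate URI regex offline against the captured request line and some look-alike requests before putting it in a custom signature. It assumes the sensor's regex dialect accepts bracket classes and backslash-escaped literals and that the pattern is applied to the path plus query string; the function names and all sample lines except the first are constructed.

```python
import re

SPECIALS = set(".?*+|()[]{}^$\\")

def case_insensitive_pattern(literal):
    """Build a regex matching `literal` in any letter case, using only
    bracket classes and backslash escapes (no inline flags)."""
    parts = []
    for ch in literal:
        if ch.isalpha():
            parts.append("[" + ch.upper() + ch.lower() + "]")
        elif ch in SPECIALS:
            parts.append("\\" + ch)   # keep '.' and '?' literal
        else:
            parts.append(ch)
    return "".join(parts)

def request_target(request_line):
    """Return the request target (path plus query string) of a request line."""
    _method, target, _version = request_line.split(" ", 2)
    return target

# URI taken from the capture in the thread.
PATTERN = case_insensitive_pattern("/registration/account.php?function=login")

# Constructed samples: (request line, should the signature fire?).
# Only the first line comes from the thread's capture.
SAMPLES = [
    ("POST /registration/account.php?function=login HTTP/1.1", True),
    ("POST /Registration/Account.PHP?function=LOGIN HTTP/1.1", True),   # case variation
    ("GET /registration/account.php?function=login HTTP/1.1", True),    # method is not matched
    ("POST /registration/account.php?function=logout HTTP/1.1", False),
    ("POST /registration/account_php?function=login HTTP/1.1", False),  # '.' must stay literal
    ("GET /index.html HTTP/1.1", False),
]

def evaluate(pattern, samples):
    """Return (line, expected, fired) for each sample request line."""
    rx = re.compile(pattern)
    return [(line, expected, bool(rx.search(request_target(line))))
            for line, expected in samples]

if __name__ == "__main__":
    print(PATTERN)
    for line, expected, fired in evaluate(PATTERN, SAMPLES):
        print("OK  " if fired == expected else "FAIL", fired, line)
```

The pattern is unanchored, so a target that merely contains the login URI also matches; capturing the full URL and POST body, as the reply suggests, gives more to anchor on.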
