Cisco Support Community
New Member

IDS 4215 http custom signature

Hello,

I am trying to build a custom signature that matches an HTTP header or body containing a certain regular expression. Any ideas how to do that? I tried the Web Server signature, but there I can only match the HTTP header.

6 REPLIES
Bronze

Re: IDS 4215 http custom signature

Try this:

1) Login to the sensor via IDM with an admin privileged account

2) Select “Configuration -> Sensing Engine -> Signature Wizard”

3) Select “Start the Wizard”

4) Select the “Web Server Signature” option

5) Set your SigID, Sig Name, Alert and User Notes as appropriate and click “Next”

6) Adjust the service ports (if necessary) and click “Next”

7) Given the intentions of your signature, leave the “Web Server Buffer Overflow Checks” fields empty and click “Next”

8) Put your regex into the “HTTP Request Regular Expression” because it will match the text within the entire HTTP request. Click “Next”

9) Set your alerting preferences (severity, etc.) and click “Next”

10) Adjust your alerting behaviour if you want (Click “Advanced”), or accept the defaults by clicking “Next”

11) Click on “Create” to generate the signature

I hope this helps,

Alex Arndt

Cisco Employee

Re: IDS 4215 http custom signature

This would take care of the search in the request header. For a body search I would consider the string.tcp engine with port 80 as the service port.

Bronze

Re: IDS 4215 http custom signature

You're right Madhu. I guess I had a brain fart.

BTW, couldn't you make it even better by substituting the $WEBPORTS variable for port 80 in the sig?

Alex Arndt

Cisco Employee

Re: IDS 4215 http custom signature

Yes, that would make it consistent with other service http signatures unless you are not interested in ports other than 80.

New Member

Re: IDS 4215 http custom signature

Can I do this with only one signature? Will string.tcp fire on an HTTP header match?

Bronze

Re: IDS 4215 http custom signature

It should, yes.

The only concern is that if your regex is fairly long, it may actually appear in more than one packet. The good news is that the 'string.tcp' engine will collect and analyse a stream of TCP packets, ensuring that the regex will still be detected.

I hope this helps,

Alex Arndt
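
The point made in the last reply, that a pattern split across packets is only found when the TCP stream is examined as a whole, shown as an added Python example (not part of the thread and not the sensor's own code). It is a simplified model that also covers out-of-order and retransmitted segments; the request, host name, parameter values and function names are constructed for illustration.

```python
import re

def segment(data, cuts):
    """Split data at byte offsets `cuts` into (relative_seq, payload) pairs."""
    bounds = [0, *cuts, len(data)]
    return [(a, data[a:b]) for a, b in zip(bounds, bounds[1:])]

def per_packet_match(segments, pattern):
    """Inspect each segment in isolation (no stream reassembly)."""
    return any(pattern.search(payload) for _, payload in segments)

def reassemble(segments):
    """Rebuild the byte stream: order by sequence number, skip bytes that
    were already seen (retransmits), stop at the first gap."""
    stream = bytearray()
    for seq, payload in sorted(segments):
        if seq > len(stream):
            break  # missing data; nothing after the gap can be placed yet
        stream += payload[len(stream) - seq:]
    return bytes(stream)

def stream_match(segments, pattern):
    """Match over the reassembled stream; return 'header', 'body' or None."""
    stream = reassemble(segments)
    m = pattern.search(stream)
    if m is None:
        return None
    head_end = stream.find(b"\r\n\r\n")  # blank line ends the HTTP headers
    return "body" if 0 <= head_end < m.start() else "header"

# Constructed sample request (hypothetical host and parameter values).
REQUEST = (b"POST /login HTTP/1.1\r\nHost: www.example.com\r\n"
           b"Content-Length: 29\r\n\r\nuser=admin&cmd=blocked-string")
HEADER_RE = re.compile(rb"Host: www\.example\.com")
BODY_RE = re.compile(rb"cmd=blocked-string")

# Cut inside the Host header and inside the body string, then deliver the
# segments out of order with one retransmission.
PARTS = segment(REQUEST, [30, REQUEST.index(b"blocked") + 3])
SEGMENTS = [PARTS[2], PARTS[0], PARTS[1], PARTS[0]]

if __name__ == "__main__":
    for name, rx in (("header", HEADER_RE), ("body", BODY_RE)):
        print(name, "per-packet:", per_packet_match(SEGMENTS, rx),
              "stream:", stream_match(SEGMENTS, rx))
```

Both patterns are missed when each segment is inspected alone and found once the stream is reassembled, which is why a single stream-based signature can cover a header or a body match.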
