New Member

IPS custom signature: HTTP not found

Hi,

I would like to create a signature which fires when a server reports HTTP Not found.

For testing purposes I have used space ([\x20]) for matching regexp. It does not work. When I set the direction from "from-service" to "to-service" it works. Does someone have an idea?

There are no filters.

The signature is the following:

sig-id: 60008
subsig-id: 0
-----------------------------------------------
alert-severity: medium default: medium
sig-fidelity-rating: 100 default: 75
promisc-delta: 10 default: 0
sig-description
-----------------------------------------------
sig-name: HTTP not found v2 default: My Sig
sig-string-info: HTTP not found default: My Sig Info
sig-comment: Sig Comment default: Sig Comment
alert-traits: 0 default: 0
release: custom default: custom
-----------------------------------------------
engine
-----------------------------------------------
string-tcp
-----------------------------------------------
event-action: produce-alert default: produce-alert
strip-telnet-options: false default: false
specify-min-match-length
-----------------------------------------------
no
-----------------------------------------------
-----------------------------------------------
-----------------------------------------------
regex-string: [\x20]
service-ports: 80
direction: from-service default: to-service
specify-exact-match-offset
-----------------------------------------------
no
-----------------------------------------------
specify-max-match-offset
-----------------------------------------------
no
-----------------------------------------------
-----------------------------------------------
-----------------------------------------------
specify-min-match-offset
-----------------------------------------------
no
-----------------------------------------------
-----------------------------------------------
-----------------------------------------------
-----------------------------------------------
-----------------------------------------------
swap-attacker-victim: false default: false
-----------------------------------------------
-----------------------------------------------
event-counter
-----------------------------------------------
event-count: 1 default: 1
event-count-key: Axxx default: Axxx
specify-alert-interval
-----------------------------------------------
no
-----------------------------------------------
-----------------------------------------------
-----------------------------------------------

4 REPLIES
Silver

Re: IPS custom signature: HTTP not found

The "from-service" just means the signature fires when the source port is 80. The default, "to-service", fires only if you are connecting to a destination port of 80. Basically the "from-service" fires on return web traffic only, which is what should happen. Not sure why they made the default "to-service" (doesn't make much sense).

New Member

Re: IPS custom signature: HTTP not found

Yes, you are right. I want to check traffic ("Not found") in packets whose source port is tcp/80. I think "from-service" should be used as seen in the config. (I hope default: to-service just means that the default setting is to-service, but now the setting is "from-service".)

Gold

Re: IPS custom signature: HTTP not found

Take a look at 6256-0 for an example of how Cisco does this. That signature detects HTTP status code 401. Clone and change to 404 and you're in business. You'll want to tweak the event count and alert frequency settings of course.

New Member

Re: IPS custom signature: HTTP not found

Thank you very much, it works.
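
The direction logic discussed in this thread, as an added Python example that is not part of the original posts and is not Cisco's signature code. The status-line regex, the function names and the sample segments are assumptions made for illustration; each segment is matched on its own, without stream reassembly.

```python
import re
from collections import Counter

SERVICE_PORT = 80  # service-ports value from the signature in the thread
# Assumed pattern for a 404 status line; not the regex of signature 6256-0.
STATUS_404 = re.compile(rb"HTTP/1\.[01] 404 ")

def direction(src_port, dst_port, service_port=SERVICE_PORT):
    """Classify a TCP segment as the thread describes the two settings."""
    if src_port == service_port:
        return "from-service"   # return traffic sent by the web server
    if dst_port == service_port:
        return "to-service"     # client request toward the web server
    return None

def match_404(segments, want="from-service", event_count=1):
    """Return sorted (src, dst) pairs with at least event_count matches."""
    hits = Counter()
    for src, sport, dst, dport, payload in segments:
        if direction(sport, dport) != want:
            continue  # the regex is only applied in the configured direction
        if STATUS_404.search(payload):
            hits[(src, dst)] += 1
    return sorted(pair for pair, n in hits.items() if n >= event_count)

# Constructed sample segments: (src_ip, src_port, dst_ip, dst_port, payload)
SAMPLE = [
    ("10.0.0.5", 49152, "192.0.2.10", 80,
     b"GET /missing HTTP/1.1\r\nX-Note: HTTP/1.1 404 \r\n\r\n"),
    ("192.0.2.10", 80, "10.0.0.5", 49152,
     b"HTTP/1.1 404 Not Found\r\nContent-Length: 0\r\n\r\n"),
    ("192.0.2.10", 80, "10.0.0.5", 49153,
     b"HTTP/1.1 200 OK\r\nContent-Length: 2\r\n\r\nok"),
    ("192.0.2.10", 80, "10.0.0.6", 49200, b"HTTP/1.0 404 Not Found\r\n\r\n"),
    ("192.0.2.10", 80, "10.0.0.6", 49201, b"HTTP/1.1 404 Not Found\r\n\r\n"),
]

if __name__ == "__main__":
    print("from-service:", match_404(SAMPLE))
    print("to-service:  ", match_404(SAMPLE, want="to-service"))
    print("event_count=2:", match_404(SAMPLE, event_count=2))
```

With `want="to-service"` the only hit is the client request that happens to carry the status text in a header, which is why a response-code signature belongs on the from-service side.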
