IPS custom signature: HTTP not found

csiszerakos2
Level 1

Hi,

I would like to create a signature which fires when a server reports HTTP Not found.

For testing purposes I have used a space ([\x20]) as the matching regexp. It does not work. When I set the direction from "from-service" to "to-service" it works. Does someone have an idea?

There are no filters.

The signature is the following:

sig-id: 60008
subsig-id: 0
-----------------------------------------------
   alert-severity: medium default: medium
   sig-fidelity-rating: 100 default: 75
   promisc-delta: 10 default: 0
   sig-description
   -----------------------------------------------
      sig-name: HTTP not found v2 default: My Sig
      sig-string-info: HTTP not found default: My Sig Info
      sig-comment: Sig Comment default: Sig Comment
      alert-traits: 0 default: 0
      release: custom default: custom
   -----------------------------------------------
   engine
   -----------------------------------------------
      string-tcp
      -----------------------------------------------
         event-action: produce-alert default: produce-alert
         strip-telnet-options: false default: false
         specify-min-match-length
         -----------------------------------------------
            no
            -----------------------------------------------
            -----------------------------------------------
         -----------------------------------------------
         regex-string: [\x20]
         service-ports: 80
         direction: from-service default: to-service
         specify-exact-match-offset
         -----------------------------------------------
            no
            -----------------------------------------------
            -----------------------------------------------
         -----------------------------------------------
         specify-max-match-offset
         -----------------------------------------------
            no
            -----------------------------------------------
            -----------------------------------------------
         -----------------------------------------------
         specify-min-match-offset
         -----------------------------------------------
            no
            -----------------------------------------------
            -----------------------------------------------
         -----------------------------------------------
         swap-attacker-victim: false default: false
      -----------------------------------------------
   -----------------------------------------------
   event-counter
   -----------------------------------------------
      event-count: 1 default: 1
      event-count-key: Axxx default: Axxx
      specify-alert-interval
      -----------------------------------------------
         no
         -----------------------------------------------
         -----------------------------------------------
      -----------------------------------------------

4 Replies

jwalker
Level 3

The "from-service" just means the signature fires when the source port is 80. The default, "to-service", fires only if you are connecting to a destination port of 80. Basically the "from-service" fires on return web traffic only, which is what should happen. Not sure why they made the default "to-service" (doesn't make much sense).

Yes, you are right. I want to check traffic ("Not found") in packets whose source port is tcp/80. I think "from-service" should be used, as seen in the config. (I hope "default: to-service" just means that the default setting is to-service, but now the setting is "from-service".)

mhellman
Level 7

Take a look at 6256-0 for an example of how Cisco does this. That signature detects HTTP status code 401. Clone and change to 404 and you're in business. You'll want to tweak the event count and alert frequency settings of course.

Thank you very much, it works.
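To make the two points in the thread concrete (jwalker's explanation that "from-service" means the signature is evaluated when the source port is the service port, and mhellman's suggestion to match the status line of the server's reply rather than an arbitrary character), here is an added Python model of how a string-tcp signature's direction and regex combine. It is illustrative code written for this page, not Cisco IPS code: the direction semantics follow jwalker's reply, the sample request and responses are constructed, and the 404 regex is an assumption (the thread does not show the actual regex used by signature 6256-0).

```python
import re
from dataclasses import dataclass

# Illustrative model of the string-tcp fields seen in the posted signature.
# NOT the Cisco IPS engine; direction semantics as described by jwalker:
#   from-service -> evaluate when the packet's SOURCE port is the service port
#   to-service   -> evaluate when the packet's DESTINATION port is the service port
@dataclass
class StringTcpSig:
    sig_id: int
    regex_string: str
    service_port: int
    direction: str  # "from-service" or "to-service"

    def applies_to(self, src_port: int, dst_port: int) -> bool:
        """Direction gate: decides whether the regex is even tried."""
        if self.direction == "from-service":
            return src_port == self.service_port
        if self.direction == "to-service":
            return dst_port == self.service_port
        raise ValueError(f"unknown direction {self.direction!r}")

    def fires(self, src_port: int, dst_port: int, payload: bytes) -> bool:
        """True when the direction matches and the regex hits the payload."""
        if not self.applies_to(src_port, dst_port):
            return False
        return re.search(self.regex_string.encode(), payload) is not None


# Constructed sample traffic (not captured from the poster's network).
REQUEST = b"GET /missing.html HTTP/1.1\r\nHost: example.test\r\n\r\n"
RESPONSE_404 = b"HTTP/1.1 404 Not Found\r\nContent-Type: text/html\r\n\r\n<html>gone</html>"
RESPONSE_200 = b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html>ok</html>"

# Each flow: (source port, destination port, TCP payload). Client ephemeral port assumed.
FLOWS = {
    "client->server request": (51234, 80, REQUEST),
    "server->client 404": (80, 51234, RESPONSE_404),
    "server->client 200": (80, 51234, RESPONSE_200),
}

# The poster's test signature: regex is a single space, direction from-service.
SPACE_SIG = StringTcpSig(60008, r"[\x20]", 80, "from-service")
# Same regex with the default direction, to show what to-service selects.
SPACE_SIG_TO_SERVICE = StringTcpSig(60008, r"[\x20]", 80, "to-service")
# ASSUMED regex for a 404 status line, in the spirit of mhellman's advice
# (clone the 401 signature 6256-0 and change the code). The real 6256-0
# regex is not shown in the thread; this one anchors on the reply's first line.
NOT_FOUND_SIG = StringTcpSig(60009, r"^HTTP/1\.[01] 404", 80, "from-service")


def evaluate(sig: StringTcpSig, flows: dict) -> dict:
    """Return {flow name: fired?} for one signature over all sample flows."""
    return {name: sig.fires(src, dst, payload) for name, (src, dst, payload) in flows.items()}


if __name__ == "__main__":
    for sig in (SPACE_SIG, SPACE_SIG_TO_SERVICE, NOT_FOUND_SIG):
        print(f"sig {sig.sig_id} direction={sig.direction} regex={sig.regex_string!r}")
        for name, fired in evaluate(sig, FLOWS).items():
            print(f"  {name:24s} -> {'ALERT' if fired else 'no alert'}")
```

The output shows why a space is a poor test: with from-service it alerts on every server reply (404 and 200 alike), and with to-service it alerts on every client request, so neither result tells you anything about "Not found". Anchoring on the status line in the from-service direction alerts only on the 404 reply, which is the behaviour the original post asks for.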
