Cisco Support Community
New Member

IPS Custom Signature - .torrent - Possible?

Hi, I was wondering if it is possible to create a custom signature that would produce an alert whenever someone clicks on a .torrent link.

I am using Build Version: 5.1(3)S247.0

Just started using the IPS, so any help or pointers will be greatly appreciated.

9 REPLIES
Gold

Re: IPS Custom Signature - .torrent - Possible?

Yes, should be possible. You can inspect the URL or you can inspect the HTTP headers (the latter will probably trigger fewer false positives).

Take a look at sig 3204-0 for a pretty simple example of URL inspection.

Take a look at sig 5800-0 for an example that inspects HTTP headers. I'm not a big torrent user, but I think you will be looking for

"Content-Type: application/x-bittorrent"

Cisco Employee

Re: IPS Custom Signature - .torrent - Possible?

You could do the following:

Using engine == Service-HTTP

URI regex == [.][Tt][Oo][Rr][Rr][Ee][Nn][Tt]

service ports == #WEBPORTS

That will fire any time ".torrent" is seen in the URI. So anytime someone clicks on a link that contains ".torrent" (case insensitive), the alert would fire.

Gold

Re: IPS Custom Signature - .torrent - Possible?

Being nitpicky, but you didn't escape the dot. Won't that pretty much trigger on the word "torrent" anywhere in the URL?

New Member

Re: IPS Custom Signature - .torrent - Possible?

THX for your help

Cisco Employee

Re: IPS Custom Signature - .torrent - Possible?

Within a character class you don't need to escape the dot.

Gold

Re: IPS Custom Signature - .torrent - Possible?

You're absolutely right, I forgot about that ;-)

New Member

Re: IPS Custom Signature - .torrent - Possible?

THX for your help

New Member

IPS Custom Signature - .torrent - Possible?

I've had no luck with this.

I've been trying to customize a signature to alert me when someone is browsing www.dropbox.com and can't get it to work.

I have configured the following:

Using engine == Service-HTTP

URI regex == [.][Dd][Rr][Oo][Pp][Bb][Oo][Xx]

service ports == #WEBPORTS

The status is enabled and the Event action is Produce Alert.

Am I missing something? I am not getting any alerts.

Cisco Employee

IPS Custom Signature - .torrent - Possible?

Hi,

I replied in the other thread. Please try with header-regex instead of uri-regex, because the host name will appear in the HTTP header in the traffic.

Also, we have sig 38686 detecting dropbox usage. Perhaps those are what you are looking for.
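An added illustration, not part of the thread and not Cisco code: the two points discussed above (a dot inside a character class is literal, and a host name sits in the Host header rather than the request URI) checked against sample requests. Python's `re` module stands in for the sensor's regex engine as an assumption, and the function names and sample requests are constructed for this example.

```python
import re

# Patterns copied from the thread; Python's re approximates the sensor's engine (assumption).
TORRENT_URI = re.compile(r"[.][Tt][Oo][Rr][Rr][Ee][Nn][Tt]")
DROPBOX = re.compile(r"[.][Dd][Rr][Oo][Pp][Bb][Oo][Xx]")
# For contrast only: outside a character class, '.' matches any character.
UNESCAPED_DOT = re.compile(r".torrent")


def split_request(raw: bytes):
    """Return (uri, header_block) from a raw HTTP/1.x request."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    request_line, _, header_block = head.partition("\r\n")
    parts = request_line.split(" ")
    if len(parts) != 3:
        raise ValueError("malformed request line: %r" % request_line)
    return parts[1], header_block


def evaluate(raw: bytes):
    """Show which field each pattern matches: URI inspection vs header inspection."""
    uri, headers = split_request(raw)
    return {
        "torrent_uri": bool(TORRENT_URI.search(uri)),
        "unescaped_dot_uri": bool(UNESCAPED_DOT.search(uri)),
        "dropbox_uri": bool(DROPBOX.search(uri)),
        "dropbox_header": bool(DROPBOX.search(headers)),
    }


# Constructed sample requests (not captured traffic).
SAMPLES = {
    "torrent_link": b"GET /files/ubuntu.torrent HTTP/1.1\r\nHost: example.test\r\n\r\n",
    "word_only": b"GET /news/a-torrent-of-rain HTTP/1.1\r\nHost: example.test\r\n\r\n",
    "dropbox_home": b"GET / HTTP/1.1\r\nHost: www.dropbox.com\r\nUser-Agent: test\r\n\r\n",
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(name, evaluate(raw))
```

The `dropbox_home` request shows why the URI pattern never produced an alert: the URI is just `/`, while `.dropbox` appears only in the header block.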
