Cisco Support Community
New Member

IPS - Custom Signature url Alert

I just need a little help with one simple custom signature.

I am running an ASA-SSM-10 on an ASA5520.

IPS Version: 7.0(7)E4

I've been trying to customize a signature to send/log alerts if someone is accessing www.dropbox.com and can't get it to work.

I have read multiple posts and ended up configuring the custom signature like this: (based on Cisco 3204 signature)

Using engine == Service-HTTP

URI regex == [.][Dd][Rr][Oo][Pp][Bb][Oo][Xx]

service ports == #WEBPORTS

The status is enabled and the Event action is Produce Alert.

Am I missing something? I am not getting any alerts.

I have attached a screenshot of the custom sig.

Any help will be great, thanks in advance.

Zeek

4 REPLIES
VIP Purple

Re: IPS - Custom Signature url Alert

That can't work as Dropbox is using HTTPS and the IPS can't look into these encrypted sessions. Your signature will only work for sessions that use plain HTTP.

New Member

Re: IPS - Custom Signature url Alert

OK, thank you for your quick response.

Cisco Employee

IPS - Custom Signature url Alert

Hi,

Actually, "dropbox.com" will appear in the Hostname in the traffic, but in the custom signature, you are using uri-regex. If you change it to header-regex, it might work.

Secondly, we have sig 38686 subsigs 0 and 1 to detect Dropbox usage. Subsig 0 in service-http is what you might be looking for. These sigs were released in S604.

Hope this helps,

Radhika
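
The two replies above, as an added example that is not part of the original posts and not Cisco's engine code: a simplified Python model of where the signature's regex is applied. The function names and the sample payloads are constructed for illustration; only the regex comes from the thread.

```python
import re

# Regex taken from the custom signature in the original post.
SIG = re.compile(rb"[.][Dd][Rr][Oo][Pp][Bb][Oo][Xx]")

def split_http_request(payload: bytes):
    """Return (uri, header_block), or None if this is not a cleartext HTTP request."""
    head, _, _ = payload.partition(b"\r\n\r\n")
    request_line, _, header_block = head.partition(b"\r\n")
    parts = request_line.split(b" ")
    if len(parts) != 3 or not parts[2].startswith(b"HTTP/"):
        return None  # e.g. a TLS record: nothing for an HTTP inspector to parse
    return parts[1], header_block

def evaluate(payload: bytes) -> dict:
    """Report whether the regex hits the URI field, the header block, or neither."""
    parsed = split_http_request(payload)
    if parsed is None:
        return {"parsed": False, "uri_match": False, "header_match": False}
    uri, headers = parsed
    return {
        "parsed": True,
        "uri_match": bool(SIG.search(uri)),        # what a URI regex sees
        "header_match": bool(SIG.search(headers)),  # what a header regex sees
    }

# Constructed sample payloads (not captured traffic).
# 1. Direct request: the URI is only the path, the site name is in the Host header.
ORIGIN_FORM = (b"GET /login HTTP/1.1\r\n"
               b"Host: www.dropbox.com\r\nUser-Agent: example\r\n\r\n")
# 2. Request sent to a forward proxy: the URI is absolute and carries the host.
ABSOLUTE_FORM = (b"GET http://www.dropbox.com/login HTTP/1.1\r\n"
                 b"Host: www.dropbox.com\r\n\r\n")
# 3. Start of a TLS handshake record, as seen when the site is reached over HTTPS.
TLS_RECORD = b"\x16\x03\x01\x00\x05\x01\x00\x00\x01\x00"

if __name__ == "__main__":
    for name, sample in [("origin-form", ORIGIN_FORM),
                         ("absolute-form", ABSOLUTE_FORM),
                         ("tls", TLS_RECORD)]:
        print(name, evaluate(sample))
```

In this model the URI match only fires for the proxy-style request, the header match fires for any cleartext request naming the host, and the TLS payload yields no HTTP fields at all.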

New Member

IPS - Custom Signature url Alert

Thanks a lot! It is what I needed to know.
