Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

IPS http custom sig

I'm not sure if this is possible, but I have a situation where I'm trying to identify an attacker who is constantly screen scraping my website. The challenge is that the attacker's traffic is first sent to a CDM so the source IP is modified before it gets to me. The CDM inserts a response header (X-Client-IP) into the HTTP request containg the the source address of the attacker.

attacker <-> CDM <-> my web server

How would I (or is it even possible) create a custom sig to look at the incoming response header "X-Client-IP" to identify 20 hits from the same attacker in 1 minute? The attackers address could change at any time, so I can't hard code his IP in the signature's "request regex" variable. I need the system to keep track of all incoming request headers and identify anyone who trips the 20 hit limit.

Thanks in advance!

1 REPLY
New Member

Re: IPS http custom sig

Hello,

To answer your first question, you could create a service-http signature on header-regex of:

^X-Client-IP:

(with perhaps [0-9]+\x2e[0-9]+\x2e[0-9]+\x2e[0-9] for IPv4 addresses).

As for the changing IP addresses, I don't know of any way to handle that within the regex. However, if the X-Client-IP address is within a certain range (ie, class C/B), you could include that in the regex above).

You might be able to do a suitable alert with event management software, however, I don't know of any way of doing exactly what you want with a single signature (though I may be wrong and it may be possible).

I have some questions which may help with writing a suitable signature though:

How different is the IP addresses used in X-Client-IP?

Have you tested if the CDM passes on the clients X-Client-IP header (if specified), or if it replaces the header completely (or possibly inserts an additional header).

If the client's X-Client-IP header is honoured, then the client might be inserting random IP addresses to try and trick software using X-Client-IP.

103
Views
0
Helpful
1
Replies