Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements
Step-by-Step Configuration and Troubleshooting Best Practices for the NGFW, NGIPS and AMP Technologies A Visual Guide to the Cisco Firepower Threat Defense (FTD)
Community Member

IPS misuse of port 80

what signature catches the misuse of port 80 ?

1 ACCEPTED SOLUTION

Accepted Solutions
Silver

Re: IPS misuse of port 80

The HTTP Inspection engine feature allows users to detect and prohibit HTTP connections?such as tunneling over port 80, unauthorized request methods, and non-HTTP compliant file transfers.

This gives better idea for IOS based IPS

http://www.cisco.com/en/US/products/ps6350/products_configuration_guide_chapter09186a0080455acb.html

-Hoogen

Do rate if this post helps :)

4 REPLIES
Silver

Re: IPS misuse of port 80

The HTTP Inspection engine feature allows users to detect and prohibit HTTP connections?such as tunneling over port 80, unauthorized request methods, and non-HTTP compliant file transfers.

This gives better idea for IOS based IPS

http://www.cisco.com/en/US/products/ps6350/products_configuration_guide_chapter09186a0080455acb.html

-Hoogen

Do rate if this post helps :)

Community Member

Re: IPS misuse of port 80

Well I really meant the IPS Appliances not the router IPS

I wanted to stop some p2p trafficking using a ips 4215

Silver

Re: IPS misuse of port 80

Hi,

I kind of tried looking around for a solution for your problem the only thing I seem to come up with is Custom signature.

I picked up something for Kazaa a p2p application. THe first thing is that you need to capture those packets using ethereal or any packet sniffer tools. Pick up a sample traffic. Look for something in the traffic sample that will identify the Kazaa application.

Signature identify key parts of the traffic which wouldn't change. For Kazaa the payload seems to have the same last 6 bytes in multiple captures.

Traffic characteristics, usually an UDP packet, Payload always ends with the same 6 bytes, payload ends in "kazaa" followed by null (ox00)

Custom Signature Settings

- Engine: ATOMIC.IP

- L4 Protocol of UDP

- Payload Regex: [Kk][Aa][Zz][Aa][Aa]\x00

Create a custom signature based on this:

In event action you could ask for a Produce Verbose alert. Specify the Layer 4 protocol. Use the Payload inspection to specify the regex.

Leave the signature turned on for atleast a week or two. And check for results.

But you have pre-defined signatures too for p2p traffic clients like

Kazaa 5534 sub sig id 0,1,&2.

Bittorent 11020,11030.

edonkey 11018.

MOst engines doing this inspection would be string.tcp or atomic.ip.

You can search your signature details in this site and then tune the signature to deny the connection inline.

http://tools.cisco.com/MySDN/Intelligence/searchSignatures.x

HTH

Hoogen

Do rate helpful posts :)

Community Member

Re: IPS misuse of port 80

Hey man Thanks for all the help !!! I found the answer... the signature 12674 does stop non-http traffic.

But I'll keep in mind the custom atomic signatures, they are very handy .

Thanks for your help !

187
Views
5
Helpful
4
Replies
CreatePlease to create content