Cisco Support Community
Community Member

IPS regex for a certificate name

Hello,

Using the 4260-IPS I'd like to create a signature using regex that can fire on a specific certificate name. In a sniffer trace I can see the entry as "Name=Grac". I tried using the following regex but it didn't work.

[Nn][Aa][Mm)[Ee][\=][Gg][Rr][Aa][Cc]

Rick

4 REPLIES
Community Member

Re: IPS regex for a certificate name

On IDM

Configuration > Signature Definition > Custom Signature Wizard, then

Choose TCP as the protocol to inspect >

Click the Single TCP Connection radio button >

Select Other as the service type >

Enter signature parameters >

Select your event action

In the Regex String field, enter

[Nn][Aa][Mm)[Ee][\=][Gg][Rr][Aa][Cc]

enter 80 in the Service Ports field

and you should use from service

Or you can clone a tcp string from any other signatures and change the fields

Community Member

Re: IPS regex for a certificate name

Thanks rodrigogurrit. I tried this but it does not work. I should clarify that I am trying to fire on SSL (port 443) in this case. I adjusted the service port from 80 to 443 but kept everything else the same. What I'm trying to do is fire on the SSL certificate name which I can see in a trace.

Rick

Community Member

Re: IPS regex for a certificate name

Hmm, it's a good question because 443 is encrypted and the IPS cannot see what is going on.

Sorry

Gold

Re: IPS regex for a certificate name

Get rid of the backslash; the equal sign is not a metacharacter that needs escaping. What engine are you using?

I'm guessing you're talking about server certs? I would suggest the "string tcp" engine and make sure you are using the direction "from service".
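
An added check, not part of the thread and not Cisco tooling: it reads the posted pattern under Python `re` semantics (an assumption; the sensor's regex engine may parse it differently) and shows that the class opened at `[Mm)` never closes, so it swallows `[Ee` and the pattern no longer matches "Name=Grac". The corrected pattern, the function names and the payloads are constructed for illustration.

```python
import re

# Pattern exactly as posted in the thread, and a hypothetical corrected form
# (bracket closed, backslash before '=' dropped as the last reply suggests).
AS_POSTED = rb"[Nn][Aa][Mm)[Ee][\=][Gg][Rr][Aa][Cc]"
CORRECTED = rb"[Nn][Aa][Mm][Ee]=[Gg][Rr][Aa][Cc]"

# Constructed payloads standing in for bytes seen in a sniffer trace.
PAYLOADS = [b"\x30\x82 Name=Grac \x00", b"\x30\x82 NAME=GRAC \x00", b"\x30\x82 Nam=Grac \x00"]


def nested_open_brackets(pattern: bytes) -> list[int]:
    """Offsets of '[' found inside an already-open character class.

    Such a '[' is taken as a literal member of the class, which usually
    means the previous class was closed with the wrong character.
    """
    offsets, in_class, i = [], False, 0
    while i < len(pattern):
        ch = pattern[i:i + 1]
        if ch == b"\\":          # escaped byte: skip it and the next one
            i += 2
            continue
        if ch == b"[":
            if in_class:
                offsets.append(i)
            else:
                in_class = True
        elif ch == b"]" and in_class:
            in_class = False
        i += 1
    return offsets


def fires(pattern: bytes, payload: bytes) -> bool:
    """True when the pattern matches anywhere in the payload."""
    return re.search(pattern, payload) is not None


def report(pattern: bytes) -> dict:
    """Lint result plus which constructed payloads the pattern matches."""
    return {
        "nested_at": nested_open_brackets(pattern),
        "matches": [p for p in PAYLOADS if fires(pattern, p)],
    }


if __name__ == "__main__":
    for name, pat in (("as posted", AS_POSTED), ("corrected", CORRECTED)):
        print(name, report(pattern=pat))
```
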
