06-10-2007 04:45 AM - edited 03-10-2019 03:39 AM
Hello,
Using the 4260-IPS I'd like to create a signature using regex that can fire on a specific certificate name. In a sniffer trace I can see the entry as "Name=Grac". I tried using the following regex but it didn't work.
[Nn][Aa][Mm)[Ee][\=][Gg][Rr][Aa][Cc]
Rick
06-10-2007 08:11 AM
On IDM
Configuration > Signature Definition > Custom Signature Wizard, then
Choose TCP as the protocol to inspect >
Click the Single TCP Connection radio button >
Select Other as the service type >
Enter signature parameters >
Select your event action
In the Regex String field enter
[Nn][Aa][Mm)[Ee][\=][Gg][Rr][Aa][Cc]
Enter 80 in the Service Ports field
and you should use from service
Or you can clone a TCP string from any other signature and change the fields
06-10-2007 12:50 PM
Thanks rodrigogurrit. I tried this but it does not work. I should clarify that I am trying to fire on SSL (port 443) in this case. I adjusted the service port from 80 to 443 but kept everything else the same. What I'm trying to do is fire on the SSL certificate name, which I can see in a trace.
Rick
06-10-2007 06:03 PM
Hmm, it's a good question, because 443 is encrypted and the IPS cannot see what is going on.
Sorry
06-11-2007 06:16 AM
Get rid of the backslash; the equal sign is not a metacharacter that needs escaping. What engine are you using?
I'm guessing you're talking about server certs? I would suggest the "string tcp" engine and make sure you are using the direction "from service".
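
An offline check of the pattern posted in this thread against a constructed payload, added here as an example and not taken from any poster or from Cisco. It uses Python's `re` as a stand-in for the sensor's regex engine (an assumption; the IPS may parse the pattern differently), and the helper names and sample bytes are made up for illustration.

```python
import re

# Pattern exactly as posted in the thread, and a corrected form with the
# third class closed and the unneeded backslash removed.
AS_POSTED = rb"[Nn][Aa][Mm)[Ee][\=][Gg][Rr][Aa][Cc]"
CORRECTED = rb"[Nn][Aa][Mm][Ee]=[Gg][Rr][Aa][Cc]"

# Constructed sample (not a real capture): a server-to-client segment
# carrying the text the poster saw in the sniffer trace.
SAMPLE = b"\x16\x03\x01\x0b\x00\x00 O=Example Name=Grac C=US"


def nested_open_brackets(pattern: bytes) -> list[int]:
    """Offsets of '[' that appear while a character class is still open.

    A hit usually means an earlier class was never closed with ']'.
    """
    hits, in_class, i = [], False, 0
    while i < len(pattern):
        ch = pattern[i:i + 1]
        if ch == b"\\":          # skip the escaped character
            i += 2
            continue
        if ch == b"[":
            if in_class:
                hits.append(i)
            in_class = True
        elif ch == b"]":
            in_class = False
        i += 1
    return hits


def matches(pattern: bytes, data: bytes) -> bool:
    """True if the pattern is found anywhere in the data."""
    return re.search(pattern, data) is not None


if __name__ == "__main__":
    for name, pat in (("as posted", AS_POSTED), ("corrected", CORRECTED)):
        print(name, "suspect '[' at", nested_open_brackets(pat),
              "| matches sample:", matches(pat, SAMPLE))
    # In Python's parser "[Mm)[Ee]" is ONE class (M, m, ')', '[', E, e), so
    # the posted pattern matches "Nam=Grac" but never "Name=Grac".
    print("posted pattern matches b'Nam=Grac':", matches(AS_POSTED, b"Nam=Grac"))
```
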