Cisco Support Community
New Member

Need solution


Kindly provide me a solution for how I can implement the below. We are using IDS-4235 v4.1.

Update: In addition to the domains mentioned above, more malicious domains
are being reported. The complete list of malicious domains is as follows:

uhave post card DOT com
merrychristmasdude DOT com
americangreetings DOT b719 DOT cn
americangreetings DOT 846123 DOT cn
lbss DOT 3322 DOT org
happycards2008 DOT com
newyear2008 DOT com
newyearcards2008 DOT com
newyearwithlove DOT com

Note: Users are advised to visit this page regularly to get the updated
list of malicious domains.

Users are advised to implement the following countermeasures:

It has been observed that malicious domains such as those mentioned above are
hosted by the Storm Botnet, mostly using the nginx/0.5.17 web server. Consider
blocking packets from the nginx/0.5.17 web server through a proxy or set an
appropriate alert/rule at the IDS/IPS.

Cisco Employee

Re: Need solution

You can use the string.tcp engine with the following regex:


*from* #WEBPORTS

to detect the nginx webserver.

You can also use string.udp (setting *to* port 53) to trigger alerts on dns requests for the domains mentioned. For the dns regex, you need to be aware that the query will take the form of:

length-byte -- characters -- length-byte -- characters

So something like 2 characters, 6 characters, then 3 characters gets strung together as such:


That is the regex to catch regardless of case in a dns query (UDP).

(Note that the dots in the name do not appear in the regex string.)
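
A worked version of the two detections described in this reply, added here as an example; it is not part of the original post and does not use the IDS-4235's own signature syntax. It generates the length-byte/characters pattern for a defanged domain (dots never appear, as the reply notes), then checks constructed sample DNS queries and HTTP responses against it. The function names, WATCHED_DOMAINS and all sample packets are assumptions constructed for the example.

```python
import re
import struct

# Added example: builds the DNS and HTTP detection patterns described in the
# reply above for a generic byte-matching engine. The domains and packets below
# are constructed test data; nothing here is the IDS-4235 engine's own syntax.


def defanged_to_labels(defanged):
    """'merrychristmasdude DOT com' -> ['merrychristmasdude', 'com']."""
    return [p for p in defanged.replace(" DOT ", ".").split(".") if p]


def dns_qname_wire(domain):
    """Encode a name in DNS wire form: <len><label>...<len><label>\\x00."""
    out = b""
    for label in domain.strip(".").split("."):
        raw = label.encode("ascii")
        if not 1 <= len(raw) <= 63:
            raise ValueError("DNS labels must be 1..63 bytes: %r" % label)
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def dns_query_regex(defanged_domain):
    """Regex for the wire-format name: length byte, characters, length byte,
    characters. No dots; the trailing NUL (root label) pins the end of the
    name, so 'example.com' does not match 'example.com.attacker.test'.
    re.escape also neutralises length bytes that happen to be metacharacters
    (a 36-byte label gives 0x24, '$')."""
    parts = []
    for label in defanged_to_labels(defanged_domain):
        parts.append(re.escape(bytes([len(label)]) + label.encode("ascii")))
    return re.compile(b"".join(parts) + b"\x00", re.IGNORECASE | re.DOTALL)


def build_dns_query(domain, txid=0x1234):
    """Standard A query: 12-byte header, QNAME, QTYPE=A, QCLASS=IN (constructed)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + dns_qname_wire(domain) + struct.pack("!HH", 1, 1)


# Assumed watch list, taken from the defanged names in the advisory above.
WATCHED_DOMAINS = ["merrychristmasdude DOT com", "happycards2008 DOT com"]
DNS_PATTERNS = {d: dns_query_regex(d) for d in WATCHED_DOMAINS}


def match_dns_query(udp_payload):
    """Names from WATCHED_DOMAINS whose wire form appears in a UDP/53 payload."""
    return [d for d, rx in DNS_PATTERNS.items() if rx.search(udp_payload)]


# Server banner the advisory associates with the hosting infrastructure.
SERVER_BANNER_RE = re.compile(rb"^Server:[ \t]*nginx/0\.5\.17\b",
                              re.IGNORECASE | re.MULTILINE)


def http_response_has_banner(tcp_payload):
    """True when the response headers (traffic *from* a web port) carry the
    nginx/0.5.17 Server header; the body after the blank line is ignored."""
    head = tcp_payload.split(b"\r\n\r\n", 1)[0]
    return SERVER_BANNER_RE.search(head) is not None


if __name__ == "__main__":
    q = build_dns_query("MerryChristmasDude.COM")  # constructed, mixed case
    print(q[12:].hex(), match_dns_query(q))
    resp = b"HTTP/1.1 200 OK\r\nServer: nginx/0.5.17\r\nContent-Length: 0\r\n\r\n"
    print(http_response_has_banner(resp))
```

The DNS pattern is anchored on the root-label NUL rather than on the start of the name, so a query for a subdomain of a watched name still triggers while a longer name that merely embeds the watched labels does not; drop the trailing `b"\x00"` if the broader match is wanted. In the engine the reply describes, the DNS pattern would go on string.udp with the *to* port set to 53 and the banner pattern on string.tcp *from* the web ports.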

New Member

Re: Need solution

Thank you for your response.
