Sig 5474 - Doesn't come close to packet contents

We had sig 5474 fire on two sensors. After looking at the packet and then the Regex in the sig, this just doesn't make sense to me.

The Regex:

([%]20|[=])[Ss][Ee][Ll][Ee][Cc][Tt]([%]20|[+])[^\r\n\x00-\x19\x7F-\xFF]+([%]20|[+])[Ff][Rr][Oo][Mm]([%]20|[+])

The Packet:

4.0 (compatible;MSIE 6.0; Windows NT 5.1; SV1;.NET CLR 1.1.4322)..Host: www.trustar-rs.com..Content-Length: 611..Connection: Keep-Alive..Cacheeep-Alive..Cachehe..Cookie: <removedforsecurity>=QXIPUNSdmzweb104CKQOO; RANDOM_ID=f6a8759283514372bfadf7d4677bd5f0....

Any input on this one?

Thanks.

-David
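
As an added check that is not part of the original post: running signature 5474's regex, exactly as quoted above, over the posted packet fragment confirms it contains no "SELECT ... FROM" token sequence, so whatever the sensor matched is not in the bytes shown. The fragment ends inside the request headers and advertises Content-Length: 611, so the request body (where a form-encoded SELECT would normally sit) is simply not in the excerpt. The other inputs below are constructed test strings, not traffic from the page, chosen to show which encodings the regex does and does not accept.

```python
import re

# Signature 5474's regex, copied verbatim from the post: a URL-encoded
# "SELECT <something> FROM", where separators must be %20, '=' or '+'.
SIG_5474 = re.compile(
    r"([%]20|[=])[Ss][Ee][Ll][Ee][Cc][Tt]([%]20|[+])"
    r"[^\r\n\x00-\x19\x7F-\xFF]+"
    r"([%]20|[+])[Ff][Rr][Oo][Mm]([%]20|[+])"
)

# The packet fragment quoted in the post ('..' is how the viewer rendered CR/LF).
POSTED_FRAGMENT = (
    "4.0 (compatible;MSIE 6.0; Windows NT 5.1; SV1;.NET CLR 1.1.4322)..Host: www.trustar-rs.com"
    "..Content-Length: 611..Connection: Keep-Alive..Cacheeep-Alive..Cachehe"
    "..Cookie: <removedforsecurity>=QXIPUNSdmzweb104CKQOO; RANDOM_ID=f6a8759283514372bfadf7d4677bd5f0...."
)

# Constructed test inputs (hypothetical request bodies / query strings, not from the page).
CASES = {
    "posted_fragment": POSTED_FRAGMENT,
    "percent_encoded": "q=1%20select%20title%20from%20catalog%20where",  # %20 separators
    "plus_encoded": "q=select+title+from+catalog+x",                     # '+' separators
    "no_trailing_sep": "q=select+title+from",       # nothing after FROM: regex needs a separator
    "raw_spaces": "q=select title from catalog ",   # literal spaces are neither %20 nor '+'
}


def sig5474_match(data: str):
    """Return the substring signature 5474 would match, or None if it would not fire."""
    m = SIG_5474.search(data)
    return m.group(0) if m else None


def evaluate_all():
    """Run every case through the signature; useful when triaging an alert like this one."""
    return {name: sig5474_match(data) for name, data in CASES.items()}


if __name__ == "__main__":
    for name, hit in evaluate_all().items():
        print(f"{name:17s} -> {hit!r}")
```

The two negative constructed cases are the ones worth remembering when reading an alert: the signature needs an encoded separator both before SELECT and after FROM, so a match in a real alert must include those surrounding bytes, and they are not present anywhere in the quoted fragment.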

Re: Sig 5474 - Doesn't come close to packet contents

The link below will give you details about the regular expression syntax used in IPS.

http://www.cisco.com/en/US/products/hw/vpndevc/ps4077/products_command_reference_chapter09186a00804a8284.html