Cisco NetRanger not tripping customized STRINGS.TCP Signatures.

dtaylor666
Level 1

Hello, I will make this quick and simple.

I need to verify that my STRING.TCP regular expressions are working, 'MyTestStringMatchesThis'.

I've used a browser from inside my network going to google.com and searching through google for my string. I know that the browser's traffic is touching the sensor's interface because I used snoop on the promiscuous interface to see my browser's IP address. Check, I saw the traffic, but the signature did not trip.

Is there any special way I can test my new signature and trip it?

Question 2, where can I find Cisco's documentation for NetRanger's custom Signature Regular Expression Syntax?

Thanks in advance,

Dan Taylor

4 Replies

dtaylor666
Level 1

By the way, this product blows. If it can't capture one of its own built-in strings, then it truly blows. I believe I will unplug it and load snort onto the box!

wardwalk
Cisco Employee

Hi Dan, can you provide the following info?

Sensor version you're running.

The exact regex line you're using.

Thanks,

Ward.

The sensors are upgraded to version 3.1, the analyzer is version 2.2.1 running on a Sun Ultra 80.

The exact regex I am testing with is:

filomido

I have several other suspect strings on which to look, but this seemed to be the most simplistic and the best one to test with.
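One thing worth checking before blaming the sensor is whether the test string actually appears in the TCP payload in the form the regex expects, and in which direction of the conversation it appears. The script below is an added example, not code from this thread or from Cisco: it builds a constructed HTTP search request (the host, path and query parameter name are assumptions, not taken from the thread) and a constructed response, applies a literal regex such as the "filomido" and "MyTestStringMatchesThis" strings above to each direction, and reports where a match occurs. It uses Python's `re` engine, which is not the sensor's engine, so it only tells you whether the bytes on the wire contain what the pattern asks for.

```python
import re
import urllib.parse


def build_search_request(term: str, host: str = "www.example.com") -> bytes:
    """Constructed client-to-server HTTP GET whose query string carries `term`.

    Browsers URL-encode the search box contents, so a space becomes '+'
    (or '%20') before the bytes ever reach the sensor.
    """
    query = urllib.parse.urlencode({"q": term})  # 'q' is an assumed parameter name
    request = (
        f"GET /search?{query} HTTP/1.1\r\n"
        f"Host: {host}\r\n"
        "User-Agent: constructed-test-client\r\n"
        "Connection: close\r\n\r\n"
    )
    return request.encode("ascii")


def build_search_response() -> bytes:
    """Constructed server-to-client reply that does NOT echo the search term.

    A signature that only inspects the server's side of the stream would
    never see the term in this exchange.
    """
    body = "<html><body>constructed result page</body></html>"
    response = (
        "HTTP/1.1 200 OK\r\n"
        "Content-Type: text/html\r\n"
        f"Content-Length: {len(body)}\r\n"
        "Connection: close\r\n\r\n" + body
    )
    return response.encode("ascii")


def payload_matches(regex: str, payload: bytes) -> bool:
    """Apply the signature regex to a TCP payload exactly as it sits on the wire."""
    return re.search(regex.encode("ascii"), payload) is not None


def check_signature(regex: str, term: str) -> dict:
    """Report, per direction, whether `regex` would match traffic for `term`.

    `wire_query` shows the encoded form of the term so a failed match can be
    traced to encoding rather than to the sensor.
    """
    request = build_search_request(term)
    response = build_search_response()
    return {
        "wire_query": urllib.parse.urlencode({"q": term}),
        "client_to_server": payload_matches(regex, request),
        "server_to_client": payload_matches(regex, response),
    }


if __name__ == "__main__":
    for regex, term in [
        ("filomido", "filomido"),
        ("MyTestStringMatchesThis", "MyTestStringMatchesThis"),
        ("foo bar", "foo bar"),                 # literal space never appears on the wire
        (r"foo(\+|%20)bar", "foo bar"),         # pattern written for the encoded form
    ]:
        print(regex, "->", check_signature(regex, term))
```

A single-word string like "filomido" survives URL encoding unchanged and shows up only in the client-to-server request; a pattern containing a space does not match the encoded query at all unless it is written for `+` or `%20`. Whether the sensor inspects the request direction, and what its own regex syntax allows, is what the Cisco Signature Engine reference linked in the thread answers.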

Hi Dan,

Here's a link to Signature Engine information (including regexs) info for 3.0:

http://www.cisco.com/en/US/partner/products/sw/secursw/ps2113/prod_technical_reference09186a00800eea84.html

I'm not sure what you meant by indicating the analyzer is version 2.2.1. Were you referring to the Unix Director (one option for managing sensors and viewing alarms)?

In order to investigate the issue, I'll need the following info. You can email the info to me at wardwalk@cisco.com.

1. sensor type

2. output of the "nrvers" command executed on the sensor itself.

3. the packetd.conf file from /usr/nr/etc on the sensor

4. the loggerd.conf file from /usr/nr/etc on the sensor

5. the SigUser.conf file from /usr/nr/etc on the sensor

6. a description of the test/tests that you're having trouble with. (If I understand correctly, you were having trouble with a custom signature as well as a "built-in" signature.)

Thanks,

Ward.