Cisco Support Community

New Member

Cisco NetRanger not tripping customized STRINGS.TCP Signatures.

Hello, I will make this quick and simple.

I need to verify that my STRING.TCP regular expressions are working, 'MyTestStringMatchesThis'.

I've used a browser from inside my network going to google.com and searching through Google for my string. I know that the browser's traffic is touching the sensor's interface because I used snoop on the promiscuous interface to see my browser's IP address. Check, I saw the traffic, but the signature did not trip.

Is there any special way I can test my new signature and trip it?

Question 2: where can I find Cisco's documentation for NetRanger's custom signatures regular expression syntax?

Thanks in advance,

Dan Taylor

4 REPLIES
New Member

Re: Cisco NetRanger not tripping customized STRINGS.TCP Signatur

By the way, this product blows. If it can't capture one of its own built-in strings, then it truly blows. I believe I will unplug it and load snort onto the box!

Cisco Employee

Re: Cisco NetRanger not tripping customized STRINGS.TCP Signatur

Hi Dan, can you provide the following info?

Sensor version you're running.

The exact regex line you're using.

Thanks,

Ward.

New Member

Re: Cisco NetRanger not tripping customized STRINGS.TCP Signatur

The sensors are upgraded to version 3.1, the analyzer is version 2.2.1 running on a Sun Ultra 80.

The exact regex I am testing with is:

filomido

I have several other suspect strings on which to look, but this seemed to be the most simplistic and the best one to test with.

Cisco Employee

Re: Cisco NetRanger not tripping customized STRINGS.TCP Signatur

Hi Dan,

Here's a link to Signature Engine information (including regexes) for 3.0:

http://www.cisco.com/en/US/partner/products/sw/secursw/ps2113/prod_technical_reference09186a00800eea84.html

I'm not sure what you meant by indicating the analyzer is version 2.2.1. Were you referring to the Unix Director (one option for managing sensors and viewing alarms)?

In order to investigate the issue, I'll need the following info. You can email the info to me at wardwalk@cisco.com.

1. sensor type

2. output of the "nrvers" command executed on the sensor itself.

3. the packetd.conf file from /usr/nr/etc on the sensor

4. the loggerd.conf file from /usr/nr/etc on the sensor

5. the SigUser.conf file from /usr/nr/etc on the sensor

6. a description of the test/tests that you're having trouble with. (If I understand correctly, you were having trouble with a custom signature as well as a "built-in" signature.)

Thanks,

Ward.
