Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Community Member

IDS 4.0 Custom signature - cacthing an URL

Hi,

can anybody help me with what I thought it was a simple task but it happend to be a little more than that. I want to see an alarm when somebody is trying to browse the following URL: http://www.vasco.si/oddaljeno_delo.htm . Thanks.

1 ACCEPTED SOLUTION

Accepted Solutions
Bronze

Re: IDS 4.0 Custom signature - cacthing an URL

This will require a two step process. First, create a custom signature looking for the URI in question. For 3.x sensors, use the STATE.HTTP engine. For 4.0 sensors, use the SERVICE.HTTP engine. You'll fill in the UriRegex with '/oddaljeno_delo.htm'. This may be all you need. However, if you want to be exact, you'll need to create an alarm filter to only match on the IP address for the website in question. Please consult the IDS documentation for information on how to do this step.

3 REPLIES
Community Member

Re: IDS 4.0 Custom signature - cacthing an URL

s

Bronze

Re: IDS 4.0 Custom signature - cacthing an URL

This will require a two step process. First, create a custom signature looking for the URI in question. For 3.x sensors, use the STATE.HTTP engine. For 4.0 sensors, use the SERVICE.HTTP engine. You'll fill in the UriRegex with '/oddaljeno_delo.htm'. This may be all you need. However, if you want to be exact, you'll need to create an alarm filter to only match on the IP address for the website in question. Please consult the IDS documentation for information on how to do this step.

Community Member

Re: IDS 4.0 Custom signature - cacthing an URL

Thanks. It solved my problem. I tried with the whole URL and it didn't work, now with only the last couple of letters it works just fine.

92
Views
0
Helpful
3
Replies
CreatePlease to create content