Cisco Support Community
Community Member

IDSM string signature matching

I am trying to set up a string expression to look for a certain keyword in a TCP data stream. Tried so far without any luck. Can anybody shed some light here?

IDSM 3.0.5 with CSPM 2.3.3i.

The keyword is "kzcount"

Here is what I have:

"[Kk][Zz][Cc][Oo][Uu][Nn][Tt].*" port 80 To&From

Is that right? Thanks

Cisco Employee

Re: IDSM string signature matching

Remove the .* from the end of the regular expression.

Also try removing the From for the direction. Trying to match a regular expression in traffic coming From your web server will significantly slow the performance of the IDSM. The IDSM has multiple signatures for traffic going To the web server, but by default no signatures for traffic From a web server because of the performance hit.

This is because of the huge amounts of traffic that are generated by web servers serving out jpgs, mpgs, etc. When you put in a regular expression like this, the IDSM now has to sift through all of that binary traffic looking for a match.

If it still doesn't work, then try changing port 80 to port 23 for a quick test. Then you can try a telnet session with kzcount typed and see if it fires. If it fires on telnet then move it back to port 80 and try it on port 80 again.

Community Member

Re: IDSM string signature matching

I cannot really use Telnet, since it sends each character individually. I will try to use a different telnet program or one from a router so I can change the dispatch.

I also tried your suggestion, just "[Kk][Zz][Cc][Oo][Uu][Nn][Tt]" (exactly like that, even the quotes), then I tried to reload this page, since it contains the word kzcount. Still cannot see it.

Does string matching work properly in the IDSM blade?
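As an added illustration of the point raised in the last post (this is example code, not part of the thread or of any Cisco product): a character-at-a-time telnet session spreads the keyword across many TCP segments, so a sensor that matches each segment on its own never sees the whole string, while one that reassembles the stream before matching does. Segments are modelled as constructed (sequence number, payload) tuples.

```python
import re

# The case-insensitive pattern from the thread, with the trailing ".*" removed
# as the Cisco engineer suggested (it adds nothing to a search-style match).
KEYWORD_RE = re.compile(rb"[Kk][Zz][Cc][Oo][Uu][Nn][Tt]")


def match_per_segment(segments):
    """Inspect each TCP segment payload in isolation (no reassembly)."""
    return any(KEYWORD_RE.search(payload) for _seq, payload in segments)


def reassemble(segments):
    """Order segments by sequence number and concatenate their payloads,
    dropping retransmitted bytes. Constructed, simplified model of the
    reassembly a sensor must do before matching; gaps are not tracked."""
    stream = b""
    expected = None
    for seq, payload in sorted(segments, key=lambda s: s[0]):
        end = seq + len(payload)
        if expected is None:
            expected = seq
        if end <= expected:            # full retransmission: nothing new
            continue
        if seq < expected:             # partial overlap: keep only new bytes
            payload = payload[expected - seq:]
        stream += payload
        expected = end
    return stream


def match_reassembled(segments):
    """Match the keyword against the reassembled byte stream."""
    return KEYWORD_RE.search(reassemble(segments)) is not None


def char_by_char(text, start_seq=1000):
    """Constructed telnet-style traffic: one TCP segment per typed byte."""
    return [(start_seq + i, bytes([b])) for i, b in enumerate(text)]


if __name__ == "__main__":
    telnet = char_by_char(b"kzcount\r\n")
    browser = [(1, b"GET /?q=KzCount HTTP/1.0\r\n")]
    print("telnet, per segment :", match_per_segment(telnet))    # False
    print("telnet, reassembled :", match_reassembled(telnet))    # True
    print("browser, per segment:", match_per_segment(browser))   # True
```

The same split happens whenever a keyword straddles a segment boundary, not only with telnet, which is why a sensor's reassembly behaviour matters as much as the regular expression itself.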
