Re: Cisco IPS 5.1

From: Sanjay R <2sanjayr_at_gmail.com>
Date: Thu, 23 Nov 2006 09:15:43 +0530

Hi Velasquez:
If it is only the string "Content-type:application/x-msn-messenger"
that you are interested in, then why do you want to go for a regular
expression? Whether it is Cisco or Snort or any matching device,
regular expressions are costlier than a fixed-string search. Therefore,
if Cisco provides a string search like Snort does, I would go for the
fixed-string search. In Snort's format, your rule should look
like:
-------------
# sid and the cve reference are left as the author's placeholders; Snort needs a
# numeric sid (local rules use 1000000 and up) before this rule will load.
alert tcp $INTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( \
    msg:"WEB-Based MSN IM Access"; \
    flow:to_server,established; \
    content:"Content-type:application/x-msn-messenger"; nocase; \
    reference:bugtraq,2492; \
    reference:cve,2006-0000; \
    classtype:web-application-attack; \
    sid:Not_defined; rev:0; \
)
---------------
I think you can always convert the above rule to your Cisco format.

thanks
-Sanjay

On 11/22/06, Velasquez Venegas Jaime Omar <jaime_at_ulima.edu.pe> wrote:
> Hi Gary
>
> Thank you for your answer. The signature I'm trying to build is one that
> catches the MSN messenger client on http ports.
> I know there are already two signatures in Cisco IPS but they detect the
> msn messenger application on tcp/1863 or through a proxy which is not my
> case because although they have been applied, on my tests my msn clients
> still connect to the service through http ports so that's basically the
> reason to build a customized signature to detect http sessions with the
> following content in http header: Content-type:
> application/x-msn-messenger\r\n which is what my wireshark capture got
> on a regular msn session.
>
> I tried the header regex setting it to catch specifically this string:
> "application/x-msn-messenger" but it didn't work so there's something I
> am missing.
>
> Thank you again
>
>
>
> -----Original Message-----
> From: Gary Halleen (ghalleen) [mailto:ghalleen_at_cisco.com]
> Sent: Tuesday, 21 November 2006 04:21 p.m.
> To: Velasquez Venegas Jaime Omar; focus-ids_at_securityfocus.com
> Subject: RE: Cisco IPS 5.1
>
> Velasquez,
>
> There are several ways to use Regex, or Regular Expressions, in a
> Cisco IPS signature. Here are the ways to use it with the service-http
> engine:
>
> 1. URI Regex: Regular expression to search in the URI field. The URI
> field is defined as after the HTTP method (i.e. GET, POST) and before
> the first CRLF.
>
> 2. Arg Name Regex: Regular expression to search in the HTTP arguments
> field (variable names within form input, for instance). This is defined
> as after the '?' and in the entity body as defined by Content-Length.
>
> 3. Arg Value Regex: Regular expression to search in the HTTP arguments
> field after Arg Name Regex is matched. This is searching on the value
> defined by the variable name, above.
>
> 4. Header Regex: Regular expression to search in the HTTP header. The
> header is defined as after the first CRLF, but before CRLFCRLF.
>
> 5. Request Regex: Regular expression to search in both the HTTP URI
> and HTTP arguments fields.
>
> In addition to these regex values, you can also specify maximum lengths
> of URI, arguments, header, and request.
>
> If you have specific things you're looking for, I'd be more than happy
> to help you with the signature. Additionally, our TAC is able to assist
> in custom signature creation.
>
> Gary
>
>
> -----Original Message-----
> From: listbounce_at_securityfocus.com [mailto:listbounce_at_securityfocus.com]
> On Behalf Of Velasquez Venegas Jaime Omar
> Sent: Tuesday, November 21, 2006 4:35 AM
> To: focus-ids_at_securityfocus.com
> Subject: Cisco IPS 5.1
>
> I'm trying to build a customized signature on Cisco IPS 5.1 so it can
> detect a specific content-type in the http header.
> I did my research and found that I should use an http inspection engine
> built in Cisco IPS and a command called regex.
> An example of this would be very helpful.
>
> Thanks
>
>
>
> ------------------------------------------------------------------------
> Test Your IDS
>
> Is your IDS deployed correctly?
> Find out quickly and easily by testing it with real-world attacks from
> CORE IMPACT.
> Go to
> http://www.coresecurity.com/index.php5?module=Form&action=impact&campaign=intro_sfw
> to learn more.
> ------------------------------------------------------------------------

-- 
PhD
Intoto Softwares, Hyderabad, India
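As an added illustration (not code from the thread, from Cisco or from the Snort project), the following Python shows the two ideas the replies above turn on: the header field as Gary defines it for the service-http engine (after the first CRLF, before CRLFCRLF) and the fixed-string versus regex check that Sanjay compares. The sample requests are constructed, with placeholder hostnames and paths. One detail worth noticing: the capture Velasquez quotes shows "Content-type: application/x-msn-messenger" with whitespace after the colon, while the rule body quotes the string without it, so both checks below parse the header instead of relying on an exact raw substring.

```python
import re

# Constructed sample requests (not from the thread's capture). Hostnames and
# paths are placeholders; only the Content-Type header matters here.
MSN_REQUEST = (
    b"POST /gateway HTTP/1.1\r\n"
    b"Host: msn-gateway.example.net\r\n"
    b"Content-Type: application/x-msn-messenger\r\n"
    b"Content-Length: 11\r\n"
    b"\r\n"
    b"VER 1 MSNP8"
)
MSN_REQUEST_NOSPACE = (
    b"POST /gateway HTTP/1.1\r\n"
    b"content-type:APPLICATION/X-MSN-MESSENGER\r\n"
    b"\r\n"
)
BENIGN_REQUEST = (
    b"POST /login HTTP/1.1\r\n"
    b"Host: www.example.com\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"\r\n"
    b"user=alice"
)
# The string appears only in the body here: a header-scoped match must not fire.
BODY_ONLY_REQUEST = (
    b"POST /upload HTTP/1.1\r\n"
    b"Content-Type: text/plain\r\n"
    b"\r\n"
    b"Content-Type: application/x-msn-messenger"
)

MSN_TYPE = b"application/x-msn-messenger"


def split_request(raw: bytes):
    """Split a raw request using the boundaries from Gary's reply: the request
    line runs up to the first CRLF, the header field is everything after it up
    to CRLFCRLF, and the remainder is the entity body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    request_line, _, header_block = head.partition(b"\r\n")
    return request_line, header_block, body


def parse_headers(header_block: bytes) -> dict:
    """Map lower-cased header names to stripped values, so that
    'Content-Type: x' and 'content-type:x' compare equal."""
    headers = {}
    for line in header_block.split(b"\r\n"):
        if not line:
            continue
        name, _, value = line.partition(b":")
        headers[name.strip().lower()] = value.strip()
    return headers


def match_fixed(raw: bytes) -> bool:
    """Fixed-string, case-insensitive check scoped to the header field
    (the cheaper approach Sanjay recommends)."""
    _, header_block, _ = split_request(raw)
    ctype = parse_headers(header_block).get(b"content-type", b"")
    return ctype.lower().startswith(MSN_TYPE)


# Equivalent header regex: anchored to a line start and tolerant of optional
# whitespace after the colon. re.M makes ^ match after every CRLF.
HEADER_RE = re.compile(rb"^content-type:\s*application/x-msn-messenger", re.I | re.M)


def match_regex(raw: bytes) -> bool:
    """Regex check over the header field only, never the body."""
    _, header_block, _ = split_request(raw)
    return HEADER_RE.search(header_block) is not None


def is_client_request(raw: bytes) -> bool:
    """Cheap stand-in for Snort's flow:to_server: the request line begins
    with an HTTP method token."""
    request_line, _, _ = split_request(raw)
    return request_line.split(b" ", 1)[0] in (b"GET", b"POST", b"HEAD", b"PUT")


def classify(raw: bytes) -> dict:
    """Summarise what each check says about one request."""
    return {
        "to_server": is_client_request(raw),
        "fixed": match_fixed(raw),
        "regex": match_regex(raw),
    }


if __name__ == "__main__":
    samples = [("msn", MSN_REQUEST), ("msn-nospace", MSN_REQUEST_NOSPACE),
               ("benign", BENIGN_REQUEST), ("body-only", BODY_ONLY_REQUEST)]
    for name, sample in samples:
        print(name, classify(sample))
```

Whatever engine ends up running the signature, the two properties shown here are what to verify against a capture: that the match is scoped to the header field rather than the whole payload, and that it fires on both spacing and case variants of the header without firing on a benign Content-Type.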
Received on Nov 23 2006