Filter
Top Products
8-44
Cisco Intrusion Prevention System CLI Sensor Configuration Guide for IPS 7.1
OL-19892-01
Chapter 8 Defining Signatures
Creating Custom Signatures
no
-----------------------------------------------
-----------------------------------------------
-----------------------------------------------
regex-string: This-is-my-new-Sig-regex
service-ports: 23
direction: to-service default: to-service
specify-exact-match-offset
-----------------------------------------------
no
-----------------------------------------------
specify-max-match-offset
-----------------------------------------------
no
-----------------------------------------------
-----------------------------------------------
-----------------------------------------------
specify-min-match-offset
-----------------------------------------------
no
-----------------------------------------------
-----------------------------------------------
-----------------------------------------------
-----------------------------------------------
-----------------------------------------------
swap-attacker-victim: false <defaulted>
-----------------------------------------------
sensor(config-sig-sig-str)#
Step 13 Exit signature definition submode.
sensor(config-sig-sig-str)# exit
sensor(config-sig-sig)# exit
sensor(config-sig)# exit
Apply Changes:?[yes]:
Step 14 Press Enter to apply the changes or enter no to discard them.
Example Service HTTP Engine Signature
The Service HTTP engine is a service-specific string-based pattern-matching inspection engine. The
HTTP protocol is one of the most commonly used in networks of today. In addition, it requires the most
amount of preprocessing time and has the most number of signatures requiring inspection making it
critical to the overall performance of the system.
The Service HTTP engine uses a Regex library that can combine multiple patterns into a single
pattern-matching table allowing a single search through the data. This engine searches traffic directed
only to web services, or HTTP requests. You cannot inspect return traffic with this engine. You can
specify separate web ports of interest in each signature in this engine.
HTTP deobfuscation is the process of decoding an HTTP message by normalizing encoded characters
to ASCII equivalent characters. It is also known as ASCII normalization.
Before an HTTP packet can be inspected, the data must be deobfuscated or normalized to the same
representation that the target system sees when it processes the data. It is ideal to have a customized
decoding technique for each host target type, which involves knowing what operating system and web
server version is running on the target. The Service HTTP engine has default deobfuscation behavior for
the Microsoft IIS web server.