Cisco Systems IPS4510K9 manual Example Service Http Engine Signature

Chapter 7 Defining Signatures

Creating Custom Signatures

Example Service HTTP Engine Signature

The Service HTTP engine is a service-specific string-based pattern-matching inspection engine. The HTTP protocol is one of the most commonly used in networks of today. In addition, it requires the most amount of preprocessing time and has the most number of signatures requiring inspection making it critical to the overall performance of the system.

The Service HTTP engine uses a Regex library that can combine multiple patterns into a single pattern-matching table allowing a single search through the data. This engine searches traffic directed only to web services, or HTTP requests. You cannot inspect return traffic with this engine. You can specify separate web ports of interest in each signature in this engine.

HTTP deobfuscation is the process of decoding an HTTP message by normalizing encoded characters to ASCII equivalent characters. It is also known as ASCII normalization.

Before an HTTP packet can be inspected, the data must be deobfuscated or normalized to the same representation that the target system sees when it processes the data. It is ideal to have a customized decoding technique for each host target type, which involves knowing what operating system and web server version is running on the target. The Service HTTP engine has default deobfuscation behavior for the Microsoft IIS web server.

The following options apply:

•de-obfuscate {true false}—Applies anti-evasive deobfuscation before searching.

•default—Sets the value back to the system default setting.

•event-action—Specifies the action(s) to perform when alert is triggered:

–deny-attacker-inline(inline only)—Does not transmit this packet and future packets from the attacker address for a specified period of time.

–deny-attacker-service-pair-inline(inline only)—Does not transmit this packet and future packets on the attacker address victim port pair for a specified period of time.

–deny-attacker-victim-pair-inline(inline only)—Does not transmit this packet and future packets on the attacker/victim address pair for a specified period of time.

–deny-connection-inline(inline only)—Does not transmit this packet and future packets on the TCP flow.

–deny-packet-inline(inline only)—Does not transmit this packet.

–log-attacker-packets—Starts IP logging of packets containing the attacker address.

–log-pair-packets—Starts IP logging of packets containing the attacker-victim address pair.

–log-victim-packets—Starts IP logging of packets containing the victim address.

–produce-alert—Writes the event to the Event Store as an alert.

–produce-verbose-alert—Includes an encoded dump (possibly truncated) of the offending packet in the alert.

–request-block-connection—Sends a request to the ARC to block this connection.

–request-block-host—Sends a request to the ARC to block this attacker host.

–request-rate-limit—Sends a rate limit request to the ARC to perform rate limiting.

–request-snmp-trap—Sends a request to the Notification Application component of the sensor to perform SNMP notification.

–reset-tcp-connection—Sends TCP resets to hijack and terminate the TCP flow.