RE: Cisco "String Signature" oddity...
From: Christian Williams (williamsc@sc.wareonearth.com)
Date: 11/29/01
- In reply to: Mark Amos: "Cisco "String Signature" oddity..."
From: "Christian Williams" <williamsc@sc.wareonearth.com>
To: "Mark Amos" <mark.amos@toast.net>, <focus-ids@securityfocus.com>
Subject: RE: Cisco "String Signature" oddity...
Date: Thu, 29 Nov 2001 17:14:15 -0500
Message-ID: <GOEKJKJBABNPOMHMFGIECEOHCDAA.williamsc@sc.wareonearth.com>
Mark,
Here's a link from Cisco's last IDS Bulletin where you can see how to
create custom string sigs. I highly recommend signing up for this bulletin
as Cisco also uses it for attack signature update notifications.
http://www.cisco.com/univercd/cc/td/doc/product/iaabu/csids/csids6/index.htm
Regards,
Christian Williams
Network Security Engineer
WareOnEarth Communications, Inc.
mailto: williamsc@sc.wareonearth.com
office: 843-218-5306
mobile: 843-296-6654
http://www.wareonearth.com
> -----Original Message-----
> From: Mark Amos [mailto:mark.amos@toast.net]
> Sent: Thursday, November 29, 2001 4:25 PM
> To: focus-ids@securityfocus.com
> Subject: Cisco "String Signature" oddity...
>
>
>
> I've been trying to set up a "String Signature" but can't get
> it to fire, for some reason. The Cisco documentation says that
> the string matching is done with regular expressions, but there
> doesn't appear to be a document describing what the regular expression
> syntax is for the product (CSPM).
>
> I'm trying to detect the string ".pif" on port 80 as a test.
> Here are the "regular expressions" I've tried, with no success...
>
> .*\.pif$
> \.pif$
> [.]pif
>
> (I found some documentary evidence that the [] act as an escape
> for special characters in their regular expression syntax.)
>
> Anyone have any advice (or a link to somewhere that defines Cisco's
> IDS regular expression syntax)? I couldn't find it on their web
> site.
>
> I'm using CSPM 2.3.3 talking to a 4210 probe running 2.5(0)S0
>
> Thanks in advance,
>
> Mark