stemax1
Level 8

Custom Attack with UserAgent IPS rules NSP

Hi,

I need help with this question:

I have to create an IPS signature in my NSP IPS environment, NSM 8.1.

The signature must take control of the "user-agent" that I have to inspect and possibly block.

How can I build it as a custom one? Do you have a few examples that I can import?

0 Kudos
4 Replies
d_aloy
Level 12

Re: Custom Attack with UserAgent IPS rules NSP

Hi Stefano

Have a look at the IPS Policy/default, search for "HTTP: Malicious User Agent Detected" and have a look at the description.

You will see that "http-req-user-agent-header matches" XXX is the field you want to focus on - make sure you select HTTP as the protocol matching criteria.

Regards

David

0 Kudos
stemax1
Level 8

Re: Custom Attack with UserAgent IPS rules NSP

Hi D_aloy,

Many tnx. I have the default policy as "Default Prevention" and I don't have the signature "HTTP: Malicious User Agent Detected".

I solved it with a "snort" rule but it would be great if I could create a rule in McAfee format.

Regards.

Stefano

0 Kudos
d_aloy
Level 12

Re: Custom Attack with UserAgent IPS rules NSP

Hi Stefano

It should not be difficult to create the UDS.

Regards

David

stemax1
Level 8

Re: Custom Attack with UserAgent IPS rules NSP

Many many tnx. I will immediately try to do some policy.

Best best regards

0 Kudos