IPS custom signature to filter email domain

Using IPS 5.0.
I'm creating a custom signature on SMTP using State Name: SMTP Commands.
My question:
1. On the Regex String, what should I key in to disable any users from the sex.com domain from sending me email? I have keyed in
[Mm][Aa][Ii][Li][\t][Ff][Rr][Oo][Mm]:^.@[Ss][Ee][Xx].[Cc][Oo][Mm]
but I don't think this is correct... am I?
2. In the State Name(SMTP), they have
Abort, Mail Body, Mail Header, SMTP Commands and Start. Can anyone provide the information (URL) and example of how to use these....
Thanks in advance...

The documentation for 5.1 is located at:
http://www.cisco.com/en/US/customer/products/hw/vpndevc/ps4077/products_configuration_guide_book09186a008055de07.html
I believe the regex you want is:
[Mm][Aa][Ii][Ll][\t][Ff][Rr][Oo][Mm][:][\x21-\x7E]+[@][Ss][Ee][Xx].[Cc][Oo][Mm]
The + field allows for any printable characters (but there must be at least 1) in the sender's email address. You should use the SMTP state machine with the SMTP Commands state set, direction to service port 25.
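
The two patterns from this thread checked against constructed SMTP command lines, as an added example that is not part of the original posts. Python's `re` module stands in for the sensor's regex engine (an assumption; confirm on the sensor), and `TIGHTENED` is a hypothetical variant, not a Cisco-supplied signature.

```python
import re

# Patterns copied verbatim from the thread (question, then reply).
ASKED = r"[Mm][Aa][Ii][Li][\t][Ff][Rr][Oo][Mm]:^.@[Ss][Ee][Xx].[Cc][Oo][Mm]"
REPLIED = (r"[Mm][Aa][Ii][Ll][\t][Ff][Rr][Oo][Mm][:][\x21-\x7E]+"
           r"[@][Ss][Ee][Xx].[Cc][Oo][Mm]")
# Hypothetical tightened variant (assumption, not from the thread):
#  - [ \t]+ accepts the single space RFC 5321 puts in "MAIL FROM:"
#  - [.] makes the dot literal instead of "any character"
#  - the trailing group stops the match from ending inside a longer domain
TIGHTENED = (r"[Mm][Aa][Ii][Ll][ \t]+[Ff][Rr][Oo][Mm]:[ \t]*[\x21-\x7E]+"
             r"@[Ss][Ee][Xx][.][Cc][Oo][Mm]>?([ \t\r\n]|$)")

# Constructed SMTP command lines: (line, should the signature fire?)
SAMPLES = [
    ("MAIL FROM:<bob@sex.com>", True),            # space-separated form
    ("MAIL\tFROM:<bob@sex.com>", True),           # tab-separated form
    ("mail from:<BOB@SEX.COM> SIZE=2048", True),  # lower case, ESMTP parameter
    ("MAIL FROM:<bob@sexycom.example>", False),   # different domain
    ("MAIL\tFROM:<bob@sexycom.example>", False),  # same, tab-separated
    ("MAIL FROM:<bob@sex.com.example.net>", False),
    ("MAIL FROM:<alice@example.org>", False),
]


def evaluate(pattern):
    """Return the sample lines a pattern misses and the ones it wrongly hits."""
    rx = re.compile(pattern)
    missed, false_hits = [], []
    for line, should_fire in SAMPLES:
        fired = rx.search(line) is not None  # the sensor scans the stream
        if should_fire and not fired:
            missed.append(line)
        elif fired and not should_fire:
            false_hits.append(line)
    return {"missed": missed, "false_hits": false_hits}


if __name__ == "__main__":
    for name in ("ASKED", "REPLIED", "TIGHTENED"):
        print(name, evaluate(globals()[name]))
```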

Similar Messages

  • WLC IPS custom signature file

    Hi,
    Where can I download the WLC IPS custom signature file? Does WLC support OpenLDAP for user web or 802.1x authentication?
    Best Regards,
    Jackson Ku


  • Skip mail signature for internal emails (same domain as me)?

    Is it possible to set up the signature in Apple Mail (3.5) to be attached to all email EXCEPT for those going to internal recipients -- those that use the same email domain as myself?

    Sorry to break the bad news here..
    Since they are in the same Exchange org, it would be impossible to send it through an external relay server before the other user gets it.
    Transport rule does not have an option to send it through an external relay if any conditions match. In fact, transport rule cannot control any routing behavior except modify some recipients.
    This will be possible only by creating another org for newdomain.com users and using a smart host to send between each other.

  • Using IPS 6.3 customized signatures in CS MARS

    A client has a Cisco IPS 6.3 module installed in a Catalyst 6500, *with fully customized signatures* which generate thousands of alerts clearly visible in its IPS Event Viewer.
    MARS is pulling info from that IPS, but the customized signatures do not appear in any Incident. Is it possible for MARS to pull all those customized signatures??
    Thanks in advance

    The first step is to get MARS to parse the event. The next step is to create the necessary inspection rules.
    You can start here:
    http://ciscomars.blogspot.com/2008/03/custom-ips-signatures-with-cisco-mars.html

  • C370 control between internal email domains

    Hi All,
    I have a customer where they have a few internal mail servers and the mail servers' email gateways are pointed to the C370 IronPort.
    They have a special requirement where they would like to block certain users from one mail server to be communicating with a set of people in another mail server.
    They also have requirements like certain users can only send email to other certain users in another internal email domain.
    Example:
    a) [email protected] can only email [email protected]
    b) [email protected] cannot send emails to [email protected]
    What I did is create mail policies for each requirement. For a) what I did is “allow from [email protected] to [email protected]”; then “deny [email protected] to any email domain”. As for b), what I did was “deny from [email protected] to [email protected]”; then “allow from [email protected] to any email domains”.
    My question is:
    1. Do I apply these policies on the incoming mail policies or outgoing? Taking into consideration I have a 2-data port topology where data-1 is configured to face the internet (public) and data-2 is facing the LAN (private)
    2. Will my mail policy work?
    Many thanks.

    Hi Andreas,
    Because I want to block [email protected] from sending email to [email protected] only, I will have to define specific policies that drop [email protected] to [email protected], then allow [email protected] to every other email. Something like firewall rules performing specific deny and allow any any at the last line.
    I performed some internal testing and I realized that in order to specifically block from [email protected] to [email protected], I have to define sender = [email protected] in the outgoing mail policy and [email protected] in the outgoing mail filter under filter = envelope recipient; action = drop (or vice versa). Otherwise, if I place sender = [email protected] and recipient = [email protected] in the mail policy, any email from [email protected] OR to [email protected] will hit the policy.
    I feel that this is kind of brainless to do such a thing and will add operational complexity. Unfortunately, my customer has a very strict security environment. I did say the same thing to him. "Why don't control on the server end?". He replied "what if my servers get compromised?"
    Hope you can understand my explanation. Thanks.

  • Custom signature

    I have scanned my handwritten signature for use with emails. I have been able to add this to my Outlook emails in my office on a PC but have not been able to figure out how to create a custom signature for my iPhone & iPad.
    Rob

    step 1: send your handwritten signature from your PC to your iphone and ipad.
    step 2: on your iphone and ipad, hold the picture and select copy
    step 3: Go to Settings > Mail, contacts and Calendars > Signature and paste the picture
    Done

  • Adding custom signature to Mail

    I know this has GOT to be easy, but I am totally stumped. I have several email accounts, and have signatures set up for each in preferences. My problem is that I just cannot figure out how to have my signature use any other font besides the default font. It is driving me nuts. I've even tried creating it how I want in Pages, and copying/dragging it into the signature, and it keeps changing the font to the default Helvetica.
    Any ideas?

    In the Signature preferences be sure you have not checked the box to "Match the font ...." Also, be sure you have configured Mail to use Rich Text rather than plain text. This is done in Mail's Composing preferences.
    If you still have problems here are two possible solutions. One is to create your custom signature in an HTML editor. A simple editor that would work is Level4 - VersionTracker or MacUpdate. Then paste the resulting HTML code for your signature into the Signature preferences in Mail. The other would be to create your signature in Pages, for example, and output a PDF file. You can then insert the PDF file as your signature.

  • Custom signature for TOR Application

    Hi,
    I want to create a custom signature to produce an alert whenever any machine launches the TOR application. I have searched and found that there are already two signatures created, 5816/0 and 5816/1. I have enabled them and tested; they did not fire.
    I have the IPS in promiscuous mode monitoring all VLANs, working normally. I don't have SSL interception at any device, so once TOR is established I don't have visibility over the traffic.
    I need help in creating such a signature. I have taken a Wireshark capture of the traffic and all I can see on the application layer is proxy connect and proxy port (see attached).
    Thanks for your help.

    Hi nkumarsr,
    I have created a TCP string signature for ports 9001, 9090
    and I have also added it in the built-in signatures 5816/0 and 5816/1.
    I have launched TOR and it is not fired. I took a capture on the client PC and searched for tcp.port == 9001 and 9090; it is not showing.
    Do you have any other ideas?

  • Email Forwarding to .email domain

    I am trying to forward my comcast email to a new [email protected] address.  I have a domain name email address using the relatively new .email domain extension.  But when I input the new .email address it asks for a valid email name.  Is there another way to forward?

    udall60 wrote:
    I am trying to forward my comcast email to a new [email protected] address.  I have a domain name email address using the relatively new .email domain extension.  But when I input the new .email address it asks for a valid email name.  Is there another way to forward?

    Use an Email Filter criteria that will match every email and then set the action on a hit to forward the email. If you want to keep a local copy set up two actions, one of which will be to "keep in inbox".

  • Custom signature in CSM3.0 for IDSM2 with IPS5.1

    I am trying to add a custom signature in CSM3.0 for IDSM2, which is running IPS5.1 in a Cat6500. I am using the custom
    wizard to create the custom signature (say "sweep"). Under signature, IPS5.x, I could see the created custom signature, but when the signature triggers, IPS event viewer shows only the old (built-in sweep) signature ID and not the customized one.
    Just to test the changes in effect,
    I tried to change the event level, say "low" to "high", for one of the built-in signatures (sweep 2100) by editing the same. Display shows the changed level, but when the signature triggers the IPS event viewer shows the level as "low" instead of "high".
    I also tried enabling the check box for the option "retire".
    How do I create and test the customized signature? I tried with both IDM and CSM3.0. Any suggestions...

    The custom headers and client IP and port headers are inserted in every HTTP request packet. Full session headers and decoded client certificate fields are inserted in the first HTTP request packets; only the session ID is inserted in subsequent HTTP requests that use the same session ID. The servers are expected to cache the session or client certificate headers based on the session ID and use the session ID in subsequent requests to get the session and client certificate headers.

  • Signature Fields not taking info (In custom signature)

    When creating a custom signature
    - there are fields that will not let you enter info -
    then you may not submit your signature, because fields are missing.
    1. Is Nickname
    2. Email address
    I was under Business signature
    Thank you

    My "problem" seems to have solved itself. Very strange. What I did at my first attempt was to clone several custom signatures from a single custom rule in the IDSM. The first rule worked in MARS but not the others; the only difference was that the later rules were created as subsignatures and imported into MARS as such. When that didn't work I tried to create the IDS rules as separate rules instead of subsignatures and reimport them into MARS, no luck there either.
    I removed my custom signatures from the IDSM and left everything for the weekend. When I returned this Monday and reentered the signatures into the IDSM and tried them out, MARS managed to parse them correctly, and even put them into the correct event group.
    I've no idea what I've done differently but it's all working fine now.
    /Fredrik

  • How to "whitelist" email domain

    I recently got a HP 8500A with ePrint capablities. I want to limit the people that can send to the printer by email using the email filtering.
    Is there any way to add an email domain? Is there a wildcard character to use to allow all users in a domain to send to the printer (eg *.business.net or ?.business.net)? I want to avoid having to add all the different email addresses independently and then try to keep it updated as the users on the domain change.

    Hey Amnestic!
    At this time, no. Currently the only way to add people to the authorized user list is per email address. I don't know whether this will change in the future but if it does, the information will more than likely be posted here on these forums. One thing I can tell you is that our spam filter is quite strict so if you'd like to set it to 'Everyone' you shouldn't receive any spam.
    Hope this helps!
    If I have solved your issue, please feel free to provide kudos and make sure you mark this thread as solution provided!
    Although I work for HP, my posts and replies are my own opinion and not those of HP.

  • UME - force email domain

    Hi UME gurus,
    I have a request from a customer: when the user has to reset the password from the portal, an email is sent to him. I would like to change the email domain before sending the email if it corresponds to some requirement. Actually the email domain address has changed from "my-company.com" to "company.com".
    It means we should avoid that users enter the previous domain by forcing it to the new one. 
    Do you know if such configuration is doable in UME ? Is there any kind of solution for this ?
    Thank you
    Hadrien

    Hi Hadrien
    The above answer should be correct, please refer to this link if you are not familiar with editing UME properties.
    http://help.sap.com/saphelp_nw70ehp1/helpdata/en/0b/50ad3e1d1edc61e10000000a114084/content.htm
    And check the current setting for "ume.notification.mail_host" which should be "xxx.my-company.com" or an IP address.
    Please try to change this to "xxx.company.com", restart the system, and check whether it works as you expect.
    Sometimes as far as I experience, you will have to set the parameter to the IP address, in this case, please help to check with your network admin and the SMTP server's settings.
    Thanks and best regards,
    Thunder

  • CUP AD domain and email domain

    Hi,
    I'm installing CUP 8.6 and CUCM 8.6 with AD and Exchange 2010 schedule integration.
    AD domain is domain.local, so user ID is [email protected]
    but email domain is customer.com, so mail address is [email protected]
    When we configure email address domain  in AD same as AD domain
    schedule integration works just fine.
    AD user: [email protected]
    user email in AD: [email protected]
    However, when we change the AD email address to the email domain
    it doesn't sync the schedule anymore.
    AD user: [email protected]
    user email in AD: [email protected]
    From my reading and test,
    I noticed CUPS use the AD email ID to fetch the schedule from Exchange;
    it doesn't see the account name, so if I configure like the following, userA CUPC shows userB's schedule.
    AD user: [email protected]
    user email in AD: [email protected]
    Now, if I change "BusinessEMail" to "otherMailbox" from Application -> Cisco Unified Personal Communicator -> Settings.
    and configure like following, schedule works fine, and CUPC user email shown properly.
    AD user: [email protected]
    user email in AD: [email protected]
    user otherMailbox in AD: [email protected]
    However, the email in AD will be an incorrect address,
    and this field will be referred to by other systems, so I don't want to change it.
    Is there any way to configure CUPS to refer to "otherMailbox" for scheduling?
    Or any other workaround?
    Thanks in advance.
    Regards,

    The nearest I can see that you would get to this using .Mac is - [email protected]@mac.com.
    You would be creating an alias in Mac Mail preferences and directing this to your Mac mail. You have the option to color code all messages to this "alias". so that they stand out from your regular mail.
    If you publish to a commercial server you will be able to have the email address that you want.
    If you are running a commercial site you more or less have to do this. .Mac is not reliable enough, nor fast enough for a commercial site and, apparently, we are not allowed to use it for that purpose.
    Having said that, if you do, you will not be alone!
    I don't run any commercial sites from .Mac for the reasons given plus a few more but you only have to look at some of the sites showcased in this forum to see that a lot of people do.

  • S492 : Bad Custom Signature ID ... [5577]

    Hi,
    I've implemented signature update S492, but apparently there is a problem with the new signature 5577.1 : SMB Secure NULL Login Attempt . During the upgrade process run from our CSM V3.3.1, the deployment manager returns an error :
    instance=sig0:unspecifiedError:Bad Custom Signature ID ... [5577].  Can not create a custom signature with sig-id < 60000
    When I verify on the sensors themselves, this new signature is nowhere to be found.
    Best regards.

    Signature# 5577 is a new signature from s492 signature update:
    http://www.cisco.com/web/software/282549755/34252/IPS-sig-S492.readme.txt
    Do you happen to have a custom signature with sig# 5577 by any chance?
    If you don't, then you might want to open a TAC case as it might be a new bug.
