WLC IPS custom signature file

Hi,
Where can I download the WLC IPS custom signature file? Is WLC support openLdap for user web or 802.1x authentication?
Best Regards,
Jackson Ku

The documentation for 5.1 is located at:
http://www.cisco.com/en/US/customer/products/hw/vpndevc/ps4077/products_configuration_guide_book09186a008055de07.html
I believe the regex you want is:
[Mm][Aa][Ii][Ll][\t][Ff][Rr][Oo][Mm][:][\x21-\x7E]+[@][Ss][Ee][Xx].[Cc][Oo][Mm]
The + field allows for any printable characters (but there must be at least 1) in the senders email address. You should use the SMTP state machine with the SMTP Commands state set, direction to service port 25.

Similar Messages

  • IPS custom signature to filter email domain

    Using IPS 5.0.
    I'm creating custom signature on SMTP using State Name: SMTP Commands.
    My question:
    1. On the Regex String, what should i key in to disable any users from the sex.com domain to send me email. I have keyin
    [Mm][Aa][Ii][Li][\t][Ff][Rr][Oo][Mm]:^.@[Ss][Ee][Xx].[Cc][Oo][Mm]
    but i don't think this is corrent...am i ??
    2. In the State Name(SMTP), they have
    Abort, Mail Body, Mail Header, SMTP Commands and Start. Can anyone provide the information (URL) and example of how to use these....
    Thanks in advance...

    The documentation for 5.1 is located at:
    http://www.cisco.com/en/US/customer/products/hw/vpndevc/ps4077/products_configuration_guide_book09186a008055de07.html
    I believe the regex you want is:
    [Mm][Aa][Ii][Ll][\t][Ff][Rr][Oo][Mm][:][\x21-\x7E]+[@][Ss][Ee][Xx].[Cc][Oo][Mm]
    The + field allows for any printable characters (but there must be at least 1) in the senders email address. You should use the SMTP state machine with the SMTP Commands state set, direction to service port 25.

  • Disassoc flood - false alarms - IDS signature file needs adjustment

    Another interesting observation regarding Disassociation flood wireless IDS alarms:
    When a wireless client goes out of range of an AP, is that it is not uncommon for a burst of 64 disassociation frames to be sent in order to ensure that the client/AP are no longer associated.
    However, the threshold in the WLC's IDS signature file is 50. It is unclear why this value was chosen by the developers. However, at Cisco's recommendation, we have adjusted the signature file to a value of FREQ=80 (instead of 50) for the following alarms:
    Disassociation, Deauth Flood, and Bcast Deauth
    This has resulted in fewer false alarms (except for Bcast deaut which is the result of the WLC alarming on its own containment messages - see previous thread!).
    Additional Note: When making changes to the IDS signature file, it would appear that a REBOOT ended up being necessary in our case in order to get the WLCs to recognize the changes to the IDS signature file. When we merely upgraded the signature file, it did not make a difference.
    Also, it would appear that the name of the signature file is important (since the parsing of the file does not take place unless a specific file name is given).
    - John

    Hi,
    I'm getting a lot of false positive rogue APs (I've checked the MAC addresses and they are definitely ours), is it possible that a similar problem with signatures is causing this?
    Scott

  • Using IPS 6.3 customized signatures in CS MARS

    A client has a Cisco IPS 6.3 module installed in a Catalyst 6500, *with fully customized signatures* which generate thousands of alerts clearly visible in its IPS Event Viewer.
    MARS is pulling info from that IPS, but the customized signatures do not appear in any Incident. Is it possible for MARS to pull all those customized signatures??
    Thanks in advance

    The first step is to get MARS to parse the event. The next step is to create the necessary inspection rules.
    You can start here:
    http://ciscomars.blogspot.com/2008/03/custom-ips-signatures-with-cisco-mars.html

  • Cisco IPS SSM 10 Sensor can't update signature file from ASA 5510

    Cisco ASA 5510 IPS Firewall with ASA-SSM-10 Module.  I am trying to do a manual update of the signature file and get the following error:
    Error: execUpgradeSoftware : couldn't connect to host
    I have confirmed that I can ping the ftp server successfully from the ASA and the command I am trying to use from the configure terminal of the module is:
    upgrade ftp://[email protected]//IPS-sig-S813-req-E4.pkg
    I have also tried via http and it does not work as well.  Any thoughts?

    to connect to ftp there should be username usually anonymous and password whitch can be any. check in ftp server
    aip_ssm_card# copy  ftp://192.168.15.12/JAF1308ARNJ_20131009032200919.lic license-key 
    User: anonymous
    Password: *********
    the username and/or the password are incorrect
    aip_ssm_card# copy  ftp://192.168.15.12/JAF1308ARNJ_20131009032200919.lic license-key 
    User: 123
    Password: ***
    File opening error
    I made special user 123 on ftp server with password 123
    aip_ssm_card# copy  ftp://192.168.15.12/JAF1308ARNJ_20131009032200919.lic license-key 
    User: 123
    Password: ***
    aip_ssm_card# 
    and dont forget to rate post

  • IPS signature file for 2620xm router

    Would I still need to pay to get the lastet IPS Signature file for the 2620xm router and what version number is it?
    Dave

    Would I still need to pay to get the lastet IPS Signature file for the 2620xm router and what version number is it?
    Dave

  • IOS IPS Automatic Signature Update

    I will use cisco1941w.
    I'd like to know, how to configure at CLI and where is the URL.
    Is the bellow correct?
    CLI
    Router(config)# ip ips auto-update
    Router(config-ips-auto-update)# occur-at 0 0-23 1-31 1-5
    Router(config-ips-auto-update)# url https://www.cisco.com/cgi-bin/front.x/ida/locator/locator.pl
    Router(config-ips-auto-update)# username XXX password XXX
    URL
    https://www.cisco.com/cgi-bin/front.x/ida/locator/locator.pl

    Hello,
    A. Hete is what the six files do:
    • ios-ips-sigdef-default.xml: contains all the factory default signature definitions
    • ios-ips-sigdef-delta.xml: contains signature definitions that have been changed from the default
    • ios-ips-sigdef-typedef.xml: is a file that has all the signature parameter definitions
    • ios-ips-sigdef-category.xml: has all the signature category information, such as category ios_ips basic and advanced
    • ios-ips-seap-delta.xml: contains changes made to the default SEAP parameters
    • ios-ips-seap-typedef.xml: contains all the SEAP parameter definitions
    B. So the signature file (.pkg) is decompressed into these files and then 'idconf' loads them in memory.
    Hence to copy signature database of one router to the other, we need to copy atleast first 4 files.
    You only need to distribute the SEAP configuration if you modified any of the Signature Event Action Override configuration:
    We do not have one single file that contains all the signatures.  The signature package is installed in a certain way.
    Hence we will need atleast first 4 files to copy of signature database from one router to the other.
    C. Secondly, I dont know if auto-update will accept a file in .xmz package, I have not tested this.
    But I am guessing it will look for a .pkg file and decompress it.
    With copying a .xmz file, you may have to manually load it into memory using 'idconf' command.
    D. Hence there is no one single configuration file that you copy off the external ftp server.
    I guess, the only thing you can do is to have different routers update signatures at different times to reduce load on the network.
    It is also not necessary to check for signature updates every hour.
    Normal rate of adding new signature releases is every few days, so even if you check around once a day that should be ok.
    Sid Chandrachud
    TAC Security Solutions
    Customer support engineer

  • Cisco IPS 4240 stops file downloads at 90%

    Hi everybody. I have a Cisco IPS 4240 with version 7.0.4 installed and upgraded to the last signature. But since it was installed i have the issue with some file downloads because the IPS stops the file at 90-99% of download percentage (in some cases, not all), The ips is inline in front of firewall, some partner say me that i have to change the mode to promiscuous for the solution of the issue, but i think that if the IPS was designed for work inline, i dont have to change anything and maybe some expert of the forum have the correct answer.  Or this issue have solution with configuration changes.
    Sorry by my write english.... I try to find some signature that causes the issue but if i disabled the sensor, the issue occurs. The firewall is not the problem because if i connect a laptop in front of the firewall and behind of IPS the issue occurs too. Well i have now some months trying of find a solution. In the page of Cisco not find some similar.... [:-(
    Pd. An example of files that stop when downloads is Apple Itunes... or Microsoft Patch, or Vmware software by example.
    Thanks for your response are greatly appreciated.

    Thnaks for your help this is the last packets before freeze the download:
    The size of the download with problems is random, sometimes ocurrs with small size downloads sometimes ocurrs with large downloads. The download of the example have 47 MB, I think that the traffic is dropped and the tcp conn timeout. Do you see some anomalies in this traffic portion?.
    14:55:20.536119 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 47929166 win 65335
    14:55:20.536122 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 47929166 win 65335
    14:55:20.536420 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 47929166 win 65335
    14:55:20.536718 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 47929166 win 65335
    14:55:20.536820 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 47929166 win 65335
    14:55:20.537123 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 47929166 win 65335
    14:55:20.537125 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 47929166 win 65335
    14:55:20.537517 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 47929166 win 65335
    14:55:20.537520 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 47929166 win 65335
    14:55:20.537522 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 47929166 win 65335
    14:55:20.537821 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 47929166 win 65335
    14:55:20.537823 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 47929166 win 65335
    14:55:20.538116 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 47929166 win 65335
    14:55:20.538118 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 47929166 win 65335
    14:55:20.538415 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 47929166 win 65335
    14:55:20.538418 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 47929166 win 65335
    14:55:20.544207 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 47929166 win 65335
    14:55:20.544307 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 47929166 win 65335
    14:55:20.638362 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 47929166 win 65335
    14:55:20.638365 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 47929166 win 65335
    14:55:20.638463 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 47929166 win 65335
    14:55:20.638562 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 47929166 win 65335
    14:55:20.638862 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 47929166 win 65335
    14:55:20.638864 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 47929166 win 65335
    14:55:20.638866 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 47929166 win 65335
    14:55:20.639164 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 47929166 win 65335
    14:55:20.639166 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 47929166 win 65335
    14:55:20.639560 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 47929166 win 65335
    14:55:20.639562 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 47929166 win 65335
    14:55:20.639564 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 47929166 win 65335
    14:55:20.639960 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 47929166 win 65335
    14:55:20.640260 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 47929166 win 65335
    14:55:20.640263 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 47929166 win 65335
    14:55:20.640568 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 47929166 win 65335
    14:55:20.641958 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 47929166 win 65335
    14:55:20.641960 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 47929166 win 65335
    14:55:20.642158 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 47929166 win 65335
    14:55:20.742304 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 47929166 win 65335
    14:55:20.742603 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 47929166 win 65335
    14:55:20.742605 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 47929166 win 65335
    14:55:20.742607 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 47929166 win 65335
    14:55:20.742903 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 47929166 win 65335
    14:55:20.743202 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 47929166 win 65335
    14:55:20.743302 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 47929166 win 65335
    14:55:20.743601 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 47929166 win 65335
    14:55:20.745000 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 47929166 win 65335
    14:55:20.745100 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 47929166 win 65335
    14:55:20.845347 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 47929166 win 65335
    14:55:20.845548 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 47929166 win 65335
    14:55:20.845550 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 47929166 win 65335
    14:55:20.845647 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 47929166 win 65335
    14:55:20.845845 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 47929166 win 65335
    14:55:20.846245 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 47929166 win 65335
    14:55:20.846247 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 47929166 win 65335
    14:55:20.846544 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 47929166 win 65335
    14:55:20.849040 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 48010926 win 65335
    14:55:20.849439 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 48012386 win 65335
    14:55:20.948787 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 48015306 win 65335
    14:55:20.948789 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 48018226 win 65335
    14:55:20.952982 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 48021146 win 65335
    14:55:20.953679 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 48024066 win 65335
    14:55:21.055723 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 48029906 win 65335
    14:55:21.055725 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 48032826 win 65335
    14:55:21.055930 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 48035746 win 65178
    14:55:21.058919 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 48037206 win 65335
    14:55:21.068809 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 48040126 win 65335
    14:55:21.068812 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 48043046 win 65335
    14:55:21.069006 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 48045966 win 65335
    14:55:21.070103 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 48048886 win 65335
    14:55:21.158967 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 48051806 win 65335
    14:55:21.159265 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 48054726 win 65335
    14:55:21.159465 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 48057646 win 65335
    14:55:21.159864 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 48060566 win 65335
    14:55:21.159867 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 48063486 win 64605
    14:55:21.162162 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 48066406 win 63875
    14:55:21.162260 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 48066406 win 65335
    14:55:21.172245 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 48069326 win 65335
    14:55:21.172248 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 48072246 win 65335
    14:55:21.172545 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 48075166 win 65335
    14:55:21.172645 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 48078086 win 64605
    14:55:21.172744 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 48078086 win 65335
    14:55:21.172844 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 48081006 win 65335
    14:55:21.173144 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 48083926 win 64605
    14:55:21.185225 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 48083926 win 65335
    14:55:21.572333 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 48116046 win 65335
    14:55:21.585313 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 48151086 win 65335
    14:55:21.585315 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 48151086 win 65335
    14:55:21.585414 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 48151086 win 65335
    14:55:21.585417 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 48151086 win 65335
    14:55:21.585512 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 48151086 win 65335
    14:55:21.677172 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 48151086 win 65335
    14:55:21.688654 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 48151086 win 65335
    14:55:21.688657 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 48158386 win 65335
    14:55:21.688757 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 48158386 win 65335
    14:55:21.780613 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 48170066 win 65335
    14:55:21.883755 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 48170066 win 65335
    14:55:21.986998 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 48170066 win 65335
    14:55:22.090639 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 48170066 win 65335

  • Adding custom signature to Mail

    I know this has GOT to be easy, but I am totally stumped. I have several email accounts, and have signatures setup for each in preferences for each. My problem is that I just cannot figure out how to have my signature use any other font beside the default font. It is driving my nuts. I've even tried creating it how I want in Pages, and copying/dragging it into the signature, and it keeps changing the font to the default helvetica.
    Any ideas?

    In the Signature preferences be sure you have not checked the box to "Match the font ...." Also, be sure you have configured Mail to use Rich Tesxt rather than plain text. This is done in Mail's Composing preferences.
    If you still have problems here are two possible solutions. One is to create your custom signature in an HTML editor. A simple editor that would work is Level4 - VersionTracker or MacUpdate. Then paste the resulting HTML code for your signature into the Signature preferences in Mail. The other would be to create your signature in Pages, for example, and output a PDF file. You can then insert the PDF file as your signature.

  • Custom signature for TOR Application

    Hi,
    I want to create custom signature to produce alert whenever any machine lunches TOR application, i have searched and found that there already two signatures cretaed 5816/0 5816/1, i have enabled them and tested it did not fire.
    I have ips in promoscous mode monitoring all vlans, working normally. I dont have ssl interception @ any device, so once TOR is establish then i dont have visibilty over the traffic.
    i need help in creating usch signature, i have took wireshark capture of traffic and all i can see on application layer is proxy connect and proxy port (see attached)
    thanks for your help.                

    Hi nkumarsr,
    I have cretaed tcp string signature for ports 9001, 9090
    and also i have added it in builtin signature 5816/0 and 5816/1
    i have luanch TOR and it is not fired, i took capture on client PC and seached for tcp.port == 9001 and 9090, it is not showing.
    do u have any other ideas ?

  • Custom signature in CSM3.0 for IDSM2 with IPS5.1

    I am trying to add a custom signature in CSM3.0 for IDSM2 which is running IPS5.1 in cat6500.I am using custom
    wizard to create the custom signature ( say "sweep" ).Under sigature, IPS5.x, I could see the created custom signature but when the sigature triggers, IPS event viewer shows only the old ( built in - sweep )signature ID and not the customized one.
    Just to test the changes in effect,
    I tried to change the event level say "low" to "high" for one of the built in signature( sweep 2100) by editing the same.Display shows the changed level, but when the sigature triggers the IPS event viewer shows the level as "low" instead of "high".
    Also I tried with enabling the check box for the option " retire".
    How do I create and test the customized signature..I tried with both IDM and CSM3.0.Any suggestions...

    The custom headers and client IP and port headers are inserted in every HTTP request packet. Full session headers and decoded client certificate fields are inserted in the first HTTP request packets; only the session ID is inserted in subsequent HTTP requests that use the same session ID. The servers are expected to cache the session or client certificate headers based on the session ID and use the session ID in subsequent requests to get the session and client certificate headers.

  • S492 : Bad Custom Signature ID ... [5577]

    Hi,
    I've implemented signature update S492, but apparently there is a problem with the new signature 5577.1 : SMB Secure NULL Login Attempt . During the upgrade process run from our CSM V3.3.1, the deployment manager returns an error :
    instance=sig0:unspecifiedError:Bad Custom Signature ID ... [5577].  Can not create a custom signature with sig-id < 60000
    When I verifie on the sensors themselves, this new signature is nowhere to be found.
    Best regards.

    Signature# 5577 is a new signature from s492 signature update:
    http://www.cisco.com/web/software/282549755/34252/IPS-sig-S492.readme.txt
    Do you happen to have a custom signature with sig# 5577 by any chance?
    If you don't, then you might want to open a TAC case as it might be a new bug.

  • Custom Signature Regex

    Does the Regex engine used by the IPS support lookahead syntax? I'm working on creating a custom signature using the TCP String engine that I want to fire if it both finds a given string, and does not find a second string. A negative lookahead seemed like the logical way to do this but when I try to use one I get a regex error from the sensor.

    ** update. sorry, just realized that this is not what you asked. I don't see anything in the docs anyway that refers to lookahead assertions **
    yes, well according to the docs anyway. I've never tested though. In my experience, Cisco sometimes just inserts verbatim snippets of text from other documentation into their guides. The MARS docs say [or used to anyway] that they support them as well and they don't. Please let us know if they work for you.
    http://cisco.com/en/US/products/hw/vpndevc/ps4077/products_command_reference_chapter09186a0080592dcb.html#wp480571
    "The following regular expression uses parentheses for recall:
    • a(.)bc(.)\1\2 matches an a followed by any character, followed by bc followed by any character, followed by the first any character again, followed by the second any character again. For example, the regular expression can match aZbcTZT. The software remembers that the first character is Z and the second character is T and then uses Z and T again later in the regular expression."

  • CSM / ASA IPS -- upstream signature package includes hundreds of retired signatures

    CSM / ASA IPS -- upstream signature package includes hundreds of retired signatures
    When I push new signatures that CSM downloads and applies for me, I get hundreds of retired signatures.  I have tried to wipe signature policy and create fresh and anew - it seems as if CSM isn't marking 'new' signatures for application to existing signature configuration files.  The deltas betwen previous versions do not get applied.
    Is this a common occurance for other people running CSM?

    Hi JP,
    The signatures need to be enabled and unretired for them to function.
    The following FAQ described this process in detail:
    http://www.cisco.com/web/about/security/intelligence/ips_sig_faq.html#2
    Hope this is helpful.
    Regards
    Neil Archibald
    IPS Signature Development Team

  • Jabber for windows 9.2.1 - InitialPhoneSelection doesn't work if configuration is in custom config file

    Hi,
    my customer wanted set InitialPhoneSelection to deskphone mode, when users firs run Jabber for Windows (ver. 9.2.1).
    I created custom config (configurationfile=jabber-config-deskphone.xml) but it doesn't work.
    Policies>
         <InitialPhoneSelection>deskphone</InitialPhoneSelection>
    </Policies>
    I tested it couple times and at the end I tried put configuration to default jabber-config.xml and ... this functionality start working...
    Could you check guys if you have same problem with custom config file? I think that it is bug. Maybe other option don't work in custom config file.
    Thanks a lot
    Pavel

    Hi Pavel,
    This setting is only when the client is installed and started by the user for the first time. After that the client will save the user preference (what was the phone selection when the user exited the client)  and use it in subsequent logins.
    Having said that, can you please specify in details how exactly you did your tests or maybe test again taking the above into consideration ?
    Thanks,
    Christos

Maybe you are looking for