I'm sure everyone has figured out what to do with this signature. It fires a lot due to the code (ad revolver) used on some high-traffic websites like lanebryant.
IntelliShield recommends we filter out webservers hosting non-ASCII web pages.
How am I supposed to know what webservers are hosting non-ASCII web pages? How can you filter this? I hate to disable this sig because it represents a high-risk exploit, but there are so many false positives. What have you done with 5477-2?
Description of 5477 / 2:
This signature fires on detecting Unicode-encoded escape sequences in HTML pages. This is a common way to load values into memory and is frequently used in buffer overflow exploits. While the use of unescape() does not indicate anything malicious has occurred, further investigation may be warranted. This signature is also a component of META signature 5556-4.
Filter webservers hosting non-ASCII web pages.
Benign triggers have been identified with HTML pages represented in non-ASCII characters.
I tried replying earlier, not sure if it's going to make it ;-) That signature is part of a META signature 5556-4, so removing the action prevents it from firing on its own (we disabled it a long time ago due to the high false positive rate). If you disable/retire it, you'll have to deal with 5556-4 as well.