Solved: 5477 / 2 - Possible Heap... How did you handle it?

kutukutu9 · ‎09-03-2008

Im sure everyone has figured out what to do with this signature. It fires a lot due to the code (ad revolver) used on some high traffic websites like lanebryant.

Intelli Shield recommends we filter out webservers hosting non-ASCII web pages.

How am I supposed to know what webservers are hosting non-ASCII web pages? How can you filter this? I hate to disable this sig because it represents a high risk exploit, but so many false positives.. what have you done with 5477 - 2 ?

Description of 5477 / 2:

This signature fires on detecting unicode-encoded escape sequences in HTML pages. This is a common way to load values into memory and is frequently used in buffer overflow exploits. While the use of unescape() does not indicate anything malicious has occurred, further investigation may be warranted. This signature is also a component of META signature 5556-4.

Recommended Filters

Filter webservers hosting non-ASCII web pages.

Benign Triggers

Benign triggers have been identified with HTML pages represented in non-ASCII characters.

Many thanks

mhellman · ‎09-15-2008

I tried replying earlier, not sure if it's going to make it;-) That signature is part of a META signature 5556-4, so removing the action prevents it from firing on its own (we disabled a long time ago due to high false positive rate). If you disable/retire it, you'll have to deal with 5556-4 as well.

View solution in original post

sadbulali · ‎09-09-2008

To enable Cisco IOS URL filtering, use the urlfilter command in policy-map-class configuration mode. To disable URL filtering, use the no form of this command.

urlfilter parameter-map-name

no urlfilter parameter-map-name

Farrukh Haroon · ‎09-13-2008

In Sig release 354 Cisco has removed the 'Produce Alert' from this signature:

S354 Release Notes:

5.x, 6.x5477.2 Possible Heap Payload Construction STRING-TCP High True

5477.2 "produce-alert" event-action was removed.

Just upgrade to reduce the noise.

Regards

Farrukh

kutukutu9 · ‎09-15-2008

That makes me wonder what good is it to leave a signature enabled but not producing alerts or any other event for that matter? Wasting CPU yes?

mhellman · ‎09-15-2008

I tried replying earlier, not sure if it's going to make it;-) That signature is part of a META signature 5556-4, so removing the action prevents it from firing on its own (we disabled a long time ago due to high false positive rate). If you disable/retire it, you'll have to deal with 5556-4 as well.

craiwill · ‎09-15-2008

The signature is still used as a meta component in several signatures.

mhellman · ‎09-15-2008

You mean more than just the one indicated? I don't see how that's possible because intellishield.cisco.com only mentions the one (I laugh in Cisco's general direction). I'm not aware of any way to list which META signatures a component sig is part of, so perhaps you could list the relevant META sigs here?

craiwill · ‎09-16-2008

I'll update the documentation shortly.

This signature is also a component of the following META signatures: 5556-4, 6279-0, 6297-0, 6298-0, 6403-0, 6408-0, 6409-0, 6410-0, 6524-0, 6534-0, 6535-0, 6536-0, 6544-0, 6794-0, 6795-0, 6930-0, 6940-0, 6942-0, 6988-0, 6990-0, 7206-0, 7209-0, 7229-0 and 7237-0.