NIDS HTTP evasion - Signature 24339

Unanswered Question
Feb 24th, 2010


Last night and this morning, after the latest signature release s472, I have been getting hammered with alerts from this signature: NIDS HTTP evasion, signature 24339.  The description says it fires on the occurrence of %3f in the URL.  The description also says there are no known benign alerts; however, I am not sure that is the case.  I have attached a few random packet captures from the IPS that this signature is firing on.  Anyone else seeing this?

scottyschafer Wed, 02/24/2010 - 07:22

I too am experiencing the same thing; however, most of mine seem to be tripping when the other side is Google, which I find odd. I am trying to figure out what the end users are doing to cause the signature to fire but so far have not been able to recreate it.

JonPBerbee Wed, 02/24/2010 - 08:27

We have seen this as well for a few of our customers going to various different websites.  All the alerts we've looked at so far have been false positives.  For example several alerts are being generated by users looking for information about different vehicles.

PWCSinfosec Wed, 02/24/2010 - 09:53

Most of what I am seeing is the same thing: various websites, searches, but most are DoubleClick ads. Attached is the full packet info of the common alert I am getting.

wsulym Wed, 02/24/2010 - 10:28

Let's see if I can fill in a few gaps here... The signature went through a couple of revisions before the version released in s472. We took care of a couple of false positives we saw, and the signature had been running clean as of the last modification. So at the time of release we knew of no other benign triggers; that is now obviously not the case. The signature is meant to trigger on whisker's anti-IDS parameter hiding tactic, which it does, but it also triggers on some URL encoding in the URI. We're going to turn it off in the upcoming release, and the benign triggers will be updated. And it's also showing me that we've got a bit of a gap in some traffic representation on our test sensors.
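The distinction wsulym draws above (an encoded '?' used to hide a path boundary versus ordinary URL encoding inside a query string) can be shown with a small classifier. This is an added example, not the vendor's signature logic and not code from anyone in the thread; the request lines are constructed to resemble the traffic described (a %3f in the path, an ad-click redirect carrying an encoded URL, a plain search), and the "path only" check is one illustrative way to narrow the match, not the fix that was shipped.

```python
from urllib.parse import unquote

# Constructed HTTP request lines, modelled on the traffic discussed in the
# thread.  They are illustrations, not the packet captures posted above.
SAMPLE_REQUESTS = {
    # '%3f' in the path: the shape a parameter-hiding request takes, since a
    # detector that stops at the first '?' never sees the path after it.
    "path_hiding": "GET /index.htm%3fparam=/../cgi-bin/test.cgi HTTP/1.0",
    # An encoded URL carried as a query-string value (ad-click style).  The
    # '%3F' here is data inside a parameter, not a hidden path delimiter.
    "ad_redirect": "GET /click?u=http%3A%2F%2Fwww.example.com%2Fcars%3Fmake%3Dhonda HTTP/1.1",
    # Ordinary search request with no encoded '?' at all.
    "search": "GET /search?q=car+reviews&hl=en HTTP/1.1",
}


def request_uri(request_line):
    """Return the request-URI from an HTTP request line ('METHOD URI VERSION')."""
    parts = request_line.split()
    if len(parts) < 2:
        raise ValueError("not an HTTP request line: %r" % request_line)
    return parts[1]


def naive_hit(uri):
    """The behaviour the thread describes: fire on %3f anywhere in the URI."""
    return "%3f" in uri.lower()


def path_hit(uri):
    """Narrower check (an assumption for illustration, not the vendor's logic):
    fire only when %3f occurs in the path, i.e. before the first literal '?'.
    Once a real '?' has been seen, a later %3f is just a character inside a
    query-string value and does not change where the path ends."""
    path = uri.split("?", 1)[0]
    return "%3f" in path.lower()


def classify(request_line):
    """Run both checks on one request line and show what the path decodes to."""
    uri = request_uri(request_line)
    return {
        "uri": uri,
        "naive": naive_hit(uri),
        "path_only": path_hit(uri),
        # Decoding the path shows the hidden '?' that a non-decoding detector
        # would miss.
        "decoded_path": unquote(uri.split("?", 1)[0]),
    }


if __name__ == "__main__":
    for name, line in SAMPLE_REQUESTS.items():
        r = classify(line)
        print(f"{name:12} naive={r['naive']!s:5} path_only={r['path_only']!s:5} "
              f"decoded path -> {r['decoded_path']}")
```

Running it shows the naive check firing on both the path-hiding request and the ad redirect, while the path-only check fires on the first alone. The narrower check is deliberately simple: it does not handle double encoding (%253f) or other encodings of '?', so it is a way to see where the benign triggers come from rather than a drop-in replacement for the signature.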

PWCSinfosec Wed, 02/24/2010 - 10:44

Thanks for the response and information.  Would you like my collection of packet captures from the ips for your investigation into the false positives?

wsulym Wed, 02/24/2010 - 10:55

No, I think I'm good... I saw what you had uploaded and the other upload to the thread as well - all very similar to a few of the others I'm seeing elsewhere. Thanks for the offer though.
