cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1179
Views
0
Helpful
6
Replies

NIDS HTTP evasion - Signature 24339

PWCSinfosec
Level 1
Level 1

Hello,

Last night and this morning after the latest signature release s472 I have been getting hammered with alerts from this signature - nids http evasion - signature 24339.  The description says it fires on the occurence of %3f in the URL.  The description also says there are no known begnin alerts, however I am not sure that is the case.  I have attached the a few random packet captures from the IPS that this signature is firing on.  Anyone else seeing this?

6 Replies 6

scottyschafer
Level 1
Level 1

I to am experiencing the same thing, however, most of mine seem to be tripping when the other side is Google which i find odd....I am trying to figure out what the end users are doing to cause the signature to fire but so far have not been able to recreate.

We have seen this as well for a few of our customers going to various different websites.  All the alerts we've looked at so far have been false positives.  For example several alerts are being generated by users looking for information about different vehicles.

Most of what I am seeing is the same thing, various websites, searches but most are doubleclick adds.. Attached is the full packet info of the common alert I am getting.

wsulym
Cisco Employee
Cisco Employee

Lets see if I can fill in a few gaps here... The signature went thru a couple revisions before the version released in s472. We took care of a couple false positives we saw and the signature had been running clean as of the last modification. So at the time if release, we knew of no other benign triggers, that is now obviously not the case. The signature is meant to trigger on whisker's anti-IDS parameter hiding tactic, which it does, but it also triggers on some URL encoding in the URI. We're going to turn it off in the upcoming release, and benign triggers updated. And its also showing me that we've got a bit of a gap in some traffic representation on our test sensors.

Thanks for the response and information.  Would you like my collection of packet captures from the ips for your investigation into the false positives?

No, I think I'm good... I saw what you had uploaded and the other upload to the thread as well - all very similar to a few of the others I'm seeing elsewhere. Thanks for the offer though.

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: