
Strange one: 5191

DSmirnov
Level 1

Description: The Signature triggers when a filename greater than 300 characters is seen in a URL with .pl extension.

Got the alert on URL like: http://www.example.com/scr.pl&a=1&b=2&c=3&...

Looks like it doesn't check the filename but checks total URL length.

2 Replies

mcerha
Level 3

What release of CSIDS are you using? Also, could you provide any traffic samples? If so, please feel free to send them to mcerha@cisco.com.

anthall
Level 1

You are seeing this false positive because the arguments after scr.pl are not separated with a hook (?), but instead by an ampersand (&) which is usually only used to separate arguments. Since this is a non-standard webserver I would suggest that you use the RecordOfExcludedAddress and exclude that webserver from alarm 5191.
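The parsing difference described in the reply above, as an added example that is not part of the original thread and is not the sensor's own signature logic: a triage helper that measures the last path segment of an alerted URL and separates a genuinely long .pl filename from arguments glued on with `&` and no `?`. The function names, the result labels and the simplified length check are assumptions; the sample URLs are constructed.

```python
import re
from urllib.parse import urlsplit

MAX_FILENAME = 300  # threshold quoted in the signature description in this thread

def last_segment(url):
    """Final path segment. Per RFC 3986 the path only ends at the first '?'."""
    return urlsplit(url).path.rsplit("/", 1)[-1]

def triage(url):
    """Classify a URL against a simplified model of the filename-length check.

    Returns 'no-match', 'long-filename' or 'args-without-question-mark'.
    """
    seg = last_segment(url)
    # '.pl' must be a whole extension, not the start of e.g. '.plx'
    m = re.search(r"\.pl(?=$|[^A-Za-z0-9])", seg)
    if m is None or len(seg) <= MAX_FILENAME:
        return "no-match"
    # Text after the extension made only of &key=value pairs means the client
    # sent its arguments without '?', so they were counted as filename.
    tail = seg[m.end():]
    if re.fullmatch(r"(&[^&=/]+=[^&/]*)+", tail):
        return "args-without-question-mark"
    return "long-filename"

# Constructed sample input (not traffic from the thread)
ARGS = "&".join(f"p{i}=v{i}" for i in range(60))
SAMPLES = {
    "ampersand_only": "http://www.example.com/scr.pl&" + ARGS,
    "standard_query": "http://www.example.com/scr.pl?" + ARGS,
    "long_filename": "http://www.example.com/" + "A" * 320 + ".pl",
}

def run_samples():
    """Map each constructed sample to (segment length, triage result)."""
    return {k: (len(last_segment(u)), triage(u)) for k, u in SAMPLES.items()}

if __name__ == "__main__":
    for name, (length, verdict) in run_samples().items():
        print(f"{name:15} segment_len={length:4} -> {verdict}")
```
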
