04-15-2002 11:00 AM - edited 03-08-2019 10:19 PM
Description: The Signature triggers when a filename greater than 300 characters is seen in a URL with .pl extension.
Got the alert on a URL like: http://www.example.com/scr.pl&a=1&b=2&c=3&...
Looks like it doesn't check the filename but checks total URL length.
04-15-2002 02:55 PM
What release of CSIDS are you using? Also, could you provide any traffic samples? If so, please feel free to send them to mcerha@cisco.com.
04-15-2002 03:02 PM
You are seeing this false positive because the arguments after scr.pl are not separated with a hook (?), but instead by an ampersand (&) which is usually only used to separate arguments. Since this is a non-standard webserver, I would suggest that you use the RecordOfExcludedAddress and exclude that webserver from alarm 5191.
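The effect described in the reply above, as an added example that is not part of the original thread and is not the sensor's own matching logic: a filename-length check that treats everything up to the first `?` as the filename counts the `&`-joined arguments as part of the name. The function names, the `.pl` substring test and the sample arguments are assumptions constructed for illustration; only the 300-character threshold comes from the signature description.

```python
from urllib.parse import urlsplit

MAX_FILENAME_LEN = 300  # threshold quoted in the signature description


def script_filename(url: str) -> str:
    """Return the last path segment: the text after the final '/' and
    before the first '?' (urlsplit only ends the path at '?' or '#')."""
    path = urlsplit(url).path
    return path.rsplit("/", 1)[-1]


def long_pl_filename(url: str) -> bool:
    """Hypothetical, simplified model of the check: fire when the
    filename mentions .pl and is longer than the threshold."""
    name = script_filename(url)
    return ".pl" in name.lower() and len(name) > MAX_FILENAME_LEN


# Constructed sample arguments (not traffic from the thread).
ARGS = "&".join(f"p{i}=value{i}" for i in range(40))

# Non-standard form from the first post: no '?', arguments joined by '&'.
AMP_URL = "http://www.example.com/scr.pl&" + ARGS
# Conventional form: '?' ends the path, so the filename is just scr.pl.
QM_URL = "http://www.example.com/scr.pl?" + ARGS

if __name__ == "__main__":
    for url in (AMP_URL, QM_URL):
        name = script_filename(url)
        print(f"filename length={len(name):4d} "
              f"query length={len(urlsplit(url).query):4d} "
              f"alert={long_pl_filename(url)}")
```

With identical arguments, only the `&` form produces a "filename" over the threshold, which matches the observation in the first post that the alarm tracks total URL length on this server.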