5610-0 false positives

Unanswered Question
Jan 25th, 2006

I don't understand why this is firing. It looks like it should only fire if there is a non-numeric value for the query parameter graph_start...which there isn't. Here are the details.


Arg Name Regex: [Gg][Rr][Aa][Pp][Hh][_][Ss][Tt][Aa][Rr][Tt][=]

Arg Value Regex: [^0-9]+


And here is the context:

fromAttacker:

000000 47 45 54 20 2F 63 61 63 74 69 2F 67 72 61 70 68 GET /cacti/graph

000010 5F 69 6D 61 67 65 2E 70 68 70 3F 6C 6F 63 61 6C _image.php?local

000020 5F 67 72 61 70 68 5F 69 64 3D 31 36 31 26 72 72 _graph_id=161&rr

000030 61 5F 69 64 3D 30 26 67 72 61 70 68 5F 68 65 69 a_id=0&graph_hei

000040 67 68 74 3D 31 30 30 26 67 72 61 70 68 5F 77 69 ght=100&graph_wi

000050 64 74 68 3D 33 30 30 26 67 72 61 70 68 5F 6E 6F dth=300&graph_no

000060 6C 65 67 65 6E 64 3D 74 72 75 65 26 76 69 65 77 legend=true&view

000070 5F 74 79 70 65 3D 74 72 65 65 26 67 72 61 70 68 _type=tree&graph

000080 5F 73 74 61 72 74 3D 31 31 33 38 31 33 31 39 39 _start=113813199

000090 36 26 67 72 61 70 68 5F 65 6E 64 3D 31 31 33 38 6&graph_end=1138

0000A0 32 31 38 33 39 36 20 48 54 54 50 2F 31 2E 31 0D 218396 HTTP/1.1.


riskRatingValue: 65

interface: ge0_0

protocol: tcp


wsulym Wed, 01/25/2006 - 17:29
User Badges:
  • Cisco Employee

Thank you for bringing this to our attention; it is indeed a false positive. This has been assigned bug id CSCsd16754 and will be addressed in the S215 release.
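One way to confirm the question's reading of the signature offline, as an added example that is not part of the original thread and not Cisco's signature engine: it applies the two posted regexes to the captured request one argument at a time. The per-argument evaluation, the `&` delimiter handling and the function names are assumptions made for illustration.

```python
import re
from urllib.parse import urlsplit

# Regexes copied verbatim from the signature details in the question.
ARG_NAME_RE = re.compile(r"[Gg][Rr][Aa][Pp][Hh][_][Ss][Tt][Aa][Rr][Tt][=]")
ARG_VALUE_RE = re.compile(r"[^0-9]+")

# Request line reassembled from the ASCII column of the fromAttacker dump.
CAPTURED = (
    b"GET /cacti/graph_image.php?local_graph_id=161&rra_id=0"
    b"&graph_height=100&graph_width=300&graph_nolegend=true"
    b"&view_type=tree&graph_start=1138131996&graph_end=1138218396"
    b" HTTP/1.1\r"
)

def query_args(request_line: bytes):
    """Yield (name, value) pairs in request order, without URL-decoding."""
    target = request_line.decode("latin-1").split(" ")[1]
    for pair in urlsplit(target).query.split("&"):
        name, _, value = pair.partition("=")
        yield name, value

def matching_args(request_line: bytes):
    """Return the arguments that match both regexes.

    Assumption: the name regex is tested against "name=" and the value
    regex only against that argument's own value (up to the next '&').
    """
    hits = []
    for name, value in query_args(request_line):
        if ARG_NAME_RE.fullmatch(name + "=") and ARG_VALUE_RE.search(value):
            hits.append((name, value))
    return hits

if __name__ == "__main__":
    # Captured request: graph_start is all digits, so nothing should match.
    print("captured :", matching_args(CAPTURED))
    # Constructed request with a non-numeric value, for contrast.
    sample = b"GET /cacti/graph_image.php?graph_start=abc HTTP/1.1\r"
    print("contrast :", matching_args(sample))
```

Under these assumptions the captured request yields no match, which agrees with the false-positive assessment in the reply.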
