Cisco Support Community
New Member

5477 / 2 - Possible Heap... How did you handle it?

I'm sure everyone has figured out what to do with this signature. It fires a lot due to the code (ad revolver) used on some high-traffic websites like lanebryant.

IntelliShield recommends we filter out web servers hosting non-ASCII web pages.

How am I supposed to know which web servers are hosting non-ASCII web pages? How can you filter this? I hate to disable this sig because it represents a high-risk exploit, but there are so many false positives. What have you done with 5477/2?

Description of 5477 / 2:

This signature fires on detecting unicode-encoded escape sequences in HTML pages. This is a common way to load values into memory and is frequently used in buffer overflow exploits. While the use of unescape() does not indicate anything malicious has occurred, further investigation may be warranted. This signature is also a component of META signature 5556-4.

Recommended Filters

Filter webservers hosting non-ASCII web pages.

Benign Triggers

Benign triggers have been identified with HTML pages represented in non-ASCII characters.

Many thanks
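The signature description above says 5477/2 fires on any %uXXXX escape in an HTML page, and that the benign trigger is pages that carry non-ASCII text the same way. The following is an added example, not code from the thread and not Cisco's signature engine: a small Python inspector that shows the naive check next to a tighter one keyed on what a heap-spray builder actually looks like (a %u string that is very repetitive, or one whose unescape() result is grown by appending a variable to itself). The regexes, thresholds and the three sample pages are my own constructions for this example.

```python
"""Added example: naive %uXXXX matching versus a spray-shape check.
Not from the thread or from Cisco; samples and thresholds are constructed."""
import re
from dataclasses import dataclass
from typing import Optional

# %uXXXX: the non-standard escape that JavaScript's unescape() decodes
UNICODE_ESCAPE = re.compile(r"%u([0-9a-fA-F]{4})")
# name = unescape("...%u...") : remember which variable holds the result
UNESCAPE_ASSIGN = re.compile(
    r"(\w+)\s*=\s*unescape\(\s*['\"]([^'\"]*%u[^'\"]*)['\"]\s*\)")
# charset declared by the page, e.g. <meta ... charset=gb2312>
META_CHARSET = re.compile(r"<meta[^>]+charset=[\"']?\s*([\w-]+)", re.I)


@dataclass
class Verdict:
    escapes: int              # number of %uXXXX escapes in the page
    distinct: int             # distinct code units among them
    max_run: int              # longest back-to-back repeat of one code unit
    self_append: bool         # unescape() result grown with x += x
    charset: Optional[str]    # charset the page declares, if any
    spray_like: bool          # verdict of the tighter check


def naive_5477_2(body: str) -> bool:
    """What the thread says the signature does: any %uXXXX escape fires."""
    return UNICODE_ESCAPE.search(body) is not None


def longest_run(units):
    best = run = 0
    prev = None
    for u in units:
        run = run + 1 if u == prev else 1
        best = max(best, run)
        prev = u
    return best


def has_self_append(body: str, var: str) -> bool:
    """Length-doubling idiom: var += var  or  var = var + var."""
    v = re.escape(var)
    return re.search(rf"\b{v}\s*(\+=\s*{v}|=\s*{v}\s*\+\s*{v})\b", body) is not None


def inspect(body: str, min_run: int = 4) -> Verdict:
    units = [u.lower() for u in UNICODE_ESCAPE.findall(body)]
    grown = any(has_self_append(body, var) for var, _ in UNESCAPE_ASSIGN.findall(body))
    m = META_CHARSET.search(body)
    run = longest_run(units)
    return Verdict(
        escapes=len(units),
        distinct=len(set(units)),
        max_run=run,
        self_append=grown,
        charset=m.group(1).lower() if m else None,
        # a sled/shellcode builder repeats itself; encoded prose does not
        spray_like=bool(units) and (grown or run >= min_run),
    )


# Constructed sample 1: the classic sled-builder shape (no target, no payload)
SPRAY = """<html><script>
var nop = unescape("%u0c0c%u0c0c");
while (nop.length < 0x100000) nop += nop;
var pile = [];
for (var i = 0; i < 64; i++) pile[i] = nop + i;
</script></html>"""

# Constructed sample 2: a Chinese page writing its text through unescape();
# this is the "benign trigger" the signature description talks about
BENIGN = """<html><head>
<meta http-equiv="Content-Type" content="text/html; charset=gb2312">
</head><body><script>
document.write(unescape("%u4e2d%u6587%u7f51%u9875%u6b22%u8fce"));
</script></body></html>"""

# Constructed sample 3: no loop, but one code unit repeated as a literal
LITERAL_SLED = """<script>
var s = unescape("%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090");
</script>"""

SAMPLES = {"spray": SPRAY, "benign": BENIGN, "literal_sled": LITERAL_SLED}


def triage(samples=SAMPLES):
    """Return {name: (naive_fires, spray_like)} for each sample page."""
    return {name: (naive_5477_2(body), inspect(body).spray_like)
            for name, body in samples.items()}


if __name__ == "__main__":
    for name, (naive, tight) in triage().items():
        print(f"{name:13} 5477/2-style match={naive!s:5} spray_like={tight}")
```

The declared charset is carried in the verdict because it is the one cheap answer to "how do I know which servers host non-ASCII pages": a page that declares gb2312, Shift_JIS or similar and shows no repetition or self-append is exactly the benign trigger the description mentions, and the host can be added to a filter from that evidence rather than guessed.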

7 REPLIES
New Member

Re: 5477 / 2 - Possible Heap... How did you handle it?

To enable Cisco IOS URL filtering, use the urlfilter command in policy-map-class configuration mode. To disable URL filtering, use the no form of this command.

urlfilter parameter-map-name

no urlfilter parameter-map-name

Re: 5477 / 2 - Possible Heap... How did you handle it?

In Sig release 354 Cisco has removed the 'Produce Alert' from this signature:

S354 Release Notes:

5.x, 6.x | 5477.2 | Possible Heap Payload Construction | STRING-TCP | High | True

5477.2 "produce-alert" event-action was removed.

Just upgrade to reduce the noise.

Regards

Farrukh

New Member

Re: 5477 / 2 - Possible Heap... How did you handle it?

That makes me wonder: what good is it to leave a signature enabled but not producing alerts, or any other event for that matter? Wasting CPU, yes?

Gold (Accepted Solution)

Re: 5477 / 2 - Possible Heap... How did you handle it?

I tried replying earlier, not sure if it's going to make it;-) That signature is part of a META signature 5556-4, so removing the action prevents it from firing on its own (we disabled a long time ago due to high false positive rate). If you disable/retire it, you'll have to deal with 5556-4 as well.

Cisco Employee

Re: 5477 / 2 - Possible Heap... How did you handle it?

The signature is still used as a meta component in several signatures.

Gold

Re: 5477 / 2 - Possible Heap... How did you handle it?

You mean more than just the one indicated? I don't see how that's possible because intellishield.cisco.com only mentions the one (I laugh in Cisco's general direction). I'm not aware of any way to list which META signatures a component sig is part of, so perhaps you could list the relevant META sigs here?

Cisco Employee

Re: 5477 / 2 - Possible Heap... How did you handle it?

I'll update the documentation shortly.

This signature is also a component of the following META signatures: 5556-4, 6279-0, 6297-0, 6298-0, 6403-0, 6408-0, 6409-0, 6410-0, 6524-0, 6534-0, 6535-0, 6536-0, 6544-0, 6794-0, 6795-0, 6930-0, 6940-0, 6942-0, 6988-0, 6990-0, 7206-0, 7209-0, 7229-0 and 7237-0.
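The point made twice in this thread, that a component signature with its produce-alert action removed is still evaluated and still feeds its META signatures, whereas retiring it breaks those METAs, is easy to see in a small model. The following is an added example and not Cisco's META engine: real META signatures also carry ordering, interval and unique-key rules that this model leaves out, the window value is assumed, and the second component of 5556/4 is a hypothetical placeholder because the thread does not name it. The reverse index at the end is the listing the Gold poster asked for, which in a model is trivial.

```python
"""Added example: simplified model of component and META signature actions.
Not Cisco's engine; window and the second component are assumptions."""
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

OTHER = "hypothetical-other-component"   # placeholder; the thread does not name it


@dataclass
class SensorConfig:
    # component id -> event actions (empty set: evaluated, but silent)
    actions: Dict[str, Set[str]]
    # meta id -> component ids that must all have matched within the window
    metas: Dict[str, Tuple[str, ...]]
    retired: Set[str] = field(default_factory=set)
    window: float = 2.0   # seconds; assumed value for this model


def run(config: SensorConfig, events: List[Tuple[float, str]]):
    """events: (time, component_id) matches seen on the wire.
    Returns the alerts the modelled sensor emits as (time, signature)."""
    last_seen: Dict[str, float] = {}
    alerts = []
    for t, sig in sorted(events):
        if sig in config.retired:
            continue                      # retired: never evaluated at all
        last_seen[sig] = t                # still evaluated even when silent
        if "produce-alert" in config.actions.get(sig, set()):
            alerts.append((t, sig))
        for meta, parts in config.metas.items():
            # a META fires when its last missing component arrives in time
            if sig in parts and all(
                    p in last_seen and t - last_seen[p] <= config.window for p in parts):
                alerts.append((t, meta))
    return alerts


def metas_using(config: SensorConfig, component: str) -> List[str]:
    """Reverse index: which META signatures depend on this component."""
    return sorted(m for m, parts in config.metas.items() if component in parts)


# Constructed traffic: three noisy ad-script hits, then a real pair
TRAFFIC = [(0.0, "5477/2"), (0.5, "5477/2"), (1.0, "5477/2"),
           (10.0, "5477/2"), (10.3, OTHER)]


def before_s354() -> SensorConfig:
    """5477/2 alerts on its own: every ad-script hit is an alert."""
    return SensorConfig(actions={"5477/2": {"produce-alert"}, OTHER: {"produce-alert"}},
                        metas={"5556/4": ("5477/2", OTHER)})


def after_s354() -> SensorConfig:
    """produce-alert removed from 5477/2; it still feeds 5556/4."""
    cfg = before_s354()
    cfg.actions["5477/2"] = set()
    return cfg


def retired_5477_2() -> SensorConfig:
    """5477/2 retired: 5556/4 can never complete."""
    cfg = after_s354()
    cfg.retired.add("5477/2")
    return cfg


def alert_counts(config: SensorConfig, events=TRAFFIC) -> Dict[str, int]:
    counts: Dict[str, int] = {}
    for _, sig in run(config, events):
        counts[sig] = counts.get(sig, 0) + 1
    return counts


if __name__ == "__main__":
    for name, cfg in (("before S354", before_s354()), ("after S354", after_s354()),
                      ("5477/2 retired", retired_5477_2())):
        print(f"{name:15} {alert_counts(cfg)}")
    print("METAs using 5477/2:", metas_using(after_s354(), "5477/2"))
```

The three runs line up with the thread: before S354 the sensor emits four 5477/2 alerts plus the META; after S354 the noise is gone but 5556/4 still fires on the real pair; with 5477/2 retired the META is silent. That is why the accepted answer says retiring the component means dealing with 5556/4 (and, per the list above, the other METAs) as well.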
