Cisco Support Community

New Member

False positive on Sig 5316.0?

Can someone explain why this signature is firing for me?

This signature is supposed to fire when the string "/ext.dll.*a0=add" is seen.

I am seeing an Attacker context of "http://<server name>/<Sub Dir>/maext.dll"

To me it doesn't seem like this should be firing on this syntax, because the ext.dll is not preceded by a "/"; it is preceded by the "ma".

Can anyone help explain this to me?

3 REPLIES
Silver

Re: False positive on Sig 5316.0?

The signature seems to be firing once it sees all the characters in the signature, irrespective of the exact string. That is, as soon as the signature captures all the characters in the signature, it fires. I too feel that this should not be happening this way. Any other thoughts?

Cisco Employee

Re: False positive on Sig 5316.0?

Thanks for bringing this to our attention. There appears to be an error in the regex leading to false positives. I'll look into it.

Cisco Employee

Re: False positive on Sig 5316.0?

This is identified by bugID CSCse34194. Signature update s230 will contain the modified signature.

Thanks again for bringing this up.
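
One way to check a report like the one in this thread is to run the signature's pattern over known-good and known-bad URIs before and after a signature update. The following is an added example, not part of any post above and not Cisco's signature code. It assumes the quoted string behaves as a Python `re` pattern (the sensor's regex dialect may differ), uses constructed URIs, and includes a hypothetical loosened pattern purely for comparison; the actual defect behind CSCse34194 is not described in the thread.

```python
import re

# Pattern exactly as quoted in the thread, interpreted as a Python regex.
DOCUMENTED = r"/ext.dll.*a0=add"
# Hypothetical loosened variant without the leading "/" (an assumption for
# illustration only; not the actual defect tracked as CSCse34194).
HYPOTHETICAL_LOOSE = r"ext.dll.*a0=add"
# Stricter form: the dot is escaped so it only matches a literal ".".
ESCAPED = r"/ext\.dll.*a0=add"

# Constructed sample request URIs (not taken from any capture).
SAMPLES = {
    "intended": "/scripts/ext.dll?a0=add&a1=x",   # should fire
    "reported": "/subdir/maext.dll?a0=add&a1=x",  # "ma" precedes ext.dll
    "no_param": "/subdir/maext.dll",              # no a0=add at all
    "dot_any":  "/scripts/extXdll?a0=add",        # unescaped "." matches "X"
}

def fires(pattern, uri):
    """Return True if the pattern matches anywhere in the URI."""
    return re.search(pattern, uri) is not None

def evaluate(pattern):
    """Map each sample name to whether the pattern fires on it."""
    return {name: fires(pattern, uri) for name, uri in SAMPLES.items()}

def false_positives(pattern, expected=("intended",)):
    """Names of samples the pattern fires on but should not."""
    return sorted(name for name, hit in evaluate(pattern).items()
                  if hit and name not in expected)

if __name__ == "__main__":
    for label, pat in [("documented", DOCUMENTED),
                       ("hypothetical loose", HYPOTHETICAL_LOOSE),
                       ("escaped", ESCAPED)]:
        print(f"{label:20} {pat:22} false positives: {false_positives(pat)}")
```

Under these assumptions the pattern as documented does not fire on the `maext.dll` URI, which is consistent with the original poster's reading, while the unescaped dot still lets it fire on strings such as `extXdll`.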
