New Member

FPs Sig 5432 Script in HTTP header

This signature appears to be looking for script markers in the header, but is firing on just the presence of 'script' which is not a problem. Example:

000000 47 45 54 20 2F 42 75 72 73 74 69 6E 67 53 63 72 GET /BurstingScr
000010 69 70 74 2F 61 64 64 69 6E 65 79 65 2E 6A 73 20 ipt/addineye.js
000020 48 54 54 50 2F 31 2E 31 0D HTTP/1.1.

6 REPLIES
Cisco Employee

Re: FPs Sig 5432 Script in HTTP header

It actually fires on <script> in the header. There's probably more to the alert context than what you have pasted there. If you enable "Produce Verbose Alert" as an action for that sig, you will see the trigger packet in the alert, and that should contain the "<script> ... </script>".

New Member

Re: FPs Sig 5432 Script in HTTP header

OK, changed and re-baited the hook. Awaiting the next fish...

New Member

Re: FPs Sig 5432 Script in HTTP header

Got one: the script is in the Referer: tag (sort of).

Cisco Employee

Re: FPs Sig 5432 Script in HTTP header

Well, doesn't look malicious at all. Not that I was having all sorts of luck finding out much about it, but from what I could find, looks like a click-through banner ad. Just looks like it's feeding some benign information into the JavaScript banner generator.

I will update the benign triggers section of the signature accordingly.

New Member

Re: FPs Sig 5432 Script in HTTP header

Isn't the signature designed to basically just look at the URI content? Can you adjust the regexp to locate script tags before the terminator?

Cisco Employee

Re: FPs Sig 5432 Script in HTTP header

No, 5432-0 is looking for script tags anywhere in the entire header. You may be thinking of the other XSS sigs. 5232-x sigs look for script in the URI and arguments only.
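An added illustration of the distinction drawn in this thread (example code, not code from the thread and not the Cisco signature logic itself): a bare substring match on "script" fires on the hex-dumped request above, while a tag-based check scoped to the whole header block (the 5432-0 scope as described) or to the request URI only (the 5232-x scope as described) does not. The second and third sample requests and the host names are constructed.

```python
import re

# Constructed sample requests. The first reproduces the request line from the
# hex dump in the original post; the other two are made up for illustration.
BENIGN_REQUEST = (
    b"GET /BurstingScript/addineye.js HTTP/1.1\r\n"
    b"Host: ads.example.invalid\r\n\r\n"
)
REFERER_REQUEST = (
    b"GET /banner.js HTTP/1.1\r\n"
    b"Host: ads.example.invalid\r\n"
    b"Referer: http://www.example.invalid/page?x=<script>alert(1)</script>\r\n\r\n"
)
URI_REQUEST = (
    b"GET /search?q=<script>alert(1)</script> HTTP/1.1\r\n"
    b"Host: www.example.invalid\r\n\r\n"
)

# An opening script tag followed by its closing tag, as the reply above says the
# trigger packet should contain. Case-insensitive, may span lines.
SCRIPT_TAG = re.compile(r"<\s*script\b.*?>.*?<\s*/\s*script\s*>", re.I | re.S)


def header_block(raw):
    """Decode the request line plus headers (everything before the blank line)."""
    return raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")


def naive_script_match(raw):
    """What the original poster assumed: fire on the word 'script' anywhere."""
    return "script" in header_block(raw).lower()


def header_script_tag(raw):
    """5432-0 scope as described: a script tag anywhere in the header block."""
    return SCRIPT_TAG.search(header_block(raw)) is not None


def uri_script_tag(raw):
    """5232-x scope as described: the request URI (path and query) only."""
    uri = header_block(raw).split("\r\n")[0].split(" ", 2)[1]
    return SCRIPT_TAG.search(uri) is not None


def locate_script_tag(raw):
    """Where the tag sits: 'request-line', a header name (e.g. 'referer'), or None."""
    lines = header_block(raw).split("\r\n")
    if SCRIPT_TAG.search(lines[0]):
        return "request-line"
    for line in lines[1:]:
        name, _, value = line.partition(":")
        if SCRIPT_TAG.search(value):
            return name.strip().lower()
    return None
```

Running the three checks over the benign request shows only the substring match firing, which is the false positive the thread is about; the Referer case fires the header-wide check but not the URI-only one.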
