Last night and this morning, after the latest signature release s472, I have been getting hammered with alerts from this signature - nids http evasion - signature 24339. The description says it fires on the occurrence of %3f in the URL. The description also says there are no known benign alerts; however, I am not sure that is the case. I have attached a few random packet captures from the IPS that this signature is firing on. Anyone else seeing this?
I too am experiencing the same thing; however, most of mine seem to be tripping when the other side is Google, which I find odd. I am trying to figure out what the end users are doing to cause the signature to fire, but so far I have not been able to recreate it.
We have seen this as well for a few of our customers going to various different websites. All the alerts we've looked at so far have been false positives. For example, several alerts are being generated by users looking for information about different vehicles.
Let's see if I can fill in a few gaps here... The signature went through a couple of revisions before the version released in s472. We took care of a couple of false positives we saw, and the signature had been running clean as of the last modification. So at the time of release we knew of no other benign triggers; that is now obviously not the case. The signature is meant to trigger on whisker's anti-IDS parameter hiding tactic, which it does, but it also triggers on some URL encoding in the URI. We're going to turn it off in the upcoming release and update the benign triggers. And it's also showing me that we've got a bit of a gap in some traffic representation on our test sensors.
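To make the false-positive discussion concrete, here is an added example (not the vendor's signature logic, and not code from anyone in this thread) that runs a naive "any %3f in the URI" check, as the thread describes signature 24339 behaving, beside a narrower check over a handful of constructed URIs. The narrower heuristic, flagging an encoded `?` only when it appears before any literal `?` (i.e. in the path rather than inside a query value, where benign encoding such as a search term ending in a question mark lands), is an assumption for illustration, not the vendor's fix.

```python
import re
from urllib.parse import unquote

# Constructed sample URIs for illustration; not taken from the thread's packet captures.
SAMPLE_URIS = [
    "/cgi-bin/script.pl%3fcmd=id",        # encoded '?' in the path: query boundary is hidden
    "/search?q=best+family+car%3F",       # literal '?' comes first: %3F is data inside a value
    "/vehicles/compare?a=sedan&b=suv",    # no encoded '?' at all
    "/index.html%3F",                     # encoded '?' with nothing after it, still in the path
]

ENCODED_QMARK = re.compile(r"%3f", re.IGNORECASE)


def naive_match(uri: str) -> bool:
    """Any %3f / %3F anywhere in the URI, as the thread describes the signature behaving."""
    return ENCODED_QMARK.search(uri) is not None


def refined_match(uri: str) -> bool:
    """Assumed narrower heuristic: flag only when an encoded '?' precedes any literal '?'.

    After a literal '?' the rest of the URI is query data, where a percent-encoded
    question mark is ordinary URL encoding rather than a hidden query boundary.
    """
    m = ENCODED_QMARK.search(uri)
    if m is None:
        return False
    first_literal = uri.find("?")
    return first_literal == -1 or m.start() < first_literal


def triage(uris):
    """Return per-URI verdicts from both checks plus the decoded form an analyst would read."""
    return [
        {"uri": u, "naive": naive_match(u), "refined": refined_match(u), "decoded": unquote(u)}
        for u in uris
    ]


def alert_counts(uris):
    """(naive alerts, refined alerts): shows how many hits the narrower rule drops."""
    rows = triage(uris)
    return sum(r["naive"] for r in rows), sum(r["refined"] for r in rows)


if __name__ == "__main__":
    for row in triage(SAMPLE_URIS):
        print(row)
    print("naive vs refined alert counts:", alert_counts(SAMPLE_URIS))
```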