New Member

NIDS HTTP evasion - Signature 24339

Hello,

Last night and this morning after the latest signature release s472 I have been getting hammered with alerts from this signature - nids http evasion - signature 24339.  The description says it fires on the occurrence of %3f in the URL.  The description also says there are no known benign alerts, however I am not sure that is the case.  I have attached a few random packet captures from the IPS that this signature is firing on.  Anyone else seeing this?

6 REPLIES
New Member

Re: NIDS HTTP evasion - Signature 24339

I too am experiencing the same thing, however, most of mine seem to be tripping when the other side is Google, which I find odd... I am trying to figure out what the end users are doing to cause the signature to fire but so far have not been able to recreate it.

New Member

Re: NIDS HTTP evasion - Signature 24339

We have seen this as well for a few of our customers going to various different websites.  All the alerts we've looked at so far have been false positives.  For example several alerts are being generated by users looking for information about different vehicles.

New Member

Re: NIDS HTTP evasion - Signature 24339

Most of what I am seeing is the same thing, various websites, searches, but most are DoubleClick ads. Attached is the full packet info of the common alert I am getting.

Cisco Employee

Re: NIDS HTTP evasion - Signature 24339

Let's see if I can fill in a few gaps here... The signature went through a couple of revisions before the version released in s472. We took care of a couple of false positives we saw, and the signature had been running clean as of the last modification. So at the time of release, we knew of no other benign triggers; that is now obviously not the case. The signature is meant to trigger on whisker's anti-IDS parameter hiding tactic, which it does, but it also triggers on some URL encoding in the URI. We're going to turn it off in the upcoming release and update the benign triggers. And it's also showing me that we've got a bit of a gap in some traffic representation on our test sensors.

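To make the false-positive mechanism described in the reply above concrete, here is an added illustration (not Cisco's signature engine, and not the logic of signature 24339 itself). It contrasts a literal reading of the signature description ("%3f anywhere in the URL") with a narrower check that only flags an encoded '?' when it appears in the path portion, before any literal '?'. That is the case where a naive URL parser would not see a query string at all, which is the parameter-hiding effect the reply mentions. Encoded '?' characters inside a query parameter value, as produced by ordinary URL encoding of a redirect target or search term, are left alone. The request lines are constructed samples, not taken from the captures attached to the thread, and the function names are my own.

```python
# Constructed sample HTTP request lines (not from the thread's packet captures).
SAMPLE_REQUEST_LINES = [
    "GET /index.html HTTP/1.1",                                        # plain path
    "GET /search?q=cars&hl=en HTTP/1.1",                               # normal query
    "GET /redirect?url=http%3A%2F%2Fexample.test%2Fpage%3Fid%3D7 HTTP/1.1",  # encoded '?' inside a value
    "GET /cgi-bin/script.pl%3fcmd=list HTTP/1.1",                      # encoded '?' standing in for the query delimiter
]


def request_target(request_line):
    """Return the request-target (second token) of an HTTP request line."""
    return request_line.split(" ")[1]


def naive_match(request_line):
    """Literal reading of the signature description: fire on %3f anywhere in the URL.

    This is the behaviour that produces alerts on benign, URL-encoded query
    parameters such as the redirect example above.
    """
    return "%3f" in request_target(request_line).lower()


def refined_match(request_line):
    """Fire only when %3f appears before any literal '?', i.e. in the path.

    A percent-encoded '?' in the path is the construction that hides the
    query string from a parser that splits on the literal delimiter; an
    encoded '?' after a literal '?' is just a value being URL-encoded.
    """
    path = request_target(request_line).split("?", 1)[0]
    return "%3f" in path.lower()


def classify(request_lines):
    """Return (request_line, naive_hit, refined_hit) for each sample line."""
    return [(line, naive_match(line), refined_match(line)) for line in request_lines]


if __name__ == "__main__":
    for line, naive_hit, refined_hit in classify(SAMPLE_REQUEST_LINES):
        print(f"naive={naive_hit!s:5} refined={refined_hit!s:5}  {line}")
```

Run against the four samples, the naive check fires on both the redirect URL and the path-encoded request, while the refined check fires only on the latter. This is the kind of tuning a sensor operator would want before treating the alert as actionable; the matching here is case-insensitive because %3F and %3f decode to the same character.

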
New Member

Re: NIDS HTTP evasion - Signature 24339

Thanks for the response and information.  Would you like my collection of packet captures from the IPS for your investigation into the false positives?

Cisco Employee

Re: NIDS HTTP evasion - Signature 24339

No, I think I'm good... I saw what you had uploaded and the other upload to the thread as well - all very similar to a few of the others I'm seeing elsewhere. Thanks for the offer though.
