Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
305
Views
0
Helpful
1
Replies

Sig 5474 - Doesn't come close to packet contents

j826430
Level 1
Level 1

‎08-01-2006 01:24 PM - edited ‎03-10-2019 03:08 AM

We had sig 5474 fire on two sensors. After looking at the packet and then the Regex in the sig, this just doesn't make sense to me.

The Regex:

([%]20|[=])[Ss][Ee][Ll][Ee][Cc][Tt]([%]20|[+])[^\r\n\x00-\x19\x7F-\xFF]+([%]20|[+])[Ff][Rr][Oo][Mm]([%]20|[+])

The Packet:

4.0 (compatible;MSIE 6.0; Windows NT 5.1; SV1;.NET CLR 1.1.4322)..Host: www.trustar-rs.com..Content-Length: 611..Connection: Keep-Alive..Cacheeep-Alive..Cachehe..Cookie: <removedforsecurity>=QXIPUNSdmzweb104CKQOO; RANDOM_ID=f6a8759283514372bfadf7d4677bd5f0....

Any input on this one?

Thanks.

-David

Labels:
0 Helpful
1 Reply 1

wdrootz
Level 4
Level 4

‎08-07-2006 11:30 AM

The link below will give you details about the regular expression used in IPS

http://www.cisco.com/en/US/products/hw/vpndevc/ps4077/products_command_reference_chapter09186a00804a8284.html

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card