Cisco Support Community

Signature 3529-0 false positives

This signature triggers on a normal EXAMINE INBOX command. Won't the following regex fire on any IMAP EXAMINE command and not just "examine..256+"? Can this be combined with the "min match length" to fix?

[0-9][\x20][Ee][Xx][Aa][Mm][Ii][Nn][Ee][\x20][^\x0a\x0d]+[\x0a\x0d]

1 REPLY
Cisco Employee

Re: Signature 3529-0 false positives

Thank you for bringing this to our attention. Yes, the Min Match Length parameter should be used. We will release a modified signature in an upcoming release.

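The false positive discussed in this thread, and the effect of gating the regex on a minimum match length, as an added example (not Cisco's signature engine and not code from either poster). It models Min Match Length as "the matched text must be at least that many bytes long" and takes 256 from the post's "256+" wording, since the signature's real value is not given here; the sample commands are constructed.

```python
import re

# Regex quoted in the post for signature 3529-0, applied to raw bytes.
SIG_REGEX = re.compile(
    rb"[0-9][\x20][Ee][Xx][Aa][Mm][Ii][Nn][Ee][\x20][^\x0a\x0d]+[\x0a\x0d]"
)

# Assumed threshold, taken from the post's "examine..256+" wording.
MIN_MATCH_LENGTH = 256


def regex_only(payload: bytes) -> bool:
    """Alert whenever the regex matches, whatever the match length."""
    return SIG_REGEX.search(payload) is not None


def regex_with_min_length(payload: bytes, min_len: int = MIN_MATCH_LENGTH) -> bool:
    """Alert only if some regex match spans at least min_len bytes (modelled)."""
    return any(len(m.group(0)) >= min_len for m in SIG_REGEX.finditer(payload))


# Constructed sample client commands (not captured traffic).
SAMPLES = {
    "normal": b"1 EXAMINE INBOX\r\n",
    "mixed case": b'a0042 examine "Sent Items"\r\n',
    "oversized": b"7 EXAMINE " + b"A" * 300 + b"\r\n",
    "other command": b"3 SELECT INBOX\r\n",
}


def evaluate(samples=SAMPLES):
    """Return {name: (regex_only, regex_with_min_length)} for each sample."""
    return {
        name: (regex_only(p), regex_with_min_length(p))
        for name, p in samples.items()
    }


if __name__ == "__main__":
    for name, (plain, gated) in evaluate().items():
        print(f"{name:14} regex only: {plain!s:5}  with min length: {gated}")
```

The `[^\x0a\x0d]+` term accepts a mailbox argument of any length from one byte up, so the regex alone cannot tell a routine EXAMINE from an oversized one; only the length gate separates the two.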