Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.


Additional Custom Signature for the SysV /bin/login Overflow

This is a new custom signature entry for the recent SysV /bin/login Buffer Overflow referenced in CERT Advisory CA-2001-34. This signature is provided as a supplement to S13 signatures 3403 and 3501 to better detect any attacks. It will be incorporated into a future signature update. Listed below is a sample screenshot of the output of the SigWizMenu tool. Please refer to the sensor Release Notes for instructions on how to use the SigWizMenu tool to add a custom signature.

Tune Signature Parameters : CSIDS Signature Wizard


Current Signature: Engine STRING.TCP SIGID 20000

SigName: SysV /bin/login Overflow


0 - Edit ALL Parameters

1 - AlarmInterval =

2 - AlarmThrottle = FireOnce

3 - ChokeThreshold =

4 - Direction = ToService

5 - FlipAddr =

6 - MaxInspectLength =

7 - MinHits = 1

8 - MinMatchLength =

9 - MultipleHits =

10 * RegexString = ([ \t][^ =\r\n]*[=][^ =\r\n][\x00-x7F]*){5}[\x00-\xff]*[\x80-\xff]

11 - ResetAfterIdle = 15

12 - ServicePorts = 23,513

13 - SigComment =

14 - SigName = SysV /bin/login Overflow

15 - SigStringInfo = /bin/login x1=1 x2=2...

16 - StripTelnetOptions = TRUE

17 - ThrottleInterval =

18 - WantFrag =

d - Delete a value

u - UNDO and continue

x - SAVE and continue


New Member

Re: Additional Custom Signature for the SysV /bin/login Overflow

How should we manage custom signatures over the long term? Are they added to subsequent signature releases? If so, should we then go back and remove the custom ones at some point?

New Member

Re: Additional Custom Signature for the SysV /bin/login Overflow

All custom signatures are included in later releases. Once a signature update is release, all prior custom signatures should be covered in the release. The custom signature releases are used only for signatures that have serious 0-day implications and cannot wait for the usual two week release. Those signatures then make it into the next signature update.