The signature Apache Host Header Cross Site Scripting was released in the S37 update. In the readme and when implemented the default level is 5. If you read the definition in the NSDB it says:
This signature triggers when an HTTP Host: header is received containing a percent or less-than character. NOTE: Due to implementation restrictions, this signature will impact performance of the sensor and is disabled by default.
And it also suggests a level of 4. I have several questions. First, what is the recommended default level? 5? 4? 0? Second, what implementation restrictions make this signature affect performance? If it does affect performance, why would I want it enabled, and why is it enabled by default in the first place? Third, what does this signature actually look for? It says a % or < in the host header, but I am seeing this false positive greatly on long requests.
This signature should be off by default. The performance impact of this signature is because it uses a .* operator in the regex, which is looking for a % or < character in the Host: field of an HTTP request. These characters shouldn't be in a hostname and may indicate a cross-site scripting attack if present. I'm not sure how this is causing false positives, but if you can capture any traffic traces or iplogs I would be happy to look at them. You can email them to me at firstname.lastname@example.org. In regards to performance, this signature would only really affect your sensors if they are overburdened. The warning is just a reminder that this is an "expensive" signature. I guess this could be more clear in the NSDB. I'll fix this for signature update S41.
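As an added example (not part of the original thread, and not Cisco's signature), the Python below contrasts a hypothetical `.*` pattern that is allowed to run past the end of the Host line with a check confined to the Host header's own value, which is one way a pattern of this shape can over-match on long requests. The pattern, function names and sample requests are assumptions constructed for the example; the thread does not state the actual regex.

```python
import re

# Hypothetical pattern for illustration; not the actual signature regex.
# DOTALL lets ".*" run past the end of the Host line into later headers.
GREEDY = re.compile(rb"Host:.*[%<]", re.IGNORECASE | re.DOTALL)


def greedy_match(raw: bytes) -> bool:
    """Stream-style match: anything after 'Host:' may satisfy the pattern."""
    return GREEDY.search(raw) is not None


def host_header_suspicious(raw: bytes) -> bool:
    """Parse the header block and test only the Host header's own value."""
    head = raw.split(b"\r\n\r\n", 1)[0]
    for line in head.split(b"\r\n")[1:]:  # skip the request line
        name, sep, value = line.partition(b":")
        if sep and name.strip().lower() == b"host":
            if b"%" in value or b"<" in value:
                return True
    return False


# Constructed sample requests (not captured traffic).
BENIGN_LONG = (
    b"GET /search?q=a%20b HTTP/1.1\r\n"
    b"Host: www.example.com\r\n"
    b"Referer: http://www.example.com/page?next=%2Fhome\r\n"
    b"Cookie: session=abc%3D%3D\r\n"
    b"\r\n"
)
BAD_HOST = (
    b"GET / HTTP/1.1\r\n"
    b"Host: www.example.com<x\r\n"
    b"\r\n"
)

if __name__ == "__main__":
    for label, req in (("benign long", BENIGN_LONG), ("bad host", BAD_HOST)):
        print(label, greedy_match(req), host_header_suspicious(req))
```

The benign request trips the greedy pattern because of percent-encoding in the Referer and Cookie headers, while the header-scoped check flags only the request whose Host value itself contains `<`.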