Sig 3161 (MKD overflow) triggered for one of my customers when he was replacing some cgi scripts. From NSDB:
This signature triggers when an attempt is detected to create or delete a directory during an FTP session using a path argument containing executable machine code, also known as shellcode. Subsig 0 watches for use of FTP 'MKD' command with shellcode in the path argument. Subsig 1 watches for use of the FTP 'DELE' command with shellcode in the path argument.
Is it possible that it is interpreting certain cgi filenames as shellcode simply because they are named similarly to shellcode?
It could be possible, but I'd think it would be rather unusual. We would need to see a traffic sample to definitively answer the question. You can send any traffic samples to firstname.lastname@example.org, and I'll take a look at them for you.