Cisco Support Community
Community Member

False positive on sig 3161

Sig 3161 (MKD overflow) triggered for one of my customers when he was replacing some cgi scripts. From NSDB:

This signature triggers when an attempt is detected to create or delete a directory during an FTP session using a path argument containing executable machine code, also known as shellcode. Subsig 0 watches for use of the FTP 'MKD' command with shellcode in the path argument. Subsig 1 watches for use of the FTP 'DELE' command with shellcode in the path argument.

Is it possible that it is interpreting certain cgi filenames as shellcode simply because they are named similar to shellcode?

1 REPLY
Bronze

Re: False positive on sig 3161

It could be possible, but I'd think it would be rather unusual. We would need to see a traffic sample to definitively answer the question. You can send any traffic samples to mcerha@cisco.com, and I'll take a look at them for you.

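The reply above asks for a traffic sample before the question can be answered. As an added example (not code from the thread, not Cisco's signature logic), the script below pulls the MKD and DELE arguments out of raw FTP control-channel bytes and applies a deliberately simple, assumed heuristic for "shellcode in the path argument" (many non-printable bytes, or a run of x86 0x90 NOP bytes). The sample session is constructed. It illustrates the point at issue in the question: a directory whose name merely resembles the word "shellcode" is not what such a check looks at; the bytes of the argument are.

```python
# Added example: triage of FTP control-channel traffic for the directory
# commands that signature 3161 watches (MKD, DELE). The heuristic in
# looks_like_shellcode() is an assumption for illustration only; it is not
# the NSDB signature's actual matching logic.
from typing import Iterator, List, Tuple

WATCHED = {b"MKD", b"DELE"}


def ftp_commands(stream: bytes) -> Iterator[Tuple[bytes, bytes]]:
    """Yield (command, argument) pairs from raw FTP control-channel bytes.

    FTP commands are CRLF-terminated; the verb is separated from its
    argument by the first space.
    """
    for line in stream.split(b"\r\n"):
        if not line:
            continue
        cmd, _, arg = line.partition(b" ")
        yield cmd.upper(), arg


def looks_like_shellcode(arg: bytes, nonprint_threshold: int = 8, sled_len: int = 4) -> bool:
    """Assumed heuristic: flag a path argument that carries many bytes outside
    printable ASCII, or a run of 0x90 (x86 NOP) bytes typical of a NOP sled.
    A plain filename, whatever it is called, has neither property."""
    nonprint = sum(1 for b in arg if b < 0x20 or b > 0x7E)
    if nonprint >= nonprint_threshold:
        return True
    if b"\x90" * sled_len in arg:
        return True
    return False


def triage(stream: bytes) -> List[Tuple[bytes, bytes, bool]]:
    """Return (cmd, arg, flagged) for every MKD/DELE command in the stream."""
    return [
        (cmd, arg, looks_like_shellcode(arg))
        for cmd, arg in ftp_commands(stream)
        if cmd in WATCHED
    ]


# Constructed sample: a customer replacing CGI scripts, plus one MKD whose
# argument really is binary code bytes (NOP sled followed by a few opcodes).
SAMPLE = (
    b"USER webmaster\r\n"
    b"PASS secret\r\n"
    b"CWD /cgi-bin\r\n"
    b"DELE formmail.cgi\r\n"
    b"MKD shellcode_demo\r\n"       # benign: only the *name* mentions shellcode
    b"STOR formmail.cgi\r\n"
    b"MKD " + b"\x90" * 32 + b"\xcc\x31\xc0\x50\x68//sh\r\n"  # constructed shellcode-like bytes
)

if __name__ == "__main__":
    for cmd, arg, flagged in triage(SAMPLE):
        print(cmd.decode(), repr(arg[:24]), "FLAGGED" if flagged else "ok")
```

Running it on a real capture means feeding the reassembled client-to-server bytes of the control connection (port 21) in place of SAMPLE; if the flagged arguments turn out to be ordinary filenames, that is the evidence to send along with the traffic sample the reply asks for.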