Cisco Support Community

New Member

ID: 5124

My client is running signature set S74 on a VMS 2.2 with idsmon 1.2.3 and version 3.1(5) sensors.

The IEV receives an event for “IIS CGI Double Decode ID: 5124 Sub ID: 1”. Upon checking the content buffer for the event, the following string is observed. (http://x/x/x/x%252Fxxx.jsp)

My question is as follows:

The buffer contains a %252F and this has triggered the event.

Does the sub-signature look for %2F as an exact match?

or

Can there be spaces and characters in the middle of the 2 and the F (as are found in the buffer[52]) and still trigger the event?

Has the signature triggered correctly?

1 ACCEPTED SOLUTION

Accepted Solutions
Bronze

Re: ID: 5124

The signature is looking for a literal "[%][2][5][2][Ff]" pattern in the URI. Per the regex, no spaces or other characters can be in the sequence. From the observed string, the signature appears to have fired properly. While we do not know of any benign triggers, it may be possible for this to be legitimate traffic.
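To make the accepted answer concrete, here is an added example (not Cisco's signature code, and not from either poster) that applies the literal "[%][2][5][2][Ff]" pattern to a few constructed URIs and shows why the sequence matters: a server that percent-decodes twice turns %252F into %2F and then into a real "/". The sample URIs are invented for the demonstration; only the first mirrors the shape quoted in the question.

```python
import re
from urllib.parse import unquote

# Pattern as described in the accepted answer for signature 5124 sub-sig 1:
# a literal "%252" followed by "F" or "f" in the URI. No other characters may
# appear between those bytes, so "%25 2 F" does not satisfy it.
DOUBLE_DECODE_SLASH = re.compile(r"[%][2][5][2][Ff]")

# Constructed sample URIs (not from any real capture) that show when the
# pattern fires and when it stays quiet.
SAMPLE_URIS = [
    "http://x/x/x/x%252Fxxx.jsp",    # shape reported in the question: fires
    "http://x/x/x/x%25 2 Fxxx.jsp",  # same bytes with spaces inserted: quiet
    "http://x/x/x/x%2Fxxx.jsp",      # single encoding of '/': outside this sub-sig
    "http://x/x/x/x%252fxxx.jsp",    # lowercase f: fires, [Ff] covers both cases
]


def signature_fires(uri: str) -> bool:
    """Return True when the literal %252F / %252f sequence appears in the URI."""
    return DOUBLE_DECODE_SLASH.search(uri) is not None


def decode_stages(uri: str) -> list[str]:
    """Show what a server that percent-decodes twice would see.

    Index 0 is the URI as received, index 1 after one decode, index 2 after a
    second decode. The double-decode problem is that a path check applied
    after the first decode still sees '%2F', while the path actually used
    after the second decode contains a real '/'.
    """
    stage1 = unquote(uri)   # "%25" -> "%", leaving "%2F"
    stage2 = unquote(stage1)  # "%2F" -> "/"
    return [uri, stage1, stage2]


def triage(uris: list[str]) -> list[tuple[str, bool, str]]:
    """For each URI, report whether the signature fires and the fully decoded form.

    An analyst reviewing an IEV event can use the decoded form to judge
    whether the request path is benign for the application in question.
    """
    return [(u, signature_fires(u), decode_stages(u)[2]) for u in uris]


if __name__ == "__main__":
    for uri, fired, decoded in triage(SAMPLE_URIS):
        print(f"{'FIRE ' if fired else 'quiet'}  {uri!r}  ->  {decoded!r}")
```

Running the block prints one line per sample URI; the spaced variant from the question's second scenario does not match, which is the answer's point, and the decoded column shows the directory separator that a double-decoding server would act on.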

