ID: 5124

darin.marais
Level 4

My client is running signature set S74 on a VMS 2.2 with idsmon 1.2.3 and version 3.1(5) sensors.

The IEV receives an event for “IIS CGI Double Decode ID: 5124 Sub ID: 1”. Upon checking the content buffer for the event, the following string is observed. (http://x/x/x/x%252Fxxx.jsp)

My question is as follows:

The buffer contains a %252F and this has triggered the event.

Does the sub-signature look for %2F as an exact match?

or

Can there be spaces and characters in the middle of the 2 and the F (as are found in the buffer[52]) and still trigger the event?

Has the signature triggered correctly?

Accepted Solution

mcerha
Level 3

The signature is looking for a literal "[%][2][5][2][Ff]" pattern in the URI. Per the regex, no spaces or other characters can be in the sequence. From the observed string, the signature appears to have fired properly. While we do not know of any benign triggers, it may be possible for this to be legitimate traffic.
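As an added illustration (not part of the original thread or of the sensor's code), the following Python applies the literal pattern mcerha quotes to the URI darin.marais observed and to a few variants constructed here for the questioner's cases, and shows what each URI becomes after one and two URL decodes. The function and list names are my own.

```python
import re
from urllib.parse import unquote

# Literal pattern quoted in the accepted answer: "%" "2" "5" "2" then "F" or "f".
# Nothing may appear between the characters, so "%25 2F" does not match.
IIS_DOUBLE_DECODE_SLASH = re.compile(r"[%][2][5][2][Ff]")


def signature_matches(uri: str) -> bool:
    """True when the URI contains the literal %252F / %252f sequence."""
    return IIS_DOUBLE_DECODE_SLASH.search(uri) is not None


def double_decode(uri: str) -> tuple:
    """Decode the URI twice, as a double-decoding server would; return (once, twice)."""
    once = unquote(uri)        # %252F -> %2F  (%25 becomes "%")
    twice = unquote(once)      # %2F   -> /
    return once, twice


def analyse(uri: str) -> dict:
    """Combine the signature check with the decode stages for one URI."""
    once, twice = double_decode(uri)
    return {
        "uri": uri,
        "signature_fired": signature_matches(uri),
        "decoded_once": once,
        "decoded_twice": twice,
        # A "/" that only appears after the second decode is what the signature is designed to catch.
        "new_slash_after_second_decode": twice.count("/") > once.count("/"),
    }


# Constructed sample set: the first entry is the URI observed in the thread, the rest are
# variants invented here to exercise the questioner's cases.
SAMPLE_URIS = [
    "http://x/x/x/x%252Fxxx.jsp",   # observed in the content buffer
    "http://x/x/x/x%252fxxx.jsp",   # lowercase hex digit, still matches [Ff]
    "http://x/x/x/x%25 2Fxxx.jsp",  # space between the parts: no match
    "http://x/x/x/x%2Fxxx.jsp",     # single encoding only: no match
]

if __name__ == "__main__":
    for uri in SAMPLE_URIS:
        result = analyse(uri)
        print(f"{uri}: fired={result['signature_fired']} "
              f"once={result['decoded_once']} twice={result['decoded_twice']} "
              f"new_slash={result['new_slash_after_second_decode']}")
```

Only the two %252F/%252f forms fire; the spaced variant and the single-encoded %2F do not, which matches the answer above.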
