03-03-2004 07:40 AM - edited 03-09-2019 06:37 AM
My client is running signature set S74 on a VMS 2.2 with idsmon 1.2.3 and version 3.1(5) sensors.
The IEV receives an event for IIS CGI Double Decode ID: 5124 Sub ID: 1. Upon checking the content buffer for the event, the following string is observed. (http://x/x/x/x%252Fxxx.jsp)
My question is as follows:
The buffer contains a %252F and this has triggered the event.
Does the sub-signature look for %2F as an exact match, or can there be spaces and characters in the middle of the 2 and the F (as are found in the buffer[52]) and still trigger the event?
Has the signature triggered correctly?
03-03-2004 08:27 AM
The signature is looking for a literal "[%][2][5][2][Ff]" pattern in the URI. Per the regex, no spaces or other characters can be in the sequence. From the observed string, the signature appears to have fired properly. While we do not know of any benign triggers, it may be possible for this to be legitimate traffic.
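As an added illustration of the answer above (not code from this thread or from the sensor's signature definition), a small Python check that mirrors the contiguous-literal matching described and shows what the double-encoded slash becomes after each decoding pass; the regex and the sample URIs are constructed for this example:

```python
import re
from urllib.parse import unquote

# Constructed to mirror the literal pattern quoted in the answer:
# '%' '2' '5' '2' then 'F' or 'f', with nothing allowed in between.
DOUBLE_ENCODED_SLASH = re.compile(r"%252[Ff]")


def signature_fires(uri: str) -> bool:
    """True only if the URI carries the contiguous %252F / %252f sequence."""
    return DOUBLE_ENCODED_SLASH.search(uri) is not None


def decode_passes(uri: str) -> tuple:
    """Return (after one percent-decode, after two) to show why %252F matters.

    A server that decodes once sees %2F, an encoded slash that is still
    harmless; a server that decodes twice sees a real '/', which is the
    path-traversal condition the double-decode signature watches for.
    """
    once = unquote(uri)      # %25 -> '%', leaving '%2F'
    twice = unquote(once)    # %2F -> '/'
    return once, twice


def triage(uris: list) -> list:
    """Return the URIs from a batch that would trigger the signature."""
    return [u for u in uris if signature_fires(u)]


# Constructed sample URIs, modelled on the string observed in the question.
SAMPLE_URIS = [
    "http://x/x/x/x%252Fxxx.jsp",   # contiguous %252F: fires
    "http://x/x/x/x%25 2Fxxx.jsp",  # space between 5 and 2: does not fire
    "http://x/x/x/x%2Fxxx.jsp",     # single-encoded slash only: does not fire
    "http://x/x/x/x%252fxxx.jsp",   # lowercase f is accepted by [Ff]: fires
]

if __name__ == "__main__":
    for u in triage(SAMPLE_URIS):
        print(u, "->", decode_passes(u))
```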