Cisco Support Community
New Member

IDA Indexing Service Overflow

I have the WWW IIS .ida Indexing Service Overflow enabled to detect CodeRed or similar .ida attacks. I still have the original String Signature for CodeRed that was released before the WWW signature was included in an update. My question is: I am still getting hits on the String signature and the .ida overflow signature. I thought that after the .ida overflow signature was released in the update that you could get rid of the String signature. I still see hits on it so it was questionable whether it could come out.

1 REPLY
Cisco Employee

Re: IDA Indexing Service Overflow

The original custom strings are not as specific as the encoded signature for the .ida buffer overflow. The string that will be particularly noisy is the [.][Ii][Dd][Aa] string as it will alarm on any use of the indexing service. If you are worried purely about attacks designed to exercise the Buffer Overflow, then you can safely disable the custom strings. The embedded signature will catch all known variants of the Buffer Overflow.

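Added example, not part of the thread and not Cisco's signature logic: a comparison of the broad `[.][Ii][Dd][Aa]` string from the reply with a narrower check, run over constructed request lines, to show why the string keeps alarming on ordinary Indexing Service use. The narrow check, its 240-byte threshold and all function names are assumptions made for illustration; the page does not describe how the built-in signature works.

```python
import re

# Broad custom string quoted in the reply: matches any mention of ".ida".
BROAD = re.compile(r"[.][Ii][Dd][Aa]")

# Hypothetical threshold (an assumption for this example, not a Cisco value):
# query strings longer than this on an .ida resource are treated as suspect.
MAX_QUERY_LEN = 240


def broad_match(request_line: str) -> bool:
    """True if the broad string signature would fire on this request line."""
    return bool(BROAD.search(request_line))


def overflow_like(request_line: str, max_query_len: int = MAX_QUERY_LEN) -> bool:
    """Narrower check: .ida resource requested with an oversized query string."""
    parts = request_line.split(" ")
    if len(parts) < 2:
        return False  # malformed request line, nothing to inspect
    path, _, query = parts[1].partition("?")
    return path.lower().endswith(".ida") and len(query) > max_query_len


# Constructed sample request lines (not captured traffic).
SAMPLES = [
    "GET /search/query.ida?CiRestriction=report HTTP/1.0",  # normal index query
    "GET /files/holidays.IDA.txt HTTP/1.0",                  # substring only
    "GET /docs/index.html HTTP/1.0",                         # unrelated
    "GET /default.ida?" + "A" * 300 + " HTTP/1.0",           # oversized query
]


def noisy_only(lines):
    """Lines where the broad string fires but the narrow check does not."""
    return [l for l in lines if broad_match(l) and not overflow_like(l)]


def missed_by_broad(lines):
    """Lines the narrow check flags that the broad string would not."""
    return [l for l in lines if overflow_like(l) and not broad_match(l)]


if __name__ == "__main__":
    for line in SAMPLES:
        print(f"broad={broad_match(line)!s:5} narrow={overflow_like(line)!s:5} {line[:60]}")
```

On these samples the broad string fires on three of the four lines while the narrow check fires only on the oversized query, and nothing the narrow check flags is missed by the broad string.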