Cisco Support Community

New Member

Resurgence of SIG ID 5053 (vti_bin list attempts)

Anyone else seen a resurgence of the vti_bin list attempt (SigID 5053)? Ever since I've applied S40 to my IDS appliances, I'm getting flooded with these alerts. Did Cisco tune this signature and fail to include the change in the README?

Would appreciate response from anybody.

Thanks -

1 ACCEPTED SOLUTION

Accepted Solutions
Bronze

Re: Resurgence of SIG ID 5053 (vti_bin list attempts)

There was a change in the regex for S40. This was done to fix a false negative issue. Now, it is causing false positives. We are looking into this. 5053 is intended to be a generic signature with the intent that all accesses to the /_vti_bin directory are suspicious. This may not be true for all environments. Our current plan is to reduce the default severity for 5053 to a 3 and update the documentation in the NSDB to state that there may be false positives in some environments. We will also look to add more specific FrontPage exploits in the future to cover this area.
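The accepted answer describes the classic shape of a signature-pack regression: a regex widened to close a false negative now fires on every access to a generic path, and the volume jump is the first symptom an operator sees. The script below is an added example, not Cisco code or anything posted in this thread; it shows the triage a SOC analyst would do after a pack update. The event line format, the S40 install date (2003-03-10), the per-day thresholds and the list of hosts that actually run FrontPage extensions are all constructed assumptions for the example.

```python
"""Triage an IDS signature whose alert volume jumps after a signature-pack
update, as with SigID 5053 after S40 in the thread above.

Added example, not Cisco code: the event line format is constructed for
this example (it is not the real sensor format), and the update date,
thresholds and FrontPage host list are assumptions.
"""
import re
from collections import defaultdict
from datetime import date

# Assumed date on which the S40 pack was installed on the sensor.
UPDATE_DATE = date(2003, 3, 10)

# Constructed sample events: before the update 5053 never fires; afterwards
# it fires on every request that touches /_vti_bin, regardless of target.
SAMPLE_EVENTS = """\
2003-03-08 09:12:01 sigid=3030 sev=4 src=10.0.0.5 dst=192.0.2.10 uri=-
2003-03-09 10:02:44 sigid=3030 sev=4 src=10.0.0.6 dst=192.0.2.11 uri=-
2003-03-10 08:15:09 sigid=3030 sev=4 src=10.0.0.7 dst=192.0.2.10 uri=-
2003-03-10 08:16:30 sigid=5053 sev=5 src=10.0.0.21 dst=192.0.2.10 uri=/_vti_bin/
2003-03-10 08:17:02 sigid=5053 sev=5 src=10.0.0.22 dst=192.0.2.12 uri=/_vti_bin/
2003-03-10 09:40:11 sigid=5053 sev=5 src=10.0.0.23 dst=192.0.2.12 uri=/_vti_bin/
2003-03-11 07:05:55 sigid=3030 sev=4 src=10.0.0.8 dst=192.0.2.11 uri=-
2003-03-11 07:06:12 sigid=5053 sev=5 src=10.0.0.24 dst=192.0.2.10 uri=/_vti_bin/
2003-03-11 12:30:48 sigid=5053 sev=5 src=10.0.0.25 dst=192.0.2.12 uri=/_vti_bin/
2003-03-11 16:58:03 sigid=5053 sev=5 src=10.0.0.26 dst=192.0.2.12 uri=/_vti_bin/
"""

EVENT_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) \d{2}:\d{2}:\d{2} "
    r"sigid=(?P<sigid>\d+) sev=(?P<sev>\d) "
    r"src=(?P<src>\S+) dst=(?P<dst>\S+) uri=(?P<uri>\S+)$"
)


def parse_events(text):
    """Parse the constructed event lines; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = EVENT_RE.match(line)
        if m:
            ev = m.groupdict()
            ev["date"] = date.fromisoformat(ev["date"])
            ev["sigid"] = int(ev["sigid"])
            ev["sev"] = int(ev["sev"])
            events.append(ev)
    return events


def per_day_rates(events, update_date):
    """Average alerts per day per signature, before and after the update.

    The denominator is the number of distinct days seen in each period, so a
    signature that never fired before the update gets a pre-update rate of 0.
    """
    pre_days = {e["date"] for e in events if e["date"] < update_date}
    post_days = {e["date"] for e in events if e["date"] >= update_date}
    pre, post = defaultdict(int), defaultdict(int)
    for e in events:
        (pre if e["date"] < update_date else post)[e["sigid"]] += 1
    rates = {}
    for sigid in set(pre) | set(post):
        rates[sigid] = (
            pre[sigid] / len(pre_days) if pre_days else 0.0,
            post[sigid] / len(post_days) if post_days else 0.0,
        )
    return rates


def spiking_signatures(events, update_date, min_post_rate=2.0, min_ratio=5.0):
    """Sigids whose post-update rate is both high and far above the baseline."""
    flagged = []
    for sigid, (pre_rate, post_rate) in sorted(
        per_day_rates(events, update_date).items()
    ):
        if post_rate < min_post_rate:
            continue
        if pre_rate == 0 or post_rate / pre_rate >= min_ratio:
            flagged.append(sigid)
    return flagged


def split_by_asset(events, sigid, frontpage_hosts):
    """Split a generic signature's hits by whether the target actually runs
    FrontPage extensions (assumed asset list). Hits against other hosts are
    the candidates for an event filter or a lower severity, which is the
    tuning the thread's answer describes; hits on FrontPage hosts are kept.
    """
    keep, review = [], []
    for e in events:
        if e["sigid"] == sigid:
            (keep if e["dst"] in frontpage_hosts else review).append(e)
    return keep, review


if __name__ == "__main__":
    evs = parse_events(SAMPLE_EVENTS)
    print("rates:", per_day_rates(evs, UPDATE_DATE))
    print("spiking after update:", spiking_signatures(evs, UPDATE_DATE))
    keep, review = split_by_asset(evs, 5053, {"192.0.2.12"})
    print(f"5053 on FrontPage hosts: {len(keep)}, elsewhere: {len(review)}")
```

On the constructed data, 3030 holds steady at one alert per day while 5053 goes from zero to three per day, so only 5053 is flagged; splitting its hits by asset then shows which alerts target a host that really serves FrontPage and which are the noise the answer expects a lower severity or a local filter to absorb. The same baseline comparison, run over the sensor's real event export with the actual pack install date, is a cheap check to run after every signature update.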

3 REPLIES
New Member

Re: Resurgence of SIG ID 5053 (vti_bin list attempts)

Observe the same,

number of 5053 alerts jumped from 0 to 50 per day.

New Member

Re: Resurgence of SIG ID 5053 (vti_bin list attempts)

I'm seeing about 400 a day here from none since I installed S40.

