Cisco Support Community

New Member

Sig. 3217 - false positive?

Found 3217 triggered on the 'referrer' field in the HTTP request.

Example:

XXX.170.1.72 - - [29/Oct/2001:23:23:48 -0800] "GET /top.html HTTP/1.0" 200 876 "http://www.theitportal.com/ITPFrameSetBottom.asp?Comp=LifeSupportal.com&Path=http://www.lifesupportal.com/cgi-bin/php.cgi/jobsearch.php?" "Mozilla/4.0 (compatible; MSIE 5.0; Windows 98; DigExt)"

Is it the only signature in IDS 3.0, or will any other HTTP signature work in the same way?

2 REPLIES
New Member

Re: Sig. 3217 - false positive?

Got the same situation with signature 5074:

XXX.XXX.XXX.XXX - - [02/Nov/2001:08:03:46 -0800] "GET / HTTP/1.1" 304 - "http://www.search123.com/cgi-bin/ksearch.cgi?AID=XXX&BRAND=&SESSION_ID=XXXXXXXX" "Mozilla/4.0 (compatible; MSIE 5.5; Windows 98; Win 9x 4.90)"

Any way to tune HTTP-related signatures not to look at the referrer field?

Cisco Employee

Re: Sig. 3217 - false positive?

False positive alarms from the referrer field are a known issue, which is fixed in the 3.0(3) release that is now in the QA process. We have expanded the HTTP decoding facilities in this next service pack.
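
For triaging alarms like the ones in this thread, the following added example (not from the original posts or from Cisco) parses the access-log lines quoted above and reports whether a string appears in the requested URI or only in the Referer field. The patterns `php\.cgi` and `ksearch\.cgi` are assumptions taken from the Referer values in the posts, since the thread does not say what signatures 3217 and 5074 match; the third log line is constructed.

```python
import re

# NCSA/Apache combined log format:
# host ident user [time] "method uri proto" status bytes "referer" "user-agent"
COMBINED = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<uri>\S+)(?: (?P<proto>[^"]*))?" '
    r'(?P<status>\d{3}) (?P<size>\S+) '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

def classify(line, pattern):
    """Return 'request', 'referer-only', 'no-match' or 'unparsed'.

    'request' means the pattern is in the URI the client actually asked
    this server for; 'referer-only' means it appears only in the URL of
    the page the client came from, which is the false-positive case
    described in the thread.
    """
    m = COMBINED.match(line.strip())
    if m is None:
        return "unparsed"
    rx = re.compile(pattern, re.IGNORECASE)
    if rx.search(m.group("uri")):
        return "request"
    if rx.search(m.group("referer")):
        return "referer-only"
    return "no-match"

SAMPLES = [
    # Line quoted in the first post (signature 3217).
    'XXX.170.1.72 - - [29/Oct/2001:23:23:48 -0800] "GET /top.html HTTP/1.0" 200 876 "http://www.theitportal.com/ITPFrameSetBottom.asp?Comp=LifeSupportal.com&Path=http://www.lifesupportal.com/cgi-bin/php.cgi/jobsearch.php?" "Mozilla/4.0 (compatible; MSIE 5.0; Windows 98; DigExt)"',
    # Line quoted in the first reply (signature 5074).
    'XXX.XXX.XXX.XXX - - [02/Nov/2001:08:03:46 -0800] "GET / HTTP/1.1" 304 - "http://www.search123.com/cgi-bin/ksearch.cgi?AID=XXX&BRAND=&SESSION_ID=XXXXXXXX" "Mozilla/4.0 (compatible; MSIE 5.5; Windows 98; Win 9x 4.90)"',
    # Constructed line: the same string in the request URI itself.
    '192.0.2.10 - - [29/Oct/2001:23:30:00 -0800] "GET /cgi-bin/php.cgi/jobsearch.php HTTP/1.0" 200 512 "-" "Mozilla/4.0 (compatible)"',
]

if __name__ == "__main__":
    for line, pat in zip(SAMPLES, [r"php\.cgi", r"ksearch\.cgi", r"php\.cgi"]):
        print(classify(line, pat), "<-", line[:60])
```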
