Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 
New Member

Sig 5120

Does Signature 5120 falsely trigger ? I have seen it trigger on ports other than 24326 namely port 80.

Cisco Employee

Re: Sig 5120

This is an expected flase trigger.

Because the signature is for a web server (running on port 24326) the http requests must be deobfuscated to allow the best protection of hte web server.

So it would be the best solution if the signature only monitored port 5120, but because if internal methods within the sensor the only way to ensure deobfuscation was being done for packets sent to port 24326 we had to add port 24326 to our standard list of web ports. Now all web signatures watch all of the listed web ports. So 5120 is monitored for on port 24326 as well as the other standard web ports. By the same token the other web sigs are monitored on the standard web ports as 24326.

One more reason we had to do this is because the server does not have to necessarily run on 24326, it could be changed ot any port so our implementation had to allow for an editable port list on which http deobfuscation would be done.

So you are correct, that in your environment this is likely a false trigger if you are not running the vulnerable web server on that port.

You can either Exclude that web server address where the web server is runnning on port 80, or even disable the entire signature if you do not have any vulnerable web servers.


Re: Sig 5120

Could you possibly give us a list of source / destination port pairs for the alarms you've seen? Also, what platform are you getting these alarms from, IDSM or Appliance?

New Member

Re: Sig 5120

All were to destination port 80 on the 3.0 sensor platform. Source ports varied. The earlier explanation was fine as to why it triggers.

CreatePlease to create content