Sig 5120

ktimm
Level 1

Does Signature 5120 falsely trigger ? I have seen it trigger on ports other than 24326 namely port 80.

3 Replies

marcabal
Cisco Employee

This is an expected false trigger.

Because the signature is for a web server (running on port 24326), the http requests must be deobfuscated to allow the best protection of the web server.

So it would be the best solution if the signature only monitored port 5120, but because of internal methods within the sensor, the only way to ensure deobfuscation was being done for packets sent to port 24326 was to add port 24326 to our standard list of web ports. Now all web signatures watch all of the listed web ports. So 5120 is monitored for on port 24326 as well as the other standard web ports. By the same token, the other web sigs are monitored on the standard web ports as well as 24326.

One more reason we had to do this is because the server does not necessarily have to run on 24326; it could be changed to any port, so our implementation had to allow for an editable port list on which http deobfuscation would be done.

So you are correct, that in your environment this is likely a false trigger if you are not running the vulnerable web server on that port.

You can either exclude that web server address where the web server is running on port 80, or even disable the entire signature if you do not have any vulnerable web servers.

Could you possibly give us a list of source / destination port pairs for the alarms you've seen? Also, what platform are you getting these alarms from, IDSM or Appliance?

All were to destination port 80 on the 3.0 sensor platform. Source ports varied. The earlier explanation was fine as to why it triggers.
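The tuning options described in the thread (exclude the address where a non-vulnerable web server runs on port 80, or disable the signature entirely) as an added Python example; this is not code from the thread or from Cisco, and the alert records, web port list and host lists are all constructed here:

```python
# Added example: post-sensor tuning for a web signature that the sensor
# evaluates on every configured web port, not only the vulnerable server's
# default port. All alert records and host lists below are constructed.
from dataclasses import dataclass

VULNERABLE_SERVER_PORT = 24326      # default port of the server sig 5120 covers
WEB_PORTS = {80, 443, 8080, 24326}  # constructed stand-in for the sensor's web port list

@dataclass(frozen=True)
class Alert:
    sig_id: int
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int

def should_keep(alert, vulnerable_hosts, excluded_hosts, disabled_sigs):
    """Return True if the alert survives tuning.
    vulnerable_hosts: {ip: port} of hosts actually running the vulnerable server
    (the server can be moved off 24326, so the port is tracked per host).
    excluded_hosts: destinations excluded from sig 5120, e.g. an ordinary
    web server on port 80 that is known not to be the vulnerable product.
    disabled_sigs: signatures switched off entirely."""
    if alert.sig_id in disabled_sigs:
        return False
    if alert.sig_id != 5120:
        return True                      # only sig 5120 is tuned here
    if alert.dst_ip in excluded_hosts:
        return False
    # Keep the alert only if the destination really runs the vulnerable server
    # on that port; the sensor itself fires on any listed web port.
    return vulnerable_hosts.get(alert.dst_ip) == alert.dst_port

def tune(alerts, vulnerable_hosts, excluded_hosts=frozenset(), disabled_sigs=frozenset()):
    return [a for a in alerts if should_keep(a, vulnerable_hosts, excluded_hosts, disabled_sigs)]

# Constructed sample alerts (sig 9999 is a placeholder for some other web sig)
SAMPLE_ALERTS = [
    Alert(5120, "10.0.0.5", 40001, "192.0.2.10", 80),     # ordinary web server: false trigger
    Alert(5120, "10.0.0.6", 40002, "192.0.2.20", 24326),  # vulnerable server on its default port
    Alert(5120, "10.0.0.7", 40003, "192.0.2.30", 8080),   # vulnerable server moved to 8080
    Alert(9999, "10.0.0.8", 40004, "192.0.2.10", 80),     # other web sig, left untouched
]
VULNERABLE_HOSTS = {"192.0.2.20": 24326, "192.0.2.30": 8080}

if __name__ == "__main__":
    for kept in tune(SAMPLE_ALERTS, VULNERABLE_HOSTS):
        print(kept)
```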
