New Member

Sig. 5249&5250. IDS Evasive Double Encoding. Strange/Wrong approach?

Guys,

I'm having a problem defining policies for 5249 and 5250. Based on payload I see "normal" CodeRed-like attacks and some unique things triggering these signatures.

We don't want to process "worm" attacks (just report them) but to investigate unique things. And it looks like I have no choice but to disable 5249/5250, since I observe too many alerts for both types of attacks in a single signature.

To be on the safe side: if cmd.exe is encoded in the URL, will 5250 fire together with 5081 or just 5250?

2 REPLIES
Bronze

Re: Sig. 5249&5250. IDS Evasive Double Encoding. Strange/Wrong a

I guess outright disabling of the alarm might not be a good idea. A much more desirable option would be to fine tune the sensor settings. For more information on the same, please see the document Tuning Sensor Signatures at

http://www.cisco.com/en/US/products/sw/cscowork/ps3990/products_user_guide_chapter09186a0080104f0f.html

Bronze

Re: Sig. 5249&5250. IDS Evasive Double Encoding. Strange/Wrong a

5249 and 5250 are supposed to be "a string of tin cans" kind of alarms. They are intended to provide a warning that something strange is going on. Of the two, 5250 in particular is really a sign of bad things. Unfortunately, Code Red will set these off. In the future, we are working towards aggregating alarms which belong to the same attack, and just report one event. Instead of turning these events off, you might consider reducing the severity. Then, signatures like 5081 will stand out more. Lastly, 5250 will only fire with a 5081 if someone was accessing cmd.exe and using a double-encoded . or / character to traverse the directory.

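An added illustration of the distinction the reply above draws (my own example, not Cisco sensor code; the mapping onto 5249/5250 is an assumed approximation): the detector percent-decodes a request path layer by layer, flags requests that are still encoded after one decode (generic double encoding), and separately flags the case described, a "." or "/" that only appears after the second decode on a request reaching cmd.exe. The sample request lines are constructed.

```python
import re
from urllib.parse import unquote

# Constructed sample request lines, not traffic from the thread.
SAMPLE_REQUESTS = [
    "GET /index.html HTTP/1.0",
    # single-encoded slashes: one decode is enough, no evasion layer
    "GET /scripts/..%2f..%2fwinnt/system32/cmd.exe?/c+dir HTTP/1.0",
    # double-encoded slashes (%252f -> %2f -> /) reaching cmd.exe
    "GET /scripts/..%252f..%252fwinnt/system32/cmd.exe?/c+dir HTTP/1.0",
    # double-encoded but harmless characters (%2541 -> %41 -> A)
    "GET /search?q=%2541%2542 HTTP/1.0",
]

PCT = re.compile(r"%[0-9A-Fa-f]{2}")


def decode_layers(path, max_layers=4):
    """Percent-decode repeatedly; return the successive decodings, raw first."""
    layers = [path]
    while PCT.search(layers[-1]) and len(layers) < max_layers:
        nxt = unquote(layers[-1])
        if nxt == layers[-1]:
            break
        layers.append(nxt)
    return layers


def classify(request_line):
    """Classify one request line.

    double_encoded:           %XX sequences survived the first decode (5249-like)
    double_encoded_traversal: '.' or '/' characters only appeared after the
                              second decode (the 5250 case in the reply)
    cmd_exe:                  fully decoded path reaches cmd.exe (5081-like)
    """
    parts = request_line.split(" ")
    path = parts[1] if len(parts) > 1 else request_line
    layers = decode_layers(path)
    double_encoded = len(layers) >= 3
    traversal = False
    if double_encoded:
        once, twice = layers[1], layers[2]
        # Count traversal characters before and after the second decode;
        # a larger count after it means they were hidden by double encoding.
        before = once.count(".") + once.count("/")
        after = twice.count(".") + twice.count("/")
        traversal = after > before
    cmd = "cmd.exe" in layers[-1].lower()
    return {"double_encoded": double_encoded,
            "double_encoded_traversal": traversal,
            "cmd_exe": cmd}


def scan(lines):
    """Return (request, verdict) pairs for a batch of request lines."""
    return [(line, classify(line)) for line in lines]
```

Only the third sample raises both the traversal flag and the cmd.exe flag; the second is single-encoded and the fourth is double-encoded but carries no traversal characters.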