Sig. 5249 & 5250. IDS Evasive Double Encoding. Strange/Wrong approach?

DSmirnov
Level 1

Guys,

I'm having a problem defining policies for 5249 and 5250. Based on the payload I see "normal" CodeRed-like attacks and some unique things triggering these signatures.

We don't want to process "worm" attacks (just report them) but to investigate the unique things. And it looks like I have no choice but to disable 5249/5250, since I observe too many alerts for both types of attacks in a single signature.

To be on the safe side: if cmd.exe is encoded in the URL, will 5250 fire together with 5081, or just 5250?

2 Replies

jsivulka
Level 5

I guess outright disabling of the alarm might not be a good idea. A much more desirable option would be to fine-tune the sensor settings. For more information on the same, please see the document Tuning Sensor Signatures at

http://www.cisco.com/en/US/products/sw/cscowork/ps3990/products_user_guide_chapter09186a0080104f0f.html

mcerha
Level 3

5249 and 5250 are supposed to be "a string of tin cans" kind of alarms. They are intended to provide a warning that something strange is going on. Of the two, 5250 in particular is really a sign of bad things. Unfortunately, Code Red will set these off. In the future, we are working towards aggregating alarms which belong to the same attack and just reporting one event. Instead of turning these events off, you might consider reducing the severity. Then, signatures like 5081 will stand out more. Lastly, 5250 will only fire with a 5081 if someone was accessing cmd.exe and using a double-encoded . or / character to traverse the directory.
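To illustrate the distinction mcerha draws (double encoding on its own, which is noisy, versus double-encoded traversal that reaches cmd.exe, which is the case where 5250 and 5081 fire together), here is an added Python example; it is not code from the thread or from Cisco. The finding labels, the severity mapping and the sample request paths are constructed for this example and are not the sensor's actual signature logic.

```python
import re
from urllib.parse import unquote

# ".." adjacent to a slash or backslash, checked on the fully decoded path
TRAVERSAL = re.compile(r"\.\.[\\/]|[\\/]\.\.")


def decode_layers(path, max_layers=4):
    """Percent-decode repeatedly until the string stops changing.
    Returns every layer starting with the raw path, so the caller can
    see how many passes were needed (1 = normal, 2+ = double-encoded)."""
    layers = [path]
    for _ in range(max_layers):
        decoded = unquote(layers[-1])
        if decoded == layers[-1]:
            break
        layers.append(decoded)
    return layers


def classify(path):
    """Return a set of constructed finding labels for one request path."""
    layers = decode_layers(path)
    final = layers[-1].lower()
    findings = set()
    if len(layers) > 2:  # a second decode pass still changed the string
        findings.add("double-encoding")
    if TRAVERSAL.search(final):
        findings.add("traversal")
    if "cmd.exe" in final:
        findings.add("cmd.exe")
    if {"double-encoding", "traversal", "cmd.exe"} <= findings:
        findings.add("double-encoded-cmd-traversal")  # the 5250-with-5081 case
    return findings


def severity(path):
    """Assumed triage mapping following the thread's advice: keep the
    double-encoding-only alert low so the cmd.exe traversal stands out."""
    f = classify(path)
    if "double-encoded-cmd-traversal" in f:
        return "high"
    if "traversal" in f or "cmd.exe" in f:
        return "medium"
    if "double-encoding" in f:
        return "low"
    return "none"


# Constructed sample paths: double-encoded backslash traversal to cmd.exe,
# single-encoded traversal to cmd.exe, a double-encoded but harmless query, and a plain page.
SAMPLES = [
    "/scripts/..%255c..%255cwinnt/system32/cmd.exe",
    "/scripts/%2e%2e/%2e%2e/winnt/system32/cmd.exe",
    "/search?q=100%2525",
    "/index.html",
]

if __name__ == "__main__":
    for p in SAMPLES:
        print(severity(p), sorted(classify(p)), p)
```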