Cisco Support Community
New Member

Strange one: 5191

Description: The Signature triggers when a filename greater than 300 characters is seen in a URL with .pl extension.

Got the alert on URL like: http://www.example.com/scr.pl&a=1&b=2&c=3&...

Looks like it doesn't check the filename but checks total URL length.

2 REPLIES
Bronze

Re: Strange one: 5191

What release of CSIDS are you using? Also, could you provide any traffic samples? If so, please feel free to send them to mcerha@cisco.com.

New Member

Re: Strange one: 5191

You are seeing this false positive because the arguments after scr.pl are not separated with a hook (?), but instead by an ampersand (&) which is usually only used to separate arguments. Since this is a non-standard webserver I would suggest that you use the RecordOfExcludedAddress and exclude that webserver from alarm 5191.
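
Added example, not part of the thread and not Cisco's signature logic: a small triage helper for URLs that fired alarm 5191, showing why a standard URL parser counts `&`-joined arguments as part of the filename when no `?` is present. The matching model, function names and sample URLs are assumptions constructed for illustration; only the 300-character limit and the `.pl` extension come from the description above.

```python
from urllib.parse import urlsplit

LIMIT = 300  # filename length from the signature description quoted above


def last_segment(url: str) -> str:
    """Last path segment as a standard URL parser sees it (query starts at '?')."""
    return urlsplit(url).path.rsplit("/", 1)[-1]


def triage(url: str, ext: str = ".pl", limit: int = LIMIT) -> str:
    """Classify a URL that fired the alert (assumed model of the check)."""
    segment = last_segment(url)
    script = segment.split("&", 1)[0]  # script name up to the first '&', if any
    if not script.endswith(ext):
        return "no-match"
    if len(script) > limit:
        return "long-filename"             # the script name itself is oversized
    if len(segment) > limit:
        return "long-ampersand-arguments"  # length comes from '&' arguments only
    return "under-limit"


# Constructed sample URLs (not traffic from the thread)
ARGS = "&".join(f"k{i}=v{i}" for i in range(60))
AMP_URL = "http://www.example.com/scr.pl&" + ARGS    # no '?', as in the report
STD_URL = "http://www.example.com/scr.pl?" + ARGS    # conventional separator
LONG_URL = "http://www.example.com/" + "A" * 301 + ".pl"

if __name__ == "__main__":
    for u in (AMP_URL, STD_URL, LONG_URL):
        print(f"{triage(u):26} segment_length={len(last_segment(u))}")
```
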
