About j826430

j826430 · 08-01-2006

We had sig 5474 fire on two sensors. After looking at the packet and then the Regex in the sig, this just doesn't make sense to me.The Regex:([%]20|[=])[Ss][Ee][Ll][Ee][Cc][Tt]([%]20|[+])[^\r\n\x00-\x19\x7F-\xFF]+([%]20|[+])[Ff][Rr][Oo][Mm]([%]20|[+...

j826430 · 02-24-2006

I'm trying to figure out what in this signature is defining it as "proxied". I captured packets that triggered the sig, and all the packet data matches the trigger. I'm just missing what makes this an issue, and why. I've googled all over the plac...

j826430 · 02-21-2006

This softcart signature fired and I started investigating it. The signature itself states that it's supposed to be the Regexp + 500 chars. However, as I was browsing the site that generated the alerts, I was able to trigger this signature numerous ...

j826430 · 01-07-2009

Also been seeing these recently here. The trigger packets on the IPS all appear to be Javascript related. However, since we can't view the regex in the sig, it's difficult to determine what exaactly the sig is firing on. Masked regex's in the sigs...

Member Since	‎02-16-2006 09:32 AM
Date Last Visited	‎08-18-2017 03:54 AM
Posts	5

User Statistics

User Activity

Sig 5474 - Doesn't come close to packet contents

Sig 6103 ( Proxied RPC Request) - Help!

5307/0 - False Positives?

Re: DHL-USA.com <P>Microsoft Internet Explorer Method Parameter