topic Re: Telnet Environment Variable Disclosure & AS/400 in Network Security https://community.cisco.com/t5/network-security/telnet-environment-variable-disclosure-as-400/m-p/442395#M100097 <HTML><HEAD></HEAD><BODY><P></P><P>Michael,</P><P></P><P>Thank you for your inquiry.</P><P></P><P>Signature 5526.0 looks for non-standard or unusual telnet environment variable commands issued from the server to the telnet client. These are not necessarily malicious.</P><P></P><P>Unfortunately some server implementations may cause the current version of this signature to fire, even though the cause may be benign.</P><P></P><P>We have been made aware of this behavior and are modifying 5526.0 for the next signature release to address this issue.</P><P></P><P>In the meantime you can tune this signature by disabling it or apply filters as needed to reduce false positives.</P><P></P><P>Thank you again, and please let us know if you have any other questions.</P><P></P><P></P><P>Al Roethlisberger</P><P>IPS Signature Development Team</P><P></P></BODY></HTML> Tue, 02 Aug 2005 20:44:12 GMT aroethli 2005-08-02T20:44:12Z Telnet Environment Variable Disclosure & AS/400 https://community.cisco.com/t5/network-security/telnet-environment-variable-disclosure-as-400/m-p/442394#M100089 <P>With signature update 176, I am getting alerted constantly on this sigID: 5526. The evironment has an AS400 that the clients access using IBM's Client Access software (uses Telnet). </P><P></P><P>Yesterday, all of the passwords expired and the users were required to change their passwords.</P><P></P><P>Why would this signature be triggered by this? It is obviously a false positive, but it has freaked out the upper management...</P><P></P><P>Thanks,</P><P>Michael</P> Sun, 10 Mar 2019 09:34:08 GMT https://community.cisco.com/t5/network-security/telnet-environment-variable-disclosure-as-400/m-p/442394#M100089 mlowery 2019-03-10T09:34:08Z Re: Telnet Environment Variable Disclosure & AS/400 https://community.cisco.com/t5/network-security/telnet-environment-variable-disclosure-as-400/m-p/442395#M100097 <HTML><HEAD></HEAD><BODY><P></P><P>Michael,</P><P></P><P>Thank you for your inquiry.</P><P></P><P>Signature 5526.0 looks for non-standard or unusual telnet environment variable commands issued from the server to the telnet client. These are not necessarily malicious.</P><P></P><P>Unfortunately some server implementations may cause the current version of this signature to fire, even though the cause may be benign.</P><P></P><P>We have been made aware of this behavior and are modifying 5526.0 for the next signature release to address this issue.</P><P></P><P>In the meantime you can tune this signature by disabling it or apply filters as needed to reduce false positives.</P><P></P><P>Thank you again, and please let us know if you have any other questions.</P><P></P><P></P><P>Al Roethlisberger</P><P>IPS Signature Development Team</P><P></P></BODY></HTML> Tue, 02 Aug 2005 20:44:12 GMT https://community.cisco.com/t5/network-security/telnet-environment-variable-disclosure-as-400/m-p/442395#M100097 aroethli 2005-08-02T20:44:12Z