https://community.cisco.com/t5/network-security/5477-2-possible-heap-how-did-you-handle-it/m-p/1110308#M78865 <HTML><HEAD></HEAD><BODY><P>To enable Cisco IOS URL filtering, use the urlfilter command in policy-map-class configuration mode. To disable URL filtering, use the no form of this command. </P><P>urlfilter parameter-map-name </P><P>no urlfilter parameter-map-name</P></BODY></HTML> Tue, 09 Sep 2008 15:06:29 GMT sadbulali 2008-09-09T15:06:29Z https://community.cisco.com/t5/network-security/5477-2-possible-heap-how-did-you-handle-it/m-p/1110307#M78864 <P>Im sure everyone has figured out what to do with this signature. It fires a lot due to the code (ad revolver) used on some high traffic websites like lanebryant. </P><P></P><P>Intelli Shield recommends we filter out webservers hosting non-ASCII web pages.</P><P></P><P>How am I supposed to know what webservers are hosting non-ASCII web pages? How can you filter this? I hate to disable this sig because it represents a high risk exploit, but so many false positives.. what have you done with 5477 - 2 ?</P><P></P><P>Description of 5477 / 2:</P><P>This signature fires on detecting unicode-encoded escape sequences in HTML pages. This is a common way to load values into memory and is frequently used in buffer overflow exploits. While the use of unescape() does not indicate anything malicious has occurred, further investigation may be warranted. This signature is also a component of META signature 5556-4. </P><P></P><P>Recommended Filters</P><P>Filter webservers hosting non-ASCII web pages.</P><P></P><P>Benign Triggers</P><P>Benign triggers have been identified with HTML pages represented in non-ASCII characters. </P><P></P><P>Many thanks</P> Sun, 10 Mar 2019 11:17:03 GMT https://community.cisco.com/t5/network-security/5477-2-possible-heap-how-did-you-handle-it/m-p/1110307#M78864 kutukutu9 2019-03-10T11:17:03Z https://community.cisco.com/t5/network-security/5477-2-possible-heap-how-did-you-handle-it/m-p/1110308#M78865 <HTML><HEAD></HEAD><BODY><P>To enable Cisco IOS URL filtering, use the urlfilter command in policy-map-class configuration mode. To disable URL filtering, use the no form of this command. </P><P>urlfilter parameter-map-name </P><P>no urlfilter parameter-map-name</P></BODY></HTML> Tue, 09 Sep 2008 15:06:29 GMT https://community.cisco.com/t5/network-security/5477-2-possible-heap-how-did-you-handle-it/m-p/1110308#M78865 sadbulali 2008-09-09T15:06:29Z https://community.cisco.com/t5/network-security/5477-2-possible-heap-how-did-you-handle-it/m-p/1110309#M78866 <HTML><HEAD></HEAD><BODY><P>In Sig release 354 Cisco has removed the 'Produce Alert' from this signature:</P><P></P><P>S354 Release Notes:</P><P></P><P>5.x, 6.x5477.2 Possible Heap Payload Construction STRING-TCP High True </P><P></P><P>5477.2 "produce-alert" event-action was removed.</P><P></P><P>Just upgrade to reduce the noise.</P><P></P><P>Regards</P><P></P><P>Farrukh</P><P></P><P></P><P></P></BODY></HTML> Sat, 13 Sep 2008 07:26:22 GMT https://community.cisco.com/t5/network-security/5477-2-possible-heap-how-did-you-handle-it/m-p/1110309#M78866 Farrukh Haroon 2008-09-13T07:26:22Z https://community.cisco.com/t5/network-security/5477-2-possible-heap-how-did-you-handle-it/m-p/1110310#M78867 <HTML><HEAD></HEAD><BODY><P>That makes me wonder what good is it to leave a signature enabled but not producing alerts or any other event for that matter? Wasting CPU yes?</P></BODY></HTML> Mon, 15 Sep 2008 11:59:03 GMT https://community.cisco.com/t5/network-security/5477-2-possible-heap-how-did-you-handle-it/m-p/1110310#M78867 kutukutu9 2008-09-15T11:59:03Z https://community.cisco.com/t5/network-security/5477-2-possible-heap-how-did-you-handle-it/m-p/1110311#M78868 <HTML><HEAD></HEAD><BODY><P>I tried replying earlier, not sure if it's going to make it;-) That signature is part of a META signature 5556-4, so removing the action prevents it from firing on its own (we disabled a long time ago due to high false positive rate). If you disable/retire it, you'll have to deal with 5556-4 as well.</P></BODY></HTML> Mon, 15 Sep 2008 12:17:42 GMT https://community.cisco.com/t5/network-security/5477-2-possible-heap-how-did-you-handle-it/m-p/1110311#M78868 mhellman 2008-09-15T12:17:42Z https://community.cisco.com/t5/network-security/5477-2-possible-heap-how-did-you-handle-it/m-p/1110312#M78869 <HTML><HEAD></HEAD><BODY><P>The signature is still used as a meta component in several signatures.</P></BODY></HTML> Mon, 15 Sep 2008 14:20:47 GMT https://community.cisco.com/t5/network-security/5477-2-possible-heap-how-did-you-handle-it/m-p/1110312#M78869 craiwill 2008-09-15T14:20:47Z https://community.cisco.com/t5/network-security/5477-2-possible-heap-how-did-you-handle-it/m-p/1110313#M78870 <HTML><HEAD></HEAD><BODY><P>You mean more than just the one indicated? I don't see how that's possible because intellishield.cisco.com only mentions the one (I laugh in Cisco's general direction). I'm not aware of any way to list which META signatures a component sig is part of, so perhaps you could list the relevant META sigs here?</P></BODY></HTML> Mon, 15 Sep 2008 14:41:23 GMT https://community.cisco.com/t5/network-security/5477-2-possible-heap-how-did-you-handle-it/m-p/1110313#M78870 mhellman 2008-09-15T14:41:23Z https://community.cisco.com/t5/network-security/5477-2-possible-heap-how-did-you-handle-it/m-p/1110314#M78871 <HTML><HEAD></HEAD><BODY><P>I'll update the documentation shortly. </P><P></P><P>This signature is also a component of the following META signatures: 5556-4, 6279-0, 6297-0, 6298-0, 6403-0, 6408-0, 6409-0, 6410-0, 6524-0, 6534-0, 6535-0, 6536-0, 6544-0, 6794-0, 6795-0, 6930-0, 6940-0, 6942-0, 6988-0, 6990-0, 7206-0, 7209-0, 7229-0 and 7237-0.</P></BODY></HTML> Tue, 16 Sep 2008 17:31:30 GMT https://community.cisco.com/t5/network-security/5477-2-possible-heap-how-did-you-handle-it/m-p/1110314#M78871 craiwill 2008-09-16T17:31:30Z