<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic IDS Sig 4058 question in Network Security</title>
    <link>https://community.cisco.com/t5/network-security/ids-sig-4058-question/m-p/400361#M98156</link>
    <description>&lt;P&gt;Sig 4058 subsig 1 (IDS Signature UPnP LOCATION Overflow) was triggered on one of our sensors as what appears to me to be a false positive. From what I understand, the sig fires on a payload of 116 characters or more to service port 5000 TCP.  The destination port was tcp 5000 and the context of the alert triggered was:&lt;/P&gt;&lt;P&gt;&lt;A class="jive-link-custom" href="http://64.4.18.250/cgi-bin/getmsg/IMG_0091.JPG?curmbox=F000000004&amp;amp;a=46c002caa67737093a99d6df1e381c77&amp;amp;msg=MSG1114736378.24&amp;amp;start=169086&amp;amp;len=7145246&amp;amp;mimepart=7&amp;amp;disk=64.4.18.31_d1261&amp;amp;login=m_dinino&amp;amp;domain=hotmail%2ecom&amp;amp;_lang=EN&amp;amp;count" target="_blank"&gt;http://64.4.18.250/cgi-bin/getmsg/IMG_0091.JPG?curmbox=F000000004&amp;amp;a=46c002caa67737093a99d6df1e381c77&amp;amp;msg=MSG1114736378.24&amp;amp;start=169086&amp;amp;len=7145246&amp;amp;mimepart=7&amp;amp;disk=64.4.18.31_d1261&amp;amp;login=m_dinino&amp;amp;domain=hotmail%2ecom&amp;amp;_lang=EN&amp;amp;count&lt;/A&gt;&lt;/P&gt;&lt;P&gt;Is it just a long payload to port 5000 that alerted this or is there something that I am missing?&lt;/P&gt;</description>
    <pubDate>Sun, 10 Mar 2019 09:25:57 GMT</pubDate>
    <dc:creator>g-pfeiffer</dc:creator>
    <dc:date>2019-03-10T09:25:57Z</dc:date>
    <item>
      <title>IDS Sig 4058 question</title>
      <link>https://community.cisco.com/t5/network-security/ids-sig-4058-question/m-p/400361#M98156</link>
      <description>&lt;P&gt;Sig 4058 subsig 1 (IDS Signature UPnP LOCATION Overflow) was triggered on one of our sensors as what appears to me to be a false positive. From what I understand, the sig fires on a payload of 116 characters or more to service port 5000 TCP.  The destination port was tcp 5000 and the context of the alert triggered was:&lt;/P&gt;&lt;P&gt;&lt;A class="jive-link-custom" href="http://64.4.18.250/cgi-bin/getmsg/IMG_0091.JPG?curmbox=F000000004&amp;amp;a=46c002caa67737093a99d6df1e381c77&amp;amp;msg=MSG1114736378.24&amp;amp;start=169086&amp;amp;len=7145246&amp;amp;mimepart=7&amp;amp;disk=64.4.18.31_d1261&amp;amp;login=m_dinino&amp;amp;domain=hotmail%2ecom&amp;amp;_lang=EN&amp;amp;count" target="_blank"&gt;http://64.4.18.250/cgi-bin/getmsg/IMG_0091.JPG?curmbox=F000000004&amp;amp;a=46c002caa67737093a99d6df1e381c77&amp;amp;msg=MSG1114736378.24&amp;amp;start=169086&amp;amp;len=7145246&amp;amp;mimepart=7&amp;amp;disk=64.4.18.31_d1261&amp;amp;login=m_dinino&amp;amp;domain=hotmail%2ecom&amp;amp;_lang=EN&amp;amp;count&lt;/A&gt;&lt;/P&gt;&lt;P&gt;Is it just a long payload to port 5000 that alerted this or is there something that I am missing?&lt;/P&gt;</description>
      <pubDate>Sun, 10 Mar 2019 09:25:57 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/ids-sig-4058-question/m-p/400361#M98156</guid>
      <dc:creator>g-pfeiffer</dc:creator>
      <dc:date>2019-03-10T09:25:57Z</dc:date>
    </item>
    <item>
      <title>Re: IDS Sig 4058 question</title>
      <link>https://community.cisco.com/t5/network-security/ids-sig-4058-question/m-p/400362#M98158</link>
      <description>&lt;P&gt;Signature 4058.1 has hidden parameters and we can't disclose that information. As the signature description reads, 4058.1 triggers upon detecting a large location request sent to a UPnP device. This subsignature looks for requests to TCP port 5000.&lt;/P&gt;&lt;P&gt;However, I can say that what you have here from the context buffer would not have triggered the alarm by itself. There's something else in the stream that caused the alert to trigger - if you happen to have a pcap of the session, I'd be happy to take a look at it. If not, judging from the information you have here, this is most likely a false positive.&lt;/P&gt;</description>
      <pubDate>Mon, 02 May 2005 01:14:11 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/ids-sig-4058-question/m-p/400362#M98158</guid>
      <dc:creator>wsulym</dc:creator>
      <dc:date>2005-05-02T01:14:11Z</dc:date>
    </item>
  </channel>
</rss>

