5610-0 false positives

mhellman · ‎01-25-2006

I don't understand why this is firing. It looks like it should only fire if there is a non-numeric value for the query parameter graph_start...which there isn't. Here are the details.

Arg Name Regex: [Gg][Rr][Aa][Pp][Hh][_][Ss][Tt][Aa][Rr][Tt][=]

Arg Value Regex: [^0-9]+

And here is the context:

fromAttacker:

000000 47 45 54 20 2F 63 61 63 74 69 2F 67 72 61 70 68 GET /cacti/graph

000010 5F 69 6D 61 67 65 2E 70 68 70 3F 6C 6F 63 61 6C _image.php?local

000020 5F 67 72 61 70 68 5F 69 64 3D 31 36 31 26 72 72 _graph_id=161&rr

000030 61 5F 69 64 3D 30 26 67 72 61 70 68 5F 68 65 69 a_id=0&graph_hei

000040 67 68 74 3D 31 30 30 26 67 72 61 70 68 5F 77 69 ght=100&graph_wi

000050 64 74 68 3D 33 30 30 26 67 72 61 70 68 5F 6E 6F dth=300&graph_no

000060 6C 65 67 65 6E 64 3D 74 72 75 65 26 76 69 65 77 legend=true&view

000070 5F 74 79 70 65 3D 74 72 65 65 26 67 72 61 70 68 _type=tree&graph

000080 5F 73 74 61 72 74 3D 31 31 33 38 31 33 31 39 39 _start=113813199

000090 36 26 67 72 61 70 68 5F 65 6E 64 3D 31 31 33 38 6&graph_end=1138

0000A0 32 31 38 33 39 36 20 48 54 54 50 2F 31 2E 31 0D 218396 HTTP/1.1.

riskRatingValue: 65

interface: ge0_0

protocol: tcp

wsulym · ‎01-25-2006

Thankyou for bringing this to our attention, it is indeed a false positive. This has been assigned bug id CSCsd16754 and will be addressed in the S215 release.