
False positive on Sig 5316.0?

lazork222
Level 1

Can someone explain why this signature is firing for me?

This signature is supposed to fire when the string "/ext.dll.*a0=add" is seen.

I am seeing an Attacker context of "http://<server name>/<Sub Dir>/maext.dll"

To me it doesn't seem like this should be firing on this syntax because the ext.dll is not preceded by a "/"; it is preceded by the "ma".

Can anyone help explain this to me?

3 Replies

ebreniz
Level 6

The signature seems to be firing once it sees all the characters in the signature, irrespective of the exact string. That is, as soon as the signature captures all the characters in the signature, it fires. I too feel that this should not be happening this way. Any other thoughts?

wsulym
Cisco Employee

Thanks for bringing this to our attention. There appears to be an error in the regex, leading to false positives. I'll look into it.

wsulym
Cisco Employee

This is identified by bugID CSCse34194. Signature update s230 will contain the modified signature.

Thanks again for bringing this up.
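
An added example, not part of the thread and not Cisco's signature code: a small regression check that runs the pattern quoted in the original post over constructed request URIs and reports any case where the rule fires against expectation. The use of Python's `re` dialect, the `STRICT` variant with escaped dots, and all sample URIs are assumptions made for illustration.

```python
import re

# Pattern as quoted in the thread for signature 5316.0.
# Assumption: evaluated here with Python's re, not the sensor's regex engine.
DOCUMENTED = r"/ext.dll.*a0=add"

# Hypothetical stricter variant: dots escaped so "." matches only a literal dot.
# This is NOT the fix shipped in s230; the thread does not show that regex.
STRICT = r"/ext\.dll.*a0=add"

# Constructed request URIs paired with whether the rule, as described in the
# thread, is expected to fire on them.
CASES = [
    ("/scripts/ext.dll?a0=add&a1=x", True),   # intended hit
    ("/subdir/maext.dll?a0=add", False),      # shape reported in the thread
    ("/subdir/maext.dll", False),             # reported context, no a0=add
    ("/scripts/ext.dll?a0=list", False),      # right DLL, wrong parameter
    ("/scripts/extXdll?a0=add", False),       # only an unescaped "." accepts this
]


def evaluate(pattern, cases=CASES):
    """Return (uri, fired, expected) for every case where the pattern disagrees
    with the expected outcome. An empty list means the pattern behaves as
    described on all sample URIs."""
    rx = re.compile(pattern)
    mismatches = []
    for uri, expected in cases:
        fired = rx.search(uri) is not None
        if fired != expected:
            mismatches.append((uri, fired, expected))
    return mismatches


if __name__ == "__main__":
    for name, pattern in (("documented", DOCUMENTED), ("strict", STRICT)):
        print(name, evaluate(pattern))
```

The quoted pattern does not fire on either `maext.dll` URI, which is consistent with the alert coming from a deployed regex that differed from the documented string. The only mismatch it produces is the unescaped-dot case.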
