Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
498
Views
0
Helpful
1
Replies

IDS Sig 4058 question

g-pfeiffer
Level 1
Level 1

‎04-29-2005 12:04 PM - edited ‎03-10-2019 01:25 AM

Sig 4058 subsig 1 (IDS Signature UPnP LOCATION Overflow) was triggered on one of our sensors as what appears to me to be a false positive. From what I understand, the sig fires on a payload of 116 characters or more to service port 5000 TCP. The destination port was tcp 5000 and the context of the alert triggered was:

http://64.4.18.250/cgi-bin/getmsg/IMG_0091.JPG?curmbox=F000000004&a=46c002caa67737093a99d6df1e381c77&msg=MSG1114736378.24&start=169086&len=7145246&mimepart=7&disk=64.4.18.31_d1261&login=m_dinino&domain=hotmail%2ecom&_lang=EN&count

Is it just a long payload to port 5000 that alerted this or is there something that I am missing?

Labels:
0 Helpful
1 Reply 1

wsulym
Cisco Employee
Cisco Employee

‎05-01-2005 06:14 PM

Signature 4058.1 has hidden parameters and we can't disclose that information. As the signature description reads, 4058.1 triggers upon detecting a large location request sent to a UPnP device. This subsignature looks for requests to TCP port 5000.

However, I can say that what you have here from the context buffer would not have triggered the alarm by itself. There's something else in the stream that cause the alert to trigger - if you happen to have a pcap of the session, I'd be happy to take a look at it. If not, judging from the information you have here, this is most likely a false positive.

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card