IDS Signature Help

maxwell_noel
Level 1

Hi All,

Could somebody advise me of any tips and tricks to handle the following signatures, or any extra information to handle these? What are the measures that can be taken to control the below list of signatures? I know there is information on the NSDB, but I am expecting something more from you guys.

Shell Code in HTTP URL/Args

MS IE help overflow

Backdoor response (TCP 5190)

Long HTTP Request

WWW IIS Double decoder error

Regards

Maxwell Noel

2 Replies

craiwill
Cisco Employee

I’m not really sure what kind of information you’re looking for; if you could be more specific I would be happy to answer any questions you may have. In the meantime here is a brief description of these signatures.

Signatures 5366.x look for an attempt to overflow an HTTP GET request by sending shell code (non-printable characters) in a request to the server.

Signature 5351 looks for an attempt to overflow a call to MS help by overflowing the ‘value’ argument.

Signature 9232, which is disabled by default, simply looks for a syn-ack from port 5190.

Signatures 5322.x look for a long HTTP request by examining the (.1) arguments field and (.0) the URI field.

Signature 5124 looks for a request being sent to a server that could exploit the IIS decode bug. The signature description in the NSDB states that: “This signature triggers when a doubly obfuscated attempt to traverse the directory structure of a web server is detected. Certain versions of the IIS web server perform a second pass decode of the arguments passed to a CGI program. During this second pass decode, the IIS server erroneously reevaluates the already decoded path portion of the URL. An attacker can manipulate the path portion of a URL in such a way as to hide characters, such as ../, which would normally be filtered out during the first pass decode of the URL. This signature will alarm if the following characters are found in a deobfuscated HTTP request.”

Thank You very Much
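To make the descriptions in the reply above concrete, here is an added example (not from the thread, and not Cisco's signature engine) that applies the same three checks to HTTP request lines: the URI/args length test behind 5322.0/5322.1, the non-printable-character test behind 5366.x, and the "traversal visible only after a second decode" test behind 5124. The length thresholds, the alarm labels, and the sample requests are constructed for illustration; the real 5322.x limits are tunable signature parameters.

```python
"""Toy detection logic modelled on the signature descriptions in the reply.
Thresholds, labels and sample requests are assumptions, not NSDB values."""
from typing import List, Tuple
from urllib.parse import unquote

# Assumed thresholds (5322.0 watches the URI field, 5322.1 the arguments field).
MAX_URI_LEN = 1024
MAX_ARGS_LEN = 1024

TRAVERSAL = ("../", "..\\")


def split_request_line(line: str) -> Tuple[str, str, str]:
    """Split 'GET /path?args HTTP/1.1' into (method, uri, args)."""
    parts = line.split(" ")
    if len(parts) != 3:
        raise ValueError("malformed request line")
    method, target, _version = parts
    if "?" in target:
        uri, args = target.split("?", 1)
    else:
        uri, args = target, ""
    return method, uri, args


def traversal_after_decode(path: str) -> str:
    """Classify how a traversal sequence is hidden in the path.

    'plain'  - ../ or ..\\ present in the raw path (caught by a normal first-pass filter)
    'single' - appears after one percent-decode
    'double' - appears only after a second decode (the IIS second-pass bug)
    'none'   - never appears
    """
    if any(t in path for t in TRAVERSAL):
        return "plain"
    once = unquote(path)
    if any(t in once for t in TRAVERSAL):
        return "single"
    twice = unquote(once)
    if any(t in twice for t in TRAVERSAL):
        return "double"
    return "none"


def has_nonprintable(field: str) -> bool:
    """True if the decoded field contains anything outside printable ASCII.

    unquote() turns invalid UTF-8 bytes (e.g. %90) into U+FFFD, which is also
    outside the printable range, so raw binary in a URL is flagged too.
    """
    decoded = unquote(field)
    return any(ord(c) < 0x20 or ord(c) > 0x7E for c in decoded)


def inspect_request(line: str) -> List[str]:
    """Return the list of alarm labels (assumed names) raised for one request line."""
    alarms = []
    _method, uri, args = split_request_line(line)
    if len(uri) > MAX_URI_LEN:
        alarms.append("long-uri (5322.0)")
    if len(args) > MAX_ARGS_LEN:
        alarms.append("long-args (5322.1)")
    if has_nonprintable(uri) or has_nonprintable(args):
        alarms.append("shellcode-in-url-args (5366.x)")
    if traversal_after_decode(uri) == "double":
        alarms.append("double-decode-traversal (5124)")
    return alarms


# Constructed sample request lines: one benign, one double-encoded traversal,
# one with raw non-printable bytes in the arguments, one over-long URI.
SAMPLE_REQUESTS = [
    "GET /index.html HTTP/1.0",
    "GET /scripts/..%255c..%255cwinnt/system32/cmd.exe?/c+dir HTTP/1.0",
    "GET /cgi-bin/a?x=" + "%90" * 40 + " HTTP/1.0",
    "GET /" + "A" * 2000 + " HTTP/1.0",
]

if __name__ == "__main__":
    for req in SAMPLE_REQUESTS:
        print(req[:60], "->", inspect_request(req) or "no alarm")
```

The ordering in `traversal_after_decode` is the point of the 5124 check: a request whose traversal only becomes visible on the second decode is exactly what a first-pass filter on the server would miss, so it is the case worth alarming on separately from a plain `../`.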
