Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1412
Views
0
Helpful
6
Replies

NIDS HTTP evasion - Signature 24339

PWCSinfosec
Level 1
Level 1

‎02-24-2010 07:08 AM - edited ‎03-10-2019 04:53 AM

Hello,

Last night and this morning after the latest signature release s472 I have been getting hammered with alerts from this signature - nids http evasion - signature 24339.  The description says it fires on the occurence of %3f in the URL.  The description also says there are no known begnin alerts, however I am not sure that is the case.  I have attached the a few random packet captures from the IPS that this signature is firing on.  Anyone else seeing this?

Labels:
61418-packet info.txt.zip
0 Helpful
6 Replies 6

scottyschafer
Level 1
Level 1

‎02-24-2010 07:22 AM

I to am experiencing the same thing, however, most of mine seem to be tripping when the other side is Google which i find odd....I am trying to figure out what the end users are doing to cause the signature to fire but so far have not been able to recreate.

0 Helpful

JonPBerbee
Level 1
Level 1
In response to scottyschafer

‎02-24-2010 08:27 AM

We have seen this as well for a few of our customers going to various different websites.  All the alerts we've looked at so far have been false positives.  For example several alerts are being generated by users looking for information about different vehicles.

0 Helpful

PWCSinfosec
Level 1
Level 1
In response to JonPBerbee

‎02-24-2010 09:53 AM

Most of what I am seeing is the same thing, various websites, searches but most are doubleclick adds.. Attached is the full packet info of the common alert I am getting.

61434-24339_packet.txt.zip
0 Helpful

wsulym
Cisco Employee
Cisco Employee

‎02-24-2010 10:28 AM

Lets see if I can fill in a few gaps here... The signature went thru a couple revisions before the version released in s472. We took care of a couple false positives we saw and the signature had been running clean as of the last modification. So at the time if release, we knew of no other benign triggers, that is now obviously not the case. The signature is meant to trigger on whisker's anti-IDS parameter hiding tactic, which it does, but it also triggers on some URL encoding in the URI. We're going to turn it off in the upcoming release, and benign triggers updated. And its also showing me that we've got a bit of a gap in some traffic representation on our test sensors.

0 Helpful

PWCSinfosec
Level 1
Level 1
In response to wsulym

‎02-24-2010 10:44 AM

Thanks for the response and information.  Would you like my collection of packet captures from the ips for your investigation into the false positives?

0 Helpful

wsulym
Cisco Employee
Cisco Employee
In response to PWCSinfosec

‎02-24-2010 10:55 AM

No, I think I'm good... I saw what you had uploaded and the other upload to the thread as well - all very similar to a few of the others I'm seeing elsewhere. Thanks for the offer though.

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card