
Telnet Environment Variable Disclosure & AS/400

mlowery
Level 1

With signature update 176, I am getting alerted constantly on this sigID: 5526. The environment has an AS400 that the clients access using IBM's Client Access software (uses Telnet).

Yesterday, all of the passwords expired and the users were required to change their passwords.

Why would this signature be triggered by this? It is obviously a false positive, but it has freaked out the upper management...

Thanks,

Michael

1 Reply

aroethli
Level 1

Michael,

Thank you for your inquiry.

Signature 5526.0 looks for non-standard or unusual telnet environment variable commands issued from the server to the telnet client. These are not necessarily malicious.

Unfortunately some server implementations may cause the current version of this signature to fire, even though the cause may be benign.

We have been made aware of this behavior and are modifying 5526.0 for the next signature release to address this issue.

In the meantime, you can tune this signature by disabling it or applying filters as needed to reduce false positives.

Thank you again, and please let us know if you have any other questions.

Al Roethlisberger

IPS Signature Development Team
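
For triaging alerts like the one discussed in this thread, the added example below (not part of either post, and not the logic of signature 5526.0, which the thread does not describe) decodes server-to-client NEW-ENVIRON SEND subnegotiations per RFC 1572 and lists the variables the server asks the client for. The sample bytes, the name `SITEVAR` and the standard/review split are constructed assumptions.

```python
"""Added example: list variables a Telnet server requests via NEW-ENVIRON SEND (RFC 1572)."""
IAC, SB, SE, NEW_ENVIRON, SEND = 255, 250, 240, 39, 1
VAR, ESC, USERVAR = 0, 2, 3
WELL_KNOWN = {"USER", "JOB", "ACCT", "PRINTER", "SYSTEMTYPE", "DISPLAY"}  # RFC 1572 names

def subnegotiations(stream):
    """Yield (option, payload) for every complete IAC SB ... IAC SE in the stream."""
    i, n = 0, len(stream)
    while i + 2 < n:
        if stream[i] != IAC:
            i += 1
        elif stream[i + 1] == IAC:          # escaped 0xFF data byte, not a command
            i += 2
        elif stream[i + 1] != SB:           # WILL/WONT/DO/DONT carry one option byte
            i += 3 if stream[i + 1] >= 251 else 2
        else:
            opt, j, payload = stream[i + 2], i + 3, bytearray()
            while j + 1 < n and not (stream[j] == IAC and stream[j + 1] == SE):
                if stream[j] == IAC and stream[j + 1] == IAC:
                    j += 1                  # un-double IAC IAC inside the payload
                payload.append(stream[j])
                j += 1
            if j + 1 < n:                   # truncated subnegotiations are dropped
                yield opt, bytes(payload)
            i = j + 2

def requested_vars(payload):
    """Split a SEND payload into (kind, name); an empty name means 'all of this kind'."""
    out, kind, name, i = [], None, bytearray(), 1
    while i < len(payload):
        b = payload[i]
        if b == ESC and i + 1 < len(payload):   # ESC makes the next byte literal
            name.append(payload[i + 1])
            i += 1
        elif b in (VAR, USERVAR):
            if kind is not None:
                out.append((kind, bytes(name)))
            kind, name = ("VAR" if b == VAR else "USERVAR"), bytearray()
        else:
            name.append(b)
        i += 1
    return out + ([(kind, bytes(name))] if kind is not None else [])

def triage(stream):
    """Label each requested variable; the 'review' policy is this example's assumption."""
    return [(k, v.decode("latin-1"), "standard" if k == "VAR" and
             (not v or v.decode("latin-1") in WELL_KNOWN) else "review")
            for opt, p in subnegotiations(stream) if opt == NEW_ENVIRON and p[:1] == bytes([SEND])
            for k, v in requested_vars(p)]

# Constructed server-to-client bytes: DO NEW-ENVIRON, then SEND VAR "USER" USERVAR "SITEVAR" USERVAR
SAMPLE = (bytes([IAC, 253, NEW_ENVIRON, IAC, SB, NEW_ENVIRON, SEND, VAR]) + b"USER" +
          bytes([USERVAR]) + b"SITEVAR" + bytes([USERVAR, IAC, SE]) + b"login: ")
```

Feed it the server-to-client half of a captured Telnet session; entries marked `review` are the ones to compare against what the server product documents before writing a filter.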
