Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
492
Views
0
Helpful
1
Replies

False positive on sig 3161

stbob
Level 1
Level 1

‎04-30-2002 06:41 AM - edited ‎03-08-2019 10:28 PM

Sig 3161 (MKD overflow) triggered for one of my customers when he was replacing some cgi scripts. From NSDB:

This signature triggers when an attempt is detected to create or delete a directory during a FTP session using a path argument containing executable machine code, also know as shellcode. Subsig 0 watches for use of FTP 'MKD' command with shellcode in the path argument. Subsig 1 watches for use of the FTP 'DELE' command with shellcode in the path argument.

Is it possible that it is interpreting certain cgi filenames as shellcode simply because they are named similar to shellcode?

Labels:
0 Helpful
1 Reply 1

mcerha
Level 3
Level 3

‎04-30-2002 08:46 AM

It could be possible, but I'd think it would be rather unusual. We would need to see a traffic sample to definitively answer the question. You can send any traffic samples to mcerha@cisco.com, and I'll take a look at them for you.

0 Helpful
Customers Also Viewed These Support Documents