Resurgence of SIG ID 5053 (vti_bin list attempts)

8rpalmer
Level 1

Anyone else seen a resurgence of the vti_bin list attempt (SigID 5053)? Ever since I've applied S40 to my IDS appliances, I'm getting flooded with these alerts. Did Cisco tune this signature and fail to include the change in the README?

Would appreciate response from anybody.

Thanks -

Accepted Solution

mcerha
Level 3

There was a change in the regex for S40. This was done to fix a false negative issue. Now, it is causing false positives. We are looking into this. 5053 is intended to be a generic signature with the intent that all accesses to the /_vti_bin directory are suspicious. This may not be true for all environments. Our current plan is to reduce the default severity for 5053 to a 3 and update the documentation in the NSDB to state that there may be false positives in some environments. We will also look to add more specific FrontPage exploits in the future to cover this area.

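As an added illustration of the tuning the accepted answer describes (this is not Cisco's code and not the real 5053 regex), the script below applies a generic /_vti_bin match to constructed request lines and marks hits from a known authoring network to a known FrontPage host as expected, so an analyst can measure how much of the flood is environment-specific. The host names, networks, request lines and pattern are all assumptions.

```python
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# Stand-in pattern (assumption; the real 5053 regex is not in the thread): any request
# line whose path enters the /_vti_bin directory, which is what the accepted answer
# says the signature is meant to catch generically.
VTI_BIN_RE = re.compile(r"^(?:GET|POST|HEAD|OPTIONS)\s+/_vti_bin(?:/|\?|\s)", re.IGNORECASE)

DEFAULT_SEVERITY = 3  # the reduced default severity the accepted answer says is planned

# Constructed sample events: (source IP, destination host, HTTP request line)
SAMPLE_EVENTS = [
    ("10.20.0.15", "intranet.example.internal", "POST /_vti_bin/shtml.dll/_vti_rpc HTTP/1.1"),
    ("10.20.0.15", "intranet.example.internal", "POST /_vti_bin/_vti_aut/author.dll HTTP/1.1"),
    ("10.20.0.77", "intranet.example.internal", "GET /index.htm HTTP/1.1"),
    ("203.0.113.9", "www.example.com", "GET /_vti_bin/ HTTP/1.0"),
    ("203.0.113.9", "www.example.com", "GET /_vti_bin/shtml.dll HTTP/1.0"),
    ("198.51.100.4", "intranet.example.internal", "GET /_vti_bin/ HTTP/1.0"),
]


def triage(events, frontpage_hosts, authoring_nets, default_severity=DEFAULT_SEVERITY):
    """Apply the generic /_vti_bin match, then classify each hit.

    A hit is 'expected-authoring' when it targets a host known to serve FrontPage
    extensions and comes from a network where authoring clients live; every other
    hit keeps the default severity. Returns (src, dst, request, verdict) tuples.
    """
    nets = [ip_network(n) for n in authoring_nets]
    results = []
    for src, dst, request in events:
        if not VTI_BIN_RE.search(request):
            continue  # the generic signature would not fire on this request
        src_ip = ip_address(src)
        expected = dst in frontpage_hosts and any(src_ip in n for n in nets)
        verdict = "expected-authoring" if expected else f"alert-sev{default_severity}"
        results.append((src, dst, request, verdict))
    return results


def summarize(results):
    """Count verdicts so an analyst can see how much of the flood is tunable."""
    return Counter(r[3] for r in results)


if __name__ == "__main__":
    hits = triage(SAMPLE_EVENTS, {"intranet.example.internal"}, ["10.20.0.0/16"])
    for hit in hits:
        print(*hit)
    print(summarize(hits))
```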

3 Replies

DSmirnov
Level 1

Observe the same; the number of 5053 alerts jumped from 0 to 50 per day.

I'm seeing about 400 a day here from none since I installed S40.
