02-25-2003 08:46 AM - edited 03-09-2019 02:14 AM
Anyone else seen a resurgence of the vti_bin list attempt (SigID 5053)? Ever since I've applied S40 to my IDS appliances, I'm getting flooded with these alerts. Did Cisco tune this signature and fail to include the change in the README?
Would appreciate response from anybody.
Thanks -
02-25-2003 02:53 PM
There was a change in the regex for S40. This was done to fix a false negative issue. Now, it is causing false positives. We are looking into this. 5053 is intended to be a generic signature with the intent that all accesses to the /_vti_bin directory are suspicious. This may not be true for all environments. Our current plan is to reduce the default severity for 5053 to a 3 and update the documentation in the NSDB to state that there may be false positives in some environments. We will also look to add more specific FrontPage exploits in the future to cover this area.
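The trade-off described in the answer above, a generic "any access to /_vti_bin is suspicious" check versus a narrower "directory listing attempt" check, with the reduced default severity applied only to the generic case, as an added illustration that is not Cisco's signature logic and not part of this thread. The two regexes, the severity values 5 and 3, the allow-list-free tuning approach and the sample request lines are all constructed for this example; the real 5053 regex before and after S40 is not shown on the page.

```python
import re
from typing import List, NamedTuple, Optional


class Alert(NamedTuple):
    request: str
    reason: str
    severity: int


# Minimal HTTP request-line parser: method, URI, version.
REQUEST_LINE = re.compile(r"^(?P<method>[A-Z]+)\s+(?P<uri>\S+)\s+HTTP/\d\.\d$")

# Hypothetical generic check (stand-in for a broadened signature): any URI whose
# path contains a /_vti_bin path component fires, including normal FrontPage
# client traffic such as shtml.dll RPC calls.
GENERIC_VTI_BIN = re.compile(r"(?i)(?:^|/)_vti_bin(?:/|$)")

# Hypothetical narrow check: a bare request for the directory itself, which is
# what a "directory listing attempt" actually looks like.
DIRECTORY_LISTING = re.compile(r"(?i)(?:^|/)_vti_bin/?$")

SEVERITY_DEFAULT = 5   # hypothetical original default severity
SEVERITY_TUNED = 3     # the reduced default the thread describes


def inspect(request_line: str, tuned: bool = False) -> Optional[Alert]:
    """Return an Alert for a request line, or None if nothing fires.

    With tuned=False every /_vti_bin access is reported at the high severity.
    With tuned=True only the listing attempt keeps the high severity; other
    accesses under /_vti_bin still fire but at the reduced severity, so an
    environment with legitimate FrontPage clients can sort them out.
    """
    m = REQUEST_LINE.match(request_line)
    if not m:
        return None
    path = m.group("uri").split("?", 1)[0]   # strip query string before matching
    if not GENERIC_VTI_BIN.search(path):
        return None
    if DIRECTORY_LISTING.search(path):
        return Alert(request_line, "vti_bin directory listing attempt", SEVERITY_DEFAULT)
    severity = SEVERITY_TUNED if tuned else SEVERITY_DEFAULT
    return Alert(request_line, "access under /_vti_bin", severity)


def triage(requests: List[str], tuned: bool = False) -> List[Alert]:
    """Run inspect() over a batch of request lines and keep the alerts."""
    return [a for a in (inspect(r, tuned) for r in requests) if a is not None]


# Constructed sample traffic (not from the thread): two legitimate FrontPage
# client requests, one bare directory request, and two unrelated requests.
SAMPLE_REQUESTS = [
    "GET /index.html HTTP/1.1",
    "POST /_vti_bin/shtml.dll/_vti_rpc HTTP/1.1",
    "GET /_vti_bin/ HTTP/1.1",
    "GET /docs/_vti_bin/owssvr.dll?ul=1 HTTP/1.1",
    "GET /images/logo.png HTTP/1.0",
]

if __name__ == "__main__":
    for mode in (False, True):
        print("tuned" if mode else "generic")
        for alert in triage(SAMPLE_REQUESTS, tuned=mode):
            print(f"  sev {alert.severity}: {alert.reason:<36} {alert.request}")
```

Running the block shows why the alert volume jumps: the generic pattern fires on every request under /_vti_bin, which on a server with active FrontPage authoring is routine traffic, while only the bare directory request is a real listing attempt. Lowering the default severity, as the answer proposes, keeps the events visible without drowning the console; a site with no FrontPage use at all can leave it at the higher value.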
02-25-2003 09:03 AM
Observe the same,
number of 5053 alerts jumped from 0 to 50 per day.
02-25-2003 10:06 AM
I'm seeing about 400 a day here from none since I installed S40.