11-27-2001 01:41 PM - edited 03-08-2019 09:17 PM
Does Signature 5120 falsely trigger ? I have seen it trigger on ports other than 24326 namely port 80.
11-27-2001 02:41 PM
This is an expected false trigger.
Because the signature is for a web server (running on port 24326), the http requests must be deobfuscated to allow the best protection of the web server.
So it would be the best solution if the signature only monitored port 5120, but because of internal methods within the sensor, the only way to ensure deobfuscation was being done for packets sent to port 24326 was to add port 24326 to our standard list of web ports. Now all web signatures watch all of the listed web ports. So 5120 is monitored on port 24326 as well as on the other standard web ports. By the same token, the other web sigs are monitored on the standard web ports as well as on 24326.
One more reason we had to do this is that the server does not necessarily have to run on 24326; it could be changed to any port, so our implementation had to allow for an editable port list on which http deobfuscation would be done.
So you are correct, that in your environment this is likely a false trigger if you are not running the vulnerable web server on that port.
You can either exclude that web server address where the web server is running on port 80, or even disable the entire signature if you do not have any vulnerable web servers.
11-28-2001 09:14 AM
Could you possibly give us a list of source / destination port pairs for the alarms you've seen? Also, what platform are you getting these alarms from, IDSM or Appliance?
11-28-2001 10:46 AM
All were to destination port 80 on the 3.0 sensor platform. Source ports varied. The earlier explanation was fine as to why it triggers.