We had sig 5474 fire on two sensors. After looking at the packet and then the Regex in the sig, this just doesn't make sense to me. The Regex: ([%]20|[=])[Ss][Ee][Ll][Ee][Cc][Tt]([%]20|[+])[^\r\n\x00-\x19\x7F-\xFF]+([%]20|[+])[Ff][Rr][Oo][Mm]([%]20|[+...
I'm trying to figure out what in this signature is defining it as "proxied". I captured packets that triggered the sig, and all the packet data matches the trigger. I'm just missing what makes this an issue, and why. I've googled all over the plac...
This softcart signature fired and I started investigating it. The signature itself states that it's supposed to be the Regexp + 500 chars. However, as I was browsing the site that generated the alerts, I was able to trigger this signature numerous ...
Also been seeing these recently here. The trigger packets on the IPS all appear to be JavaScript related. However, since we can't view the regex in the sig, it's difficult to determine what exactly the sig is firing on. Masked regexes in the sigs...