TO UNSUBSCRIBE: email "unsubscribe issforum" in the body of your message to
[EMAIL PROTECTED] Contact [EMAIL PROTECTED] for help with any problems!
----------------------------------------------------------------------------
We've seen almost completely false positives here as well, especially
related to Yahoo! (evidently some of their graphics files have a directory
called "sh" in the path), and the Java problem is even more egregious.
We have similar problems with the HTTP_Cisco_Catalyst_Exec signature and
Amazon.com, since the signature triggers on any URL where the object starts
with "/exec". Both of these signatures are overly broad IMO and should be
tightened to reduce the false positive rate.
"rajesh vasudevan"
<rajeshvasudevan@h To: [EMAIL PROTECTED]
otmail.com> cc:
Sent by: Subject: Is it worth keeping Http
Shell signature in network sensors?
owner-issforum@iss
.net
06/25/2002 02:13
AM
TO UNSUBSCRIBE: email "unsubscribe issforum" in the body of your message to
[EMAIL PROTECTED] Contact [EMAIL PROTECTED] for help with any
problems!
----------------------------------------------------------------------------
Hi,
This is about HTTP_SHELL signature, which I feel not doing its function.
This signature is capturing the traffic with URLs which contains "sh" or
"java". Real secure gives an explanation to the event that this signature
detects an attempt to get shells to execute commands.
But if the signature detects any URL with entries like
"/docs/api/java/util/Date.html" as an attempt to invoke Shell interpreter,
then it raises a serious concern about the reliability of that signature.
So far I couldn't find a single attempt related to this event which seems
to be a genuine one.
I had gone through the mailing list archives also, I could see the same
queries were raised before.. But nobody ( even ISS Support) could give a
clear explanation about this or any modification on this signature.
I request you to give your feedbacks / experience on this signature, so
that
if this signature proves to be useless, then I need to remove it from the
policy file and hence I can save a good amount of hard disk space !!!
Cheers
Rajesh
_________________________________________________________________
MSN Photos is the easiest way to share and print your photos:
http://photos.msn.com/support/worldwide.aspx
