TO UNSUBSCRIBE: email "unsubscribe issforum" in the body of your message to [EMAIL PROTECTED] Contact [EMAIL PROTECTED] for help with any problems! ----------------------------------------------------------------------------
In the Network Sensor 7.0 release the HTTP_Shells signature was changed to be multiple more specific events, and you should see improved performance. As for HTTP_Cisco_Catalyst_Exec, there is a configuration option outlined in the help file that will enable you to exclude directories of your choice for this event. This should correct your issue with Amazon.com.

-Jamie

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, June 26, 2002 1:42 PM
To: rajesh vasudevan
Cc: [EMAIL PROTECTED]; [EMAIL PROTECTED]
Subject: Re: Is it worth keeping Http Shell signature in network sensors?

We've seen almost completely false positives here as well, especially related to Yahoo! (evidently some of their graphics files have a directory called "sh" in the path), and the Java problem is even more egregious. We have similar problems with the HTTP_Cisco_Catalyst_Exec signature and Amazon.com, since the signature triggers on any URL where the object starts with "/exec". Both of these signatures are overly broad IMO and should be tightened to reduce the false positive rate.

"rajesh vasudevan" <rajeshvasudevan@hotmail.com>
Sent by: owner-issforum@iss.net
06/25/2002 02:13 AM
To: [EMAIL PROTECTED]
cc:
Subject: Is it worth keeping Http Shell signature in network sensors?

Hi,

This is about the HTTP_SHELL signature, which I feel is not doing its function. This signature is capturing the traffic with URLs which contain "sh" or "java".
RealSecure gives an explanation to the event that this signature detects an attempt to get shells to execute commands. But if the signature detects any URL with entries like "/docs/api/java/util/Date.html" as an attempt to invoke a shell interpreter, then it raises a serious concern about the reliability of that signature. So far I couldn't find a single attempt related to this event which seems to be a genuine one. I had gone through the mailing list archives also; I could see the same queries were raised before. But nobody (even ISS Support) could give a clear explanation about this or any modification on this signature.

I request you to give your feedback / experience on this signature, so that if this signature proves to be useless, then I need to remove it from the policy file and hence I can save a good amount of hard disk space!!!

Cheers
Rajesh
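
The false-positive pattern discussed in this thread, as an added example that is not part of the original messages and is not ISS's signature code: it models the broad matching the posters describe, a narrower shell rule, and a directory exclusion for the "/exec" rule. The rule logic, the sample URLs, the example.com hosts and the excluded directory are assumptions constructed for illustration.

```python
from urllib.parse import urlsplit, unquote

SHELL_TOKENS = {"sh", "java"}  # tokens the thread reports as triggering HTTP_Shells

# Constructed sample requests: (URL, should_alert). Hosts are placeholders.
SAMPLES = [
    ("http://docs.example.com/docs/api/java/util/Date.html", False),
    ("http://img.example.com/i/sh/logo.gif", False),
    ("http://shop.example.com/exec/obidos/item/123", False),
    ("http://www.example.com/cgi-bin/sh", True),
    ("http://switch.example.net/exec/some/command", True),
]

def url_path(url):
    """Decoded, lower-cased path so %-encoding and case do not hide a match."""
    return unquote(urlsplit(url).path).lower()

def segments(url):
    return [s for s in url_path(url).split("/") if s]

def broad_shell(url):
    """Any path segment equal to a shell token (behaviour as described in the thread)."""
    return any(s in SHELL_TOKENS for s in segments(url))

def narrow_shell(url):
    """Assumed tightening: only the requested object itself is compared."""
    segs = segments(url)
    return bool(segs) and segs[-1] in SHELL_TOKENS

def broad_exec(url):
    """Object starts with /exec (behaviour as described in the thread)."""
    return url_path(url).startswith("/exec")

def exec_excluding(excluded_dirs):
    """Build an /exec rule that skips operator-chosen directories."""
    def rule(url):
        path = url_path(url)
        return broad_exec(url) and not any(path.startswith(d) for d in excluded_dirs)
    return rule

def score(rule):
    """Return (false_positives, true_positives) for a rule over SAMPLES."""
    fp = sum(1 for url, bad in SAMPLES if rule(url) and not bad)
    tp = sum(1 for url, bad in SAMPLES if rule(url) and bad)
    return fp, tp

if __name__ == "__main__":
    for name, rule in [("broad_shell", broad_shell), ("narrow_shell", narrow_shell),
                       ("broad_exec", broad_exec),
                       ("exec_excluding", exec_excluding(["/exec/obidos/"]))]:
        print(name, score(rule))
```

Both fixes trade coverage for noise: the narrower shell rule ignores interpreter names anywhere but the last path segment, and every excluded directory is a path the sensor no longer alerts on, so exclusions are best kept as specific as possible.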
