TO UNSUBSCRIBE: email "unsubscribe issforum" in the body of your message to [EMAIL PROTECTED] Contact [EMAIL PROTECTED] for help with any problems! ----------------------------------------------------------------------------
I also agree. The HTTP_Shells and Cisco alert referred to below should be tuned or removed as they are false 99.99% of the time in my environment. -----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] Sent: Wednesday, June 26, 2002 1:42 PM To: rajesh vasudevan Cc: [EMAIL PROTECTED]; [EMAIL PROTECTED] Subject: Re: Is it worth keeping Http Shell signature in network sensors? TO UNSUBSCRIBE: email "unsubscribe issforum" in the body of your message to [EMAIL PROTECTED] Contact [EMAIL PROTECTED] for help with any problems! ---------------------------------------------------------------------------- We've seen almost completely false positives here as well, especially related to Yahoo! (evidently some of their graphics files have a directory called "sh" in the path), and the Java problem is even more egregious. We have similar problems with the HTTP_Cisco_Catalyst_Exec signature and Amazon.com, since the signature triggers on any URL where the object starts with "/exec". Both of these signatures are overly broad IMO and should be tightened to reduce the false positive rate. "rajesh vasudevan" <rajeshvasudevan@h To: [EMAIL PROTECTED] otmail.com> cc: Sent by: Subject: Is it worth keeping Http Shell signature in network sensors? owner-issforum@iss .net 06/25/2002 02:13 AM TO UNSUBSCRIBE: email "unsubscribe issforum" in the body of your message to [EMAIL PROTECTED] Contact [EMAIL PROTECTED] for help with any problems! ---------------------------------------------------------------------------- Hi, This is about HTTP_SHELL signature, which I feel not doing its function. This signature is capturing the traffic with URLs which contains "sh" or "java". Real secure gives an explanation to the event that this signature detects an attempt to get shells to execute commands. But if the signature detects any URL with entries like "/docs/api/java/util/Date.html" as an attempt to invoke Shell interpreter, then it raises a serious concern about the reliability of that signature. So far I couldn't find a single attempt related to this event which seems to be a genuine one. I had gone through the mailing list archives also, I could see the same queries were raised before.. But nobody ( even ISS Support) could give a clear explanation about this or any modification on this signature. I request you to give your feedbacks / experience on this signature, so that if this signature proves to be useless, then I need to remove it from the policy file and hence I can save a good amount of hard disk space !!! Cheers Rajesh _________________________________________________________________ MSN Photos is the easiest way to share and print your photos: http://photos.msn.com/support/worldwide.aspx
