TO UNSUBSCRIBE: email "unsubscribe issforum" in the body of your message to
[EMAIL PROTECTED]  Contact [EMAIL PROTECTED] for help with any problems!
----------------------------------------------------------------------------

HTTP_Cisco_Catalyst_Exec can be tuned as follows for 6.x sensors:

In the advanced tab of the policy editor, add the directory name (under
/exec/) that you wish to ignore.  Place a comma between multiple dirs.  

In my testing lab I've configured the following: 

obidos,abc,eat-at-joes,cool/stuff/here


HTTP_Shells is on our list of decodes to review.  I cannot promise that
fixes will be in the next XPU (as matter of fact, it is highly likely that
it will NOT be fixed in the next XPU), but we will do something for a future
XPU.

Thank you for the feedback.

David Means


-----Original Message-----
From: Eric Ballantyne [mailto:[EMAIL PROTECTED]]
Sent: Friday, June 28, 2002 10:19 AM
To: 'Paul Van Gurp'; '[EMAIL PROTECTED]'; rajesh vasudevan
Cc: [EMAIL PROTECTED]; [EMAIL PROTECTED]
Subject: RE: Is it worth keeping Http Shell signature in network sensors?



I have to agree with all of the comments listed below.  Even after trying
several attempts at fine tuning both events, I have a 95%-99% false positive
rate on both signatures.  Even after several upgrades and XPU's I haven't
seen any improvement.

-----Original Message-----
From: Paul Van Gurp [mailto:[EMAIL PROTECTED]]
Sent: Thursday, June 27, 2002 6:26 AM
To: '[EMAIL PROTECTED]'; rajesh vasudevan
Cc: [EMAIL PROTECTED]; [EMAIL PROTECTED]
Subject: RE: Is it worth keeping Http Shell signature in network sensors?



I also agree.  The HTTP_Shells and Cisco alert referred to below should be
tuned or removed as they are false 99.99% of the time in my environment.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, June 26, 2002 1:42 PM
To: rajesh vasudevan
Cc: [EMAIL PROTECTED]; [EMAIL PROTECTED]
Subject: Re: Is it worth keeping Http Shell signature in network sensors?



We've seen almost completely false positives here as well, especially
related to Yahoo! (evidently some of their graphics files have a directory
called "sh" in the path), and the Java problem is even more egregious.

We have similar problems with the HTTP_Cisco_Catalyst_Exec signature and
Amazon.com, since the signature triggers on any URL where the object starts
with "/exec". Both of these signatures are overly broad IMO and should be
tightened to reduce the false positive rate.


-----Original Message-----
From: rajesh vasudevan <rajeshvasudevan@hotmail.com>
Sent by: owner-issforum@iss.net
Sent: 06/25/2002 02:13 AM
To: [EMAIL PROTECTED]
Cc:
Subject: Is it worth keeping Http Shell signature in network sensors?





Hi,

This is about the HTTP_SHELL signature, which I feel is not doing its function.

This signature is capturing traffic with URLs which contain "sh" or
"java". RealSecure gives an explanation of the event that this signature
detects an attempt to get shells to execute commands.
But if the signature treats any URL with entries like
"/docs/api/java/util/Date.html" as an attempt to invoke a shell interpreter,
then it raises a serious concern about the reliability of that signature.
So far I couldn't find a single attempt related to this event which seems
to be a genuine one.

I have also gone through the mailing list archives, and I could see the same
queries were raised before, but nobody (even ISS Support) could give a
clear explanation about this or any modification of this signature.

I request you to give your feedback / experience on this signature, so that
if this signature proves to be useless, I can remove it from the
policy file and hence save a good amount of hard disk space!!!


Cheers

Rajesh




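As an added example (not code from ISS, and not written by anyone in this thread), the Python below models the two signatures the way the thread describes their behaviour, applies the tuning David Means describes at the top of the thread (a comma-separated list of directory names under /exec/ to ignore, using his lab list), and shows one way HTTP_Shells could be tightened so that a directory named "sh" or "java" in the middle of a path no longer fires. The tightened check, the interpreter name list and every URL in the sample set are assumptions constructed for illustration, not captured traffic.

```python
import re
from urllib.parse import urlsplit, unquote

# Added example, not code from ISS or from anyone in the thread.  The ignore
# list is the one David Means posted; the tightened HTTP_Shells logic, the
# INTERPRETERS set and all SAMPLE_URLS are assumptions made for illustration.

IGNORE_TEXT = "obidos,abc,eat-at-joes,cool/stuff/here"

# Interpreter names the tightened HTTP_Shells check looks for (assumed list).
INTERPRETERS = {"sh", "bash", "csh", "ksh", "tcsh", "zsh", "java"}


def _decoded(url):
    """Return (path, query) with percent-encoding removed, so %2Fbin%2Fsh is seen as /bin/sh."""
    parts = urlsplit(url)
    return unquote(parts.path), unquote(parts.query)


def catalyst_exec_broad(url):
    """HTTP_Cisco_Catalyst_Exec as the thread describes it: the object starts with /exec."""
    path, _ = _decoded(url)
    return path.startswith("/exec")


def parse_ignore_list(text):
    """Comma-separated directory names under /exec/, as entered in the policy editor."""
    return [entry.strip().strip("/") for entry in text.split(",") if entry.strip()]


def catalyst_exec_tuned(url, ignore_dirs):
    """Same prefix match, minus requests whose path under /exec/ starts with an ignored dir.
    Note the tuning only exempts listed directories; a path like /executive-summary.html
    still matches the /exec prefix."""
    if not catalyst_exec_broad(url):
        return False
    path, _ = _decoded(url)
    rest = path[len("/exec"):].lstrip("/")      # e.g. "obidos/ASIN/..." or "cool/stuff/here/x"
    for d in ignore_dirs:
        if rest == d or rest.startswith(d + "/"):
            return False
    return True


def http_shells_broad(url):
    """HTTP_Shells as the thread describes it: the URL contains "sh" or "java" anywhere."""
    u = url.lower()
    return "sh" in u or "java" in u


def http_shells_tightened(url):
    """Assumed tighter check: fire only when the requested object itself is an
    interpreter (/cgi-bin/sh) or an interpreter path is passed as a parameter
    value (?cmd=/bin/sh).  A directory named sh or java mid-path does not fire."""
    path, query = _decoded(url)
    segments = [s for s in path.split("/") if s]
    if segments and segments[-1].lower() in INTERPRETERS:
        return True
    for token in re.split(r"[&=;|\s]+", query):
        if token.rsplit("/", 1)[-1].lower() in INTERPRETERS:
            return True
    return False


# Constructed request URLs (not captured traffic); comments say which thread case each mimics.
SAMPLE_URLS = [
    "http://www.amazon.com/exec/obidos/ASIN/0123456789/",        # Amazon storefront path
    "http://www.example.com/exec/cool/stuff/here/index.html",    # multi-segment ignore entry
    "http://www.example.com/exec/cool/stuff/elsewhere",          # not covered by the ignore list
    "http://www.example.com/executive-summary.html",             # "/exec" prefix over-match
    "http://192.0.2.10/exec/admin",                              # hypothetical unlisted dir
    "http://www.example.com/images/sh/logo.gif",                 # directory named "sh", Yahoo-style
    "http://www.example.com/docs/api/java/util/Date.html",       # the Javadoc case from the thread
    "http://www.example.com/shop/cart",                          # "sh" inside an ordinary word
    "http://www.example.com/cgi-bin/sh",                         # interpreter requested directly
    "http://www.example.com/cgi-bin/form.cgi?cmd=%2Fbin%2Fsh",   # interpreter passed as a parameter
]


def evaluate(urls, ignore_text=IGNORE_TEXT):
    """Run every variant over the URLs; returns a dict of variant name -> list of URLs that fired."""
    ignore_dirs = parse_ignore_list(ignore_text)
    checks = {
        "HTTP_Cisco_Catalyst_Exec (broad)": catalyst_exec_broad,
        "HTTP_Cisco_Catalyst_Exec (tuned)": lambda u: catalyst_exec_tuned(u, ignore_dirs),
        "HTTP_Shells (broad)": http_shells_broad,
        "HTTP_Shells (tightened)": http_shells_tightened,
    }
    return {name: [u for u in urls if fn(u)] for name, fn in checks.items()}


if __name__ == "__main__":
    for name, hits in evaluate(SAMPLE_URLS).items():
        print(f"{name}: {len(hits)} of {len(SAMPLE_URLS)} fired")
        for hit in hits:
            print("   ", hit)
```

Over this sample set the broad forms of both signatures fire five times each, and in each case most of the hits are the storefront, image and Javadoc paths the thread complains about. The directory ignore list removes the Amazon and listed-path hits but cannot help with the "/executive-summary.html" prefix over-match, which is the signature's own definition rather than a tuning problem. The tightened HTTP_Shells variant keeps the two requests that actually name an interpreter as the object or as a parameter value; it is only one possible tightening, and any whole-segment rule will still have to decide what to do with a request whose final segment is a directory legitimately called "java".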