Strange triggering signature

I have a triggered signature that I do not understand: 

It triggered on the Response! Not the attack.

What is HID1: etc.? The tokens were in the source packet - it did not trigger there. Why not?

Can someone explain to me what is being shown by the NSM?

This is the Layer 7 Data:

HTTP URI: /Login.aspx?ReturnUrl='+ (select convert(int, cast(0x5f21403264696c656d6d61 as varchar(8000))) from syscolumns) +'
HTTP Return Code: 200
HTTP User-Agent: Mozilla/5.0 (Windows NT 10.0; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
HTTP Server Type: Microsoft-IIS/10.0
HTTP Host: xxxxxxxxxxxxxxxxxxxxxx
HTTP Response Content Type: text/html; charset=utf-8
Expires: -1
HID1: convert\x28
HID2: cast\x28
HID3: 5375
HID4: select(\x20|\x2b)
HID5: from

Signature From Details:
Matched Blacklisted Tokens
HID1: convert\x28
HID2: cast\x28
HID3: 5375
HID4: select(\x20|\x2b)
HID5: from

PCAP:

GET /Login.aspx?ReturnUrl='+ (select convert(int, cast(0x5f21403264696c656d6d61 as varchar(8000))) from syscolumns) +'HTTP/1.1 
Referer: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
User-Agent: Mozilla/5.0 (Windows NT 10.0; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
X-Scanner: Netsparker Enterprise
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Cache-Control: no-cache
Cookie: ASP.NET_SessionId=xxxxxxxxxxx; eRxNowDELUXE=; _gat=1; _ga=xxxxxxxxxxx; _gid=xxxxxxxxxx
Host: xxxxxxxxxxxxxxxxxxxxxxxxx
Accept-Encoding: gzip, deflate
X-Forwarded-For: xxxxxxxxxxxx

3 Replies
McAfee Employee
Message 2 of 4

Re: Strange triggering signature

Hi @ihoratos

There are many signatures where HTTP response is required to be enabled to capture layer 7 information. Not all detection is done on the request packet.

The signature triggered because the following tokens matched:

1. convert\x28 - convert(

['(' is denoted as \x28 as per the ASCII chart]

2. cast\x28 - cast(

3. select(\x20|\x2b) - select  (select + blank space)

[\x20 is used for blank space. \x2b is used for the + symbol. The condition looks for either a space or a +]

I hope this answers your question.

Regards,
Faizan

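As an added illustration of the token matching described in the reply above (example code written for this page, not McAfee NSP/NSM logic), the script below treats the five blacklisted tokens exactly as the alert prints them as regular expressions, runs them over the URI from the PCAP, decodes the 0x... literal inside cast(...), and assembles the alert-style layer 7 summary that can only be completed once the response status has been seen. The response status line, the case-insensitive matching, and the helper names (`request_uri`, `match_tokens`, `decode_hex_literals`, `layer7_summary`) are assumptions made for the example.

```python
import re
from urllib.parse import unquote

# Request line from the thread's PCAP (hosts were already redacted as "xxx..." on the
# page; the omitted headers do not affect token matching). The response status line is
# constructed for this example: the page only reports "HTTP Return Code: 200".
REQUEST = (
    "GET /Login.aspx?ReturnUrl='+ (select convert(int, "
    "cast(0x5f21403264696c656d6d61 as varchar(8000))) from syscolumns) +' HTTP/1.1\r\n"
    "X-Scanner: Netsparker Enterprise\r\n"
    "Host: xxxxxxxxxxxxxxxxxxxxxxxxx\r\n"
    "\r\n"
)
RESPONSE_STATUS_LINE = "HTTP/1.1 200 OK"   # constructed; page shows only the code 200

# The five blacklisted tokens exactly as the alert prints them. Per the reply above,
# \xNN is a byte in hex (\x28 = '(', \x20 = space, \x2b = '+') and (a|b) is an
# alternation, so the strings can be used directly as regular expressions.
TOKENS = {
    "HID1": r"convert\x28",
    "HID2": r"cast\x28",
    "HID3": r"5375",
    "HID4": r"select(\x20|\x2b)",
    "HID5": r"from",
}


def request_uri(raw_request: str) -> str:
    """Return the request-target from the first line of a raw HTTP request.

    The scanner's URI contains literal spaces, so split the method off the front
    and the version off the back instead of splitting on every space.
    """
    first_line = raw_request.split("\r\n", 1)[0]
    _method, rest = first_line.split(" ", 1)
    target, _version = rest.rsplit(" ", 1)
    # Percent-decode but keep '+' as-is: HID4 explicitly accepts "select+" as
    # well as "select ", so the token set expects to see the raw '+'.
    return unquote(target)


def match_tokens(text: str, tokens: dict = TOKENS) -> dict:
    """Run every blacklisted token over `text`; True where it is found.

    SQL keywords are case-insensitive, so matching is done case-insensitively
    here (an assumption for this example, not something the thread states).
    """
    return {hid: re.search(pat, text, re.IGNORECASE) is not None
            for hid, pat in tokens.items()}


def decode_hex_literals(text: str) -> list:
    """Decode 0x... literals such as the one inside cast(...) to printable text."""
    out = []
    for hexdigits in re.findall(r"0x([0-9a-fA-F]+)", text):
        if len(hexdigits) % 2:          # odd length cannot be a byte string
            continue
        out.append(bytes.fromhex(hexdigits).decode("latin-1"))
    return out


def layer7_summary(raw_request: str, response_status_line: str) -> dict:
    """Build the alert-style summary once the response has been seen.

    The return code only exists after the response arrives; a signature that
    reports fields like "HTTP Return Code" therefore needs the whole
    transaction, not just the request packet (the point made in the reply).
    """
    uri = request_uri(raw_request)
    hits = match_tokens(uri)
    return {
        "uri": uri,
        "return_code": int(response_status_line.split(" ", 2)[1]),
        "matched": [hid for hid, hit in hits.items() if hit],
        "hex_literals": decode_hex_literals(uri),
    }


if __name__ == "__main__":
    for key, value in layer7_summary(REQUEST, RESPONSE_STATUS_LINE).items():
        print(f"{key}: {value}")
```

Running it shows HID1, HID2, HID4 and HID5 hitting in the request URI, the literal token 5375 not appearing in it, and the cast() argument decoding to the scanner's marker string; the return code is the only field in the summary that could not have been filled in from the request alone.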

Re: Strange triggering signature

Thank you, sir, but I knew that. My question was why wait until the response - those tokens were in the request. And what does HIDn: mean???

 

TIA


Re: Strange triggering signature

No, it does not answer the question.
I knew that. My question was why wait until the response - those tokens were in the request. And what does HIDn: mean???