Forum Discussion

abdul_gafoor_31
Feb 20, 2019

How to manage command execution violations on Parameters where free text is allowed.

I would like to know the best practice to deal with ‘command execution’ violations on Parameters where free text is allowed. I understand we can disable those attack signatures on specific parameters. Actually, the number of cases has increased after the upgrade from version 12.1.2 to 13.1.1.3. I am not sure if there is any enhancement in these signatures in version 13.x. The issue happens when customers type top, cc, date etc. in the 'Remarks' field.

Can somebody advise if there is any other way I can address this issue other than disabling signatures?

 

  • Hi Abdul,

    There isn't much you can do. I've seen it a lot exactly as you're describing, and the best you can do is disable signatures for those parameters. If you know the systems involved, and for example, it's Windows, you could disable a lot of the UNIX ones such as cat, etc., but it's not a great solution and would be pretty tedious. You end up adding that parameter and then disabling attack signatures since it will get hit pretty often. If you're in blocking, you could put the parameter in staging so at least you won't get a ton of blocks while you clean it up.

     
