https://community.cisco.com/t5/network-security/5829-0-false-positives/m-p/642230#M87954 <HTML><HEAD></HEAD><BODY><P>We're looking into this issue. Would it be possible to provide a verbose alert for this signature? The signature is designed to detect ssl v3 packets in which the size does not match up with the declared ssl field sizes; I'll need more of the packet to verify the problem.</P></BODY></HTML> Fri, 22 Dec 2006 17:58:40 GMT craiwill 2006-12-22T17:58:40Z https://community.cisco.com/t5/network-security/5829-0-false-positives/m-p/642229#M87952 <P>Outbound Internet traffic through our HTTP proxy is triggering this sig. below is a trigger packet. We've seen about 50 of these in the last 2 hours.</P><P></P><P>evIdsAlert: eventId=1152199463829252123 vendor=Cisco severity=medium </P><P> originator: </P><P> hostId: hostname </P><P> appName: sensorApp </P><P> appInstanceId: 20616 </P><P> time: December 22, 2006 3:32:53 PM UTC offset=-360 timeZone=GMT-06:00 </P><P> signature: description=Microsoft SSL DoS id=5829 version=S263 </P><P> subsigId: 0 </P><P> sigDetails: Microsoft SSL DoS </P><P> interfaceGroup: </P><P> vlan: 0 </P><P> participants: </P><P> attacker: </P><P> addr: 192.168.1.1 locality=PROXY_EXT_IP </P><P> port: 50439 </P><P> target: </P><P> addr: 208.215.237.156 locality=ANY </P><P> port: 443 </P><P> triggerPacket: </P><P>000000 00 00 5E 00 01 65 00 17 0F 0B 17 00 08 00 45 00 ..^..e........E.</P><P>000010 00 71 83 92 40 00 3F 06 67 55 CE C3 C3 67 D0 D7 .q..@.?.gU...g..</P><P>000020 ED 9C C5 07 01 BB 51 7F 93 2C 30 66 D8 1D 80 18 ......Q..,0f....</P><P>000030 44 70 68 88 00 00 01 01 08 0A 45 10 90 67 1F 48 Dph.......E..g.H</P><P>000040 C5 13 16 03 00 00 38 01 9D CB 06 99 C9 F4 94 F9 ......8.........</P><P>000050 ED 54 42 F3 19 73 FC F8 BA F1 A5 0B B1 AD 02 C6 .TB..s..........</P><P>000060 F4 FD AF 26 71 66 2B 5B A2 05 97 91 4A 22 CF E9 ...&amp;qf+[....J"..</P><P>000070 78 74 13 AC 2B AB B8 54 C5 4E E0 6C CC 36 E8 xt..+..T.N.l.6.</P><P></P><P> riskRatingValue: 48 </P><P> interface: ge0_0 </P><P> protocol: tcp </P><P></P> Sun, 10 Mar 2019 10:23:42 GMT https://community.cisco.com/t5/network-security/5829-0-false-positives/m-p/642229#M87952 mhellman 2019-03-10T10:23:42Z https://community.cisco.com/t5/network-security/5829-0-false-positives/m-p/642230#M87954 <HTML><HEAD></HEAD><BODY><P>We're looking into this issue. Would it be possible to provide a verbose alert for this signature? The signature is designed to detect ssl v3 packets in which the size does not match up with the declared ssl field sizes; I'll need more of the packet to verify the problem.</P></BODY></HTML> Fri, 22 Dec 2006 17:58:40 GMT https://community.cisco.com/t5/network-security/5829-0-false-positives/m-p/642230#M87954 craiwill 2006-12-22T17:58:40Z https://community.cisco.com/t5/network-security/5829-0-false-positives/m-p/642231#M87956 <HTML><HEAD></HEAD><BODY><P>We're looking into this issue. Would it be possible to provide a verbose alert for this signature? The signature is designed to detect ssl v3 packets in which the size does not match up with the declared ssl field sizes; I'll need more of the packet to verify the problem.</P></BODY></HTML> Fri, 22 Dec 2006 18:13:13 GMT https://community.cisco.com/t5/network-security/5829-0-false-positives/m-p/642231#M87956 craiwill 2006-12-22T18:13:13Z