01-22-2011 10:43 AM - edited 03-10-2019 05:14 AM
Is anyone else seeing a lot of alerts firing from legit sites for sig 31359/1? I'm receiving them from Yahoo and Akamai as well as a few other sites.
Cory
01-24-2011 11:16 AM
Yeah, we're seeing it fire on legit sites also. Began Friday when our IPS loaded the latest sig file.
01-24-2011 11:24 AM
This same signature was a problem back in November. We ended up disabling it. Looks like the new version has the same problem.
01-25-2011 07:52 AM
Hello Pronet MSSP and tscislaw,
Would you be able to provide a packet capture of the legitimate traffic on which 31359/1 is firing? I will ask our signature team to review the data in the capture and test it against the new sub-signature.
Thank you,
Blayne Dreier
Cisco TAC Escalation Team
**Please check out our Podcasts**
TAC Security Show: http://www.cisco.com/go/tacsecuritypodcast
TAC IPS Media Series: https://supportforums.cisco.com/community/netpro/security/intrusion-prevention?view=tags&tags=tac_ips_media_series
01-25-2011 09:05 AM
Blayne,
Attached is a packet capture from that signature event.
Tony M. Scislaw CISSP
Network Administrator
Kennedy Space Center Federal Credit Union
Merritt Island, Florida
tscislaw@kscfcu.org
www.kscfcu.org
321-456-5422
01-25-2011 06:25 PM
Hi All,
This may be a recursive problem of signature 31359/0. TAC is still investigating the problem. We are analyzing the info of singular cases, captures and others.
Cheers.
Mike
01-27-2011 07:01 AM
I have been out of the office all week and just wanted to say thank you for posting the packet capture.
Cory
01-27-2011 07:35 AM
Hello all,
We now have a bug filed for this issue. The bug id is CSCtl90408 and it is available via the CCO Bug Toolkit: http://tools.cisco.com/Support/BugToolKit/action.do?hdnAction=searchBugs.
You may review the bug and click on the "Save Bug" button at the bottom of the page to receive email updates as changes are made to the bug's state.
I'll update this thread if we make any milestone progress prior to resolving the issue.
Thank you,
Blayne Dreier
Cisco TAC Escalation Team
01-27-2011 10:13 AM
That bug ID isn't showing up in the Toolkit.
01-27-2011 02:07 PM
Hello tscislaw,
It will soon. The bug was written this morning and still has to go through review. You should see it in the next day or so.
Thank you,
Blayne Dreier
Cisco TAC Escalation Team