
cisco VPN 3000 concentrator HTTP attack vulnerability,is it false positive

ekazamov10
Level 1

Dear all,

When I updated my IPS signatures to S258, I started getting a lot of "Cisco VPN 3000 Concentrator HTTP Attack Vulnerability" alerts with high severity in my event viewer dashboard. Is this a true or a false positive? We don't implement a Cisco VPN Concentrator.


jlimbo
Level 1

Would you be able to provide the alert information by setting the action to "produce verbose alert" and sending that over so I can put some context to what is causing the false positive?

If you do not have a VPN 3000 to begin with, this signature may not be of interest to you, so it may be advisable to disable the signature for your environment.

Thanks,

Jonathan Limbo

Dear Mr. Limbo, here is my alert information:

evIdsAlert: eventId=1143147272506300416 severity=high vendor=Cisco
  originator:
    hostId: xxx-CIPS1
    appName: sensorApp
    appInstanceId: 333
  time: 2006/11/21 05:17:35 2006/11/21 12:17:35 GMT+07:00
  signature: description=Cisco VPN 3000 Concentrator HTTP Attack Vulnerability id=5727 version=S258
    subsigId: 0
    sigDetails: Cisco VPN 3000 Concentrator HTTP Attack Vulnerability
  interfaceGroup:
  vlan: 0
  participants:
    attacker:
      addr: locality=OUT 10.10.x.xx
      port: 1532
    target:
      addr: locality=OUT 10.10.x.xx
      port: 8080
  triggerPacket:
    000000 00 0E 0C 5C 76 2A 00 10 C6 E2 6A C2 08 00 45 00 ...\v*....j...E.
    000010 00 B1 BF 41 40 00 80 06 23 AE 0A 0A 02 46 0A 0A ...A@...#....F..
    000020 00 FE 05 FC 1F 90 52 F4 D7 BB DA 78 0B CF 50 18 ......R....x..P.
    000030 FF FF 4B 46 00 00 05 01 43 4F 4E 4E 45 43 54 20 ..KF....CONNECT
    000040 77 77 77 2E 67 6F 6F 67 6C 65 2E 63 6F 6D 3A 34 www.google.com:4
    000050 34 33 20 48 54 54 50 2F 31 2E 30 0D 0A 55 73 65 43 HTTP/1.0..Use
    000060 72 2D 41 67 65 6E 74 3A 20 47 6F 6F 67 6C 65 20 r-Agent: Google
    000070 54 61 6C 6B 0D 0A 48 6F 73 74 3A 20 77 77 77 2E Talk..Host: www.
    000080 67 6F 6F 67 6C 65 2E 63 6F 6D 0D 0A 43 6F 6E 74 google.com..Cont
    000090 65 6E 74 2D 4C 65 6E 67 74 68 3A 20 30 0D 0A 50 ent-Length: 0..P
    0000A0 72 6F 78 79 2D 43 6F 6E 6E 65 63 74 69 6F 6E 3A roxy-Connection:
    0000B0 20 4B 65 65 70 2D 41 6C 69 76 65 0D 0A 0D 0A Keep-Alive....
  riskRatingValue: 85
  interface: ge0_0
  protocol: tcp

Thanks for the information.

It looks like a false positive due to some traffic to www.google.com; it got cut off after the HTTP header termination. I will look into this to update the benign triggers field.

-jonathan
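The conclusion above rests on reading the triggerPacket by eye. As an added example that is not part of this thread and not Cisco code, the Python script below does that reading mechanically: it rebuilds the frame from the hex dump quoted in the alert, verifies the IPv4 header checksum so a mis-copied dump is caught before anything is concluded from it, decodes the Ethernet/IPv4/TCP headers, and parses the HTTP request in the payload. The assumptions are the dump layout (six-digit offset, up to 16 hex bytes, then an ASCII column, as in the post) and that the payload is HTTP text; the function and field names are my own.

```python
import ipaddress
import re
import string
import struct

# triggerPacket hex dump copied from the alert above (offset, up to 16 hex bytes,
# ASCII column); a raw string so the backslash in the first ASCII column stays literal.
TRIGGER_PACKET_DUMP = r"""
000000 00 0E 0C 5C 76 2A 00 10 C6 E2 6A C2 08 00 45 00 ...\v*....j...E.
000010 00 B1 BF 41 40 00 80 06 23 AE 0A 0A 02 46 0A 0A ...A@...#....F..
000020 00 FE 05 FC 1F 90 52 F4 D7 BB DA 78 0B CF 50 18 ......R....x..P.
000030 FF FF 4B 46 00 00 05 01 43 4F 4E 4E 45 43 54 20 ..KF....CONNECT
000040 77 77 77 2E 67 6F 6F 67 6C 65 2E 63 6F 6D 3A 34 www.google.com:4
000050 34 33 20 48 54 54 50 2F 31 2E 30 0D 0A 55 73 65 43 HTTP/1.0..Use
000060 72 2D 41 67 65 6E 74 3A 20 47 6F 6F 67 6C 65 20 r-Agent: Google
000070 54 61 6C 6B 0D 0A 48 6F 73 74 3A 20 77 77 77 2E Talk..Host: www.
000080 67 6F 6F 67 6C 65 2E 63 6F 6D 0D 0A 43 6F 6E 74 google.com..Cont
000090 65 6E 74 2D 4C 65 6E 67 74 68 3A 20 30 0D 0A 50 ent-Length: 0..P
0000A0 72 6F 78 79 2D 43 6F 6E 6E 65 63 74 69 6F 6E 3A roxy-Connection:
0000B0 20 4B 65 65 70 2D 41 6C 69 76 65 0D 0A 0D 0A Keep-Alive....
"""

TCP_FLAGS = (("FIN", 1), ("SYN", 2), ("RST", 4), ("PSH", 8), ("ACK", 16), ("URG", 32))


def parse_hex_dump(dump: str) -> bytes:
    # The ASCII column may itself start with a hex-looking pair (the 000050 line ends
    # in "43 HTTP/1.0"), so take at most 16 tokens per line and require each line's
    # offset to equal the number of bytes collected so far.
    frame = bytearray()
    for line in dump.splitlines():
        m = re.match(r"\s*([0-9A-Fa-f]{6})\s+(.*)", line)
        if not m:
            continue
        if int(m.group(1), 16) != len(frame):
            raise ValueError(f"offset {m.group(1)} != {len(frame)} bytes parsed so far")
        for tok in m.group(2).split()[:16]:
            if len(tok) != 2 or not all(c in string.hexdigits for c in tok):
                break
            frame.append(int(tok, 16))
    return bytes(frame)


def ones_complement_sum(data: bytes) -> int:
    # RFC 1071 sum: a header whose checksum field is correct sums to 0xFFFF.
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def decode_frame(frame: bytes) -> dict:
    # Ethernet II -> IPv4 -> TCP; the checksum and length checks reject a dump that
    # was mis-copied or truncated before anything is read from the payload.
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != 0x0800:
        raise ValueError(f"not IPv4: ethertype {ethertype:#06x}")
    ip = frame[14:]
    ver_ihl, _, total_len, _, _, _, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", ip[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or proto != 6:
        raise ValueError("expected IPv4 carrying TCP")
    if ones_complement_sum(ip[:ihl]) != 0xFFFF:
        raise ValueError("IPv4 header checksum mismatch: dump not copied intact")
    if total_len > len(ip):
        raise ValueError(f"truncated: IP length {total_len}, dump has {len(ip)} bytes")
    seg = ip[ihl:total_len]
    sport, dport, _, _, off_flags = struct.unpack("!HHIIH", seg[:14])
    return {
        "src": str(ipaddress.IPv4Address(src)), "dst": str(ipaddress.IPv4Address(dst)),
        "sport": sport, "dport": dport,
        "flags": [name for name, bit in TCP_FLAGS if off_flags & bit],
        "payload": seg[(off_flags >> 12) * 4:],
    }


def parse_http_request(payload: bytes) -> dict:
    # The dump shows two control bytes (05 01) ahead of "CONNECT"; skip leading
    # control bytes so the request line is still found.
    head, _, _ = payload.lstrip(bytes(range(0x20))).partition(b"\r\n\r\n")
    lines = head.decode("ascii", errors="replace").split("\r\n")
    method, target, version = lines[0].split(" ", 2)
    headers = {}
    for hdr in lines[1:]:
        name, _, value = hdr.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "target": target, "version": version, "headers": headers}


def triage(dump: str) -> dict:
    # Flag a plain proxy tunnel request: CONNECT host:port with no body, which is what
    # any HTTP-proxy client sends before starting TLS and is not specific to a VPN 3000.
    pkt = decode_frame(parse_hex_dump(dump))
    req = parse_http_request(pkt["payload"])
    host, _, port = req["target"].rpartition(":")
    pkt["request"] = req
    pkt["plain_connect_tunnel"] = (req["method"] == "CONNECT" and bool(host)
                                   and port.isdigit()
                                   and req["headers"].get("content-length", "0") == "0")
    return pkt


if __name__ == "__main__":
    print(triage(TRIGGER_PACKET_DUMP))
```

Run as-is, it reports the decoded endpoints (the dump carries the real addresses that the alert text masks as 10.10.x.xx), PSH/ACK flags, and a CONNECT to www.google.com:443 through port 8080 with a Google Talk User-Agent and Content-Length 0. Whether that is enough to retire signature 5727 or just to filter it for the proxy's address is still a judgement call for the network in question; the script only makes the trigger readable so that call is an informed one.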
