11-12-2006 09:19 PM - edited 03-10-2019 03:19 AM
Dear all,
When I updated my IPS signatures to S258, I started getting a lot of "Cisco VPN 3000 Concentrator HTTP Attack Vulnerability" alerts with high severity in my Event Viewer dashboard. Is this true or a false positive? We don't have a Cisco VPN Concentrator deployed.
11-12-2006 10:33 PM
Would you be able to provide the alert information by setting the action to "produce verbose alert" and sending that over, so I can put some context to what is causing the false positive?
If you do not have a VPN 3000 to begin with, this signature may not be of interest to you, so it may be advisable to disable the signature for your environment.
Thanks,
Jonathan Limbo
11-20-2006 08:51 PM
Dear Mr. Limbo, here is my alert information:
evIdsAlert: eventId=1143147272506300416 severity=high vendor=Cisco
originator:
hostId: xxx-CIPS1
appName: sensorApp
appInstanceId: 333
time: 2006/11/21 05:17:35 2006/11/21 12:17:35 GMT+07:00
signature: description=Cisco VPN 3000 Concentrator HTTP Attack Vulnerability id=5727 version=S258
subsigId: 0
sigDetails: Cisco VPN 3000 Concentrator HTTP Attack Vulnerability
interfaceGroup:
vlan: 0
participants:
attacker:
addr: locality=OUT 10.10.x.xx
port: 1532
target:
addr: locality=OUT 10.10.x.xx
port: 8080
triggerPacket:
000000 00 0E 0C 5C 76 2A 00 10 C6 E2 6A C2 08 00 45 00 ...\v*....j...E.
000010 00 B1 BF 41 40 00 80 06 23 AE 0A 0A 02 46 0A 0A ...A@...#....F..
000020 00 FE 05 FC 1F 90 52 F4 D7 BB DA 78 0B CF 50 18 ......R....x..P.
000030 FF FF 4B 46 00 00 05 01 43 4F 4E 4E 45 43 54 20 ..KF....CONNECT
000040 77 77 77 2E 67 6F 6F 67 6C 65 2E 63 6F 6D 3A 34 www.google.com:4
000050 34 33 20 48 54 54 50 2F 31 2E 30 0D 0A 55 73 65 43 HTTP/1.0..Use
000060 72 2D 41 67 65 6E 74 3A 20 47 6F 6F 67 6C 65 20 r-Agent: Google
000070 54 61 6C 6B 0D 0A 48 6F 73 74 3A 20 77 77 77 2E Talk..Host: www.
000080 67 6F 6F 67 6C 65 2E 63 6F 6D 0D 0A 43 6F 6E 74 google.com..Cont
000090 65 6E 74 2D 4C 65 6E 67 74 68 3A 20 30 0D 0A 50 ent-Length: 0..P
0000A0 72 6F 78 79 2D 43 6F 6E 6E 65 63 74 69 6F 6E 3A roxy-Connection:
0000B0 20 4B 65 65 70 2D 41 6C 69 76 65 0D 0A 0D 0A Keep-Alive....
riskRatingValue: 85
interface: ge0_0
protocol: tcp
11-21-2006 12:59 AM
Thanks for the information.
It looks like a false positive due to some traffic to www.google.com; it got cut off after the HTTP header termination. I will look into this to update the benign triggers field.
-jonathan
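A worked decode of the triggerPacket posted above, as an added example that is not part of the thread. It rebuilds the frame from the sensor's hex dump, checks the byte count against the IP total length, parses the Ethernet, IPv4 and TCP headers, then locates the HTTP request line and reports whether the request ends at the header terminator with no body outstanding. The dump text is copied from the alert; the parser's assumptions about the dump layout (six-digit offset, up to sixteen byte columns, trailing ASCII column) are taken from that posting and nothing else.

```python
"""Decode a Cisco IPS evIdsAlert triggerPacket dump and summarise its HTTP payload.
Added triage example, not code from the thread. It assumes the dump layout the
sensor printed above: six-digit hex offset, up to sixteen hex bytes, then an
ASCII column (which can itself contain hex-looking text such as "43 HTTP/1.0")."""
import re
import struct

# Copied verbatim from the triggerPacket section of the alert in the post above.
TRIGGER_PACKET_DUMP = r"""
000000 00 0E 0C 5C 76 2A 00 10 C6 E2 6A C2 08 00 45 00 ...\v*....j...E.
000010 00 B1 BF 41 40 00 80 06 23 AE 0A 0A 02 46 0A 0A ...A@...#....F..
000020 00 FE 05 FC 1F 90 52 F4 D7 BB DA 78 0B CF 50 18 ......R....x..P.
000030 FF FF 4B 46 00 00 05 01 43 4F 4E 4E 45 43 54 20 ..KF....CONNECT
000040 77 77 77 2E 67 6F 6F 67 6C 65 2E 63 6F 6D 3A 34 www.google.com:4
000050 34 33 20 48 54 54 50 2F 31 2E 30 0D 0A 55 73 65 43 HTTP/1.0..Use
000060 72 2D 41 67 65 6E 74 3A 20 47 6F 6F 67 6C 65 20 r-Agent: Google
000070 54 61 6C 6B 0D 0A 48 6F 73 74 3A 20 77 77 77 2E Talk..Host: www.
000080 67 6F 6F 67 6C 65 2E 63 6F 6D 0D 0A 43 6F 6E 74 google.com..Cont
000090 65 6E 74 2D 4C 65 6E 67 74 68 3A 20 30 0D 0A 50 ent-Length: 0..P
0000A0 72 6F 78 79 2D 43 6F 6E 6E 65 63 74 69 6F 6E 3A roxy-Connection:
0000B0 20 4B 65 65 70 2D 41 6C 69 76 65 0D 0A 0D 0A Keep-Alive....
"""
# At most 16 byte columns per line, so the ASCII column is never read as bytes.
DUMP_LINE = re.compile(r"^[0-9A-Fa-f]{6}((?:\s+[0-9A-Fa-f]{2}){1,16})")
REQUEST_LINE = re.compile(rb"([A-Z]+) (\S+) HTTP/(\d\.\d)\r\n")
TCP_FLAGS = (("FIN", 1), ("SYN", 2), ("RST", 4), ("PSH", 8), ("ACK", 16), ("URG", 32))

def parse_hex_dump(dump: str) -> bytes:
    """Rebuild the raw Ethernet frame from the sensor's hex dump."""
    frame = bytearray()
    for line in dump.strip().splitlines():
        m = DUMP_LINE.match(line.strip())
        if not m:
            raise ValueError(f"unparseable dump line: {line!r}")
        frame += bytes.fromhex("".join(m.group(1).split()))
    return bytes(frame)

def decode_frame(frame: bytes) -> dict:
    """Parse Ethernet II / IPv4 / TCP headers. The IP total length must equal the
    bytes recovered from the dump, which catches a miscounted column."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        raise ValueError("not an IPv4 frame")
    ip = frame[14:]
    ver_ihl, _tos, total_len, _ident, _frag, ttl, proto, _csum = struct.unpack("!BBHHHBBH", ip[:12])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < 20 or proto != 6:
        raise ValueError("not a plain IPv4/TCP packet")
    if total_len != len(ip):
        raise ValueError(f"IP total length {total_len} but dump holds {len(ip)} bytes")
    tcp = ip[ihl:]
    sport, dport, seq, ack, off_flags, window = struct.unpack("!HHIIHH", tcp[:16])
    return {"frame_len": len(frame), "ttl": ttl,
            "src": ".".join(map(str, ip[12:16])), "dst": ".".join(map(str, ip[16:20])),
            "sport": sport, "dport": dport, "seq": seq, "ack": ack, "window": window,
            "flags": ",".join(n for n, bit in TCP_FLAGS if off_flags & bit),
            "payload": tcp[(off_flags >> 12) * 4:]}

def summarize_http(payload: bytes) -> dict:
    """Find the HTTP request line (it need not sit at offset 0) and report whether
    the request is complete: headers terminated and no declared body outstanding."""
    m = REQUEST_LINE.search(payload)
    if not m:
        return {"is_http": False, "leading_bytes": payload[:16]}
    head_end = payload.find(b"\r\n\r\n", m.end() - 2)
    complete = head_end != -1
    headers = {}
    for raw in (payload[m.end():head_end] if complete else payload[m.end():]).split(b"\r\n"):
        name, sep, value = raw.partition(b":")
        if sep:
            headers[name.strip().decode("latin-1").lower()] = value.strip().decode("latin-1")
    try:
        declared = int(headers.get("content-length", "0"))
    except ValueError:
        declared = None  # malformed Content-Length; report rather than guess
    return {"is_http": True,
            "leading_bytes": payload[:m.start()],  # anything ahead of the request line
            "method": m.group(1).decode(), "target": m.group(2).decode(),
            "version": m.group(3).decode(), "headers": headers,
            "headers_complete": complete, "declared_body_length": declared,
            "body_bytes_present": len(payload) - head_end - 4 if complete else 0}

def triage(dump: str) -> dict:
    """Decode one triggerPacket dump into header fields plus the HTTP view."""
    info = decode_frame(parse_hex_dump(dump))
    info["http"] = summarize_http(info["payload"])
    return info

if __name__ == "__main__":
    r = triage(TRIGGER_PACKET_DUMP)
    h = r["http"]
    print(f"{r['src']}:{r['sport']} -> {r['dst']}:{r['dport']} [{r['flags']}] "
          f"ttl={r['ttl']} payload={len(r['payload'])} bytes")
    print(f"bytes ahead of request line: {h['leading_bytes'].hex() or '(none)'}")
    print(f"{h['method']} {h['target']} HTTP/{h['version']} headers={h['headers']}")
    print(f"headers complete={h['headers_complete']} declared body={h['declared_body_length']} "
          f"body bytes present={h['body_bytes_present']}")
```

Running it shows a 191-byte PSH/ACK segment from TCP port 1532 to port 8080 carrying a CONNECT www.google.com:443 HTTP/1.0 request with Content-Length: 0 that ends exactly at the header terminator, which matches the benign Google Talk proxy traffic described in the reply. The decode also shows two bytes, 0x05 0x01, ahead of the request line; the thread does not say what they are, so the script reports them rather than interpreting them.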