Re: signature 5692 False Positive?

cjbogaards · ‎02-22-2006

Are there any known false positives for this signature?

evIdsAlert: eventId=1135904534516778471 vendor=Cisco severity=high

originator:

hostId: 27-fw-dmz-c1

appName: sensorApp

appInstanceId: 346

time: February 22, 2006 12:51:20 PM UTC offset=-360 timeZone=GMT-06:00

signature: description=Macromedia Flash Overflow id=5692 version=S200

subsigId: 0

sigDetails: Macromedia Flash Overflow

interfaceGroup:

vlan: 0

participants:

attacker:

addr: 209.152.119.251 locality=ANY

port: 80

target:

addr: 206.195.195.108 locality=NETCACHE_EXT_IP

port: 63921

context:

fromAttacker:

000000 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................

000010 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................

000020 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................

000030 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................

000040 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................

000050 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................

000060 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................

000070 00 00 00 00 00 00 00 00 00 FF D8 FF DB 00 C5 00 ................

000080 0B 07 08 09 08 07 0B 09 09 09 0C 0B 0B 0D 10 1A ................

000090 11 10 0F 0F 10 20 17 18 13 1A 26 22 28 28 26 22 ..... ....&"((&"

0000A0 25 24 2A 30 3D 33 2A 2D 39 2E 24 25 35 48 35 39 %$*0=3*-9.$%5H59

0000B0 3F 41 44 45 44 29 33 4B 50 4A 42 4F 3D 43 44 41 ?ADED)3KPJBO=CDA

0000C0 01 0B 0C 0C 10 0E 10 1F 11 11 1F 41 2C 25 2C 41 ...........A,%,A

0000D0 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA

0000E0 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA

0000F0 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA

Jeffrey Bollinger · ‎02-23-2006

According to the MySDN site, there are "no known benign triggers":

http://tools.cisco.com/MySDN/Intelligence/viewSignature.x?signatureId=5692&signatureSubId=0

normalit · ‎03-08-2006

I am getting quite a few false positives as well. My external webserver hosts up a flash file on one of our sites. Whenever someone requests that page, and the webserver serves up the .swf file, this signature fires.

I've been trying to figure out what is causing it to fire, myself, and am not getting anywhere.

fromAttacker:

000000 FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF ................

000010 FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF ................

000020 FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF ................

000030 FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF ................

000040 FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF ................

000050 FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF ................

000060 FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF ................

000070 FF FF FF FF FF FF FF FF FF FF D8 FF DB 00 C5 00 ................