06-22-2006 08:57 AM - edited 03-10-2019 03:04 AM
Any thoughts? Are false positives being reviewed for the next signature release?
We are seeing a lot of activity triggering this signature. The attacking IP is from Microsoft itself, so it must be a false positive? 207.68.179.220 (http://advertising.msn.com/home/home)
Signature version is S232
Attacker context is:
w.rsac.org/ratingsv01.html" l comment "RSACi North America Server" by "inet@microsoft.com" r (n 0 s 0 v 0 l 0))
Date: Tue, 20 Jun 2006 16:02:42 GMT
PNG
IHDR i*gAMA|Q cHRMR@}y<s<w
5iCCPsRG
Thoughts?
06-22-2006 05:47 PM
I would like to look into this further.
Is it possible to get a traffic sample for this, please? In the meantime, would you be able to re-paste the entire alert information, including the hex output?
Thanks,
Jonathan
06-23-2006 05:57 AM
evIdsAlert: eventId=1135765787750475982 vendor=Cisco severity=high
originator:
hostId: xxxx
appName: sensorApp
appInstanceId: 26432
time: June 22, 2006 10:17:48 PM UTC offset=-420 timeZone=MST
signature: description=Windows Media Player PNG Processing Remote Code Execution id=5774 version=S232
subsigId: 0
sigDetails: Windows Media Player PNG Processing Remote Code Execution
interfaceGroup:
vlan: 0
participants:
attacker:
addr: 207.68.179.220 locality=OUT
port: 80
target:
addr: xxxxxxxx locality=INTERNAL
port: 2177
context:
fromAttacker:
000000 77 2E 72 73 61 63 2E 6F 72 67 2F 72 61 74 69 6E w.rsac.org/ratin
000010 67 73 76 30 31 2E 68 74 6D 6C 22 20 6C 20 63 6F gsv01.html" l co
000020 6D 6D 65 6E 74 20 22 52 53 41 43 69 20 4E 6F 72 mment "RSACi Nor
000030 74 68 20 41 6D 65 72 69 63 61 20 53 65 72 76 65 th America Serve
000040 72 22 20 62 79 20 22 69 6E 65 74 40 6D 69 63 72 r" by "inet@micr
000050 6F 73 6F 66 74 2E 63 6F 6D 22 20 72 20 28 6E 20 osoft.com" r (n
000060 30 20 73 20 30 20 76 20 30 20 6C 20 30 29 29 0D 0 s 0 v 0 l 0)).
000070 0A 44 61 74 65 3A 20 54 68 75 2C 20 32 32 20 4A .Date: Thu, 22 J
000080 75 6E 20 32 30 30 36 20 32 32 3A 32 32 3A 32 36 un 2006 22:22:26
000090 20 47 4D 54 0D 0A 0D 0A 89 50 4E 47 0D 0A 1A 0A GMT.....PNG....
0000A0 00 00 00 0D 49 48 44 52 00 00 00 20 00 00 00 2D ....IHDR... ...-
0000B0 08 06 00 00 00 CF E4 69 2A 00 00 00 04 67 41 4D .......i*....gAM
0000C0 41 00 00 B1 8E 7C FB 51 93 00 00 00 20 63 48 52 A....|.Q.... cHR
0000D0 4D 00 00 87 0F 00 00 8C 0F 00 00 FD 52 00 00 81 M...........R...
0000E0 40 00 00 7D 79 00 00 E9 8B 00 00 3C E5 00 00 19 @..}y......<....
0000F0 CC 73 3C 85 77 00 00 0A 35 69 43 43 50 73 52 47 .s<.w...5iCCPsRG
riskRatingValue: 70
interface: fe1_0
protocol: tcp
06-26-2006 06:38 AM
We also were getting the WMF exploit signatures triggering from MSFT. We were going to tune them out.
06-29-2006 04:39 AM
I am also getting the trigger from Microsoft. I don't have anything additional to add. I just wanted to be able to receive a notification when this post receives replies.
Could someone let me know if there is a way to enable notifications for a post without submitting a message to it?
Thank you,
Mark
06-29-2006 05:55 AM
Click the Subscribe link.
06-29-2006 06:46 AM
I know, god forbid Cisco or any other major vendor that provides an attempt at support forums uses an already established "standard" like vBulletin, used on a daily basis by millions worldwide, which costs all of a couple hundred dollars, instead of reinventing the wheel and making users hunt for buttons they know *should* exist and request features that are incredulously "not added yet", all the while mucking their way through the slower and more cumbersome interface.
[/rant]
06-29-2006 06:01 PM
Apologies for the delayed response.
I had a look at the show event information and, although it looks like a PNG file, the format is incorrect as defined by the w3.org open standard.
Records are nested with: iCCPsRG
In situations like this, where the defined format is not followed, it will cause a false positive.
Thanks,
Jonathan
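As an added illustration, not part of this thread and not Cisco's signature logic: a small Python chunk walker run over the bytes of the fromAttacker context in the alert above. It checks the parts of the PNG chunk grammar that can be checked from a capture (the eight-byte signature, IHDR first, alphabetic chunk-type letters, the 2^31-1 length bound, and the CRC over type plus payload) and reports where the capture runs out. The sample bytes are transcribed from the alert's hex dump starting at the PNG signature; the function and field names are mine.

```python
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"
MAX_CHUNK_LENGTH = 2**31 - 1  # upper bound on the chunk length field in the PNG spec

# Constructed sample: the fromAttacker context from the alert above, from the
# PNG signature (offset 0x98 in the dump) to the point where the sensor's
# capture stops. It therefore ends inside the iCCP chunk on purpose.
CAPTURE = bytes.fromhex(
    "89504E470D0A1A0A"
    "0000000D49484452000000200000002D"
    "0806000000CFE4692A0000000467414D"
    "410000B18E7CFB519300000020634852"
    "4D0000870F00008C0F0000FD52000081"
    "4000007D790000E98B00003CE5000019"
    "CC733C857700000A3569434350735247"
)


def parse_ihdr(payload):
    """Decode the 13-byte IHDR payload into named fields."""
    width, height, depth, colour, comp, filt, interlace = struct.unpack(">IIBBBBB", payload)
    return {"width": width, "height": height, "bit_depth": depth,
            "colour_type": colour, "compression": comp,
            "filter": filt, "interlace": interlace}


def parse_png_chunks(data):
    """Walk the chunk stream of a (possibly truncated) PNG.

    Returns (chunks, problems). Each chunk records its type, declared length,
    how many payload bytes were actually present, and whether the CRC over
    type+payload matched (None when the chunk is cut off). The problems list
    holds the format violations or capture gaps found along the way.
    """
    chunks, problems = [], []
    if not data.startswith(PNG_SIGNATURE):
        problems.append("missing PNG signature")
        return chunks, problems
    pos = len(PNG_SIGNATURE)
    while pos < len(data):
        header = data[pos:pos + 8]
        if len(header) < 8:
            problems.append(f"capture ends inside a chunk header at offset {pos}")
            break
        length, ctype = struct.unpack(">I4s", header)
        if length > MAX_CHUNK_LENGTH:
            problems.append(f"{ctype!r} at offset {pos} declares length {length} > 2^31-1")
            break
        if not all(65 <= b <= 90 or 97 <= b <= 122 for b in ctype):
            problems.append(f"non-alphabetic chunk type {ctype!r} at offset {pos}")
            break
        payload = data[pos + 8:pos + 8 + length]
        complete = len(payload) == length and len(data) >= pos + 12 + length
        crc_ok = None
        if complete:
            stored = struct.unpack(">I", data[pos + 8 + length:pos + 12 + length])[0]
            crc_ok = (zlib.crc32(ctype + payload) & 0xFFFFFFFF) == stored
            if not crc_ok:
                problems.append(f"CRC mismatch on {ctype.decode('ascii')} at offset {pos}")
        chunk = {"type": ctype.decode("ascii"), "length": length,
                 "present": len(payload), "complete": complete, "crc_ok": crc_ok}
        if ctype == b"IHDR" and len(payload) == 13:
            chunk["ihdr"] = parse_ihdr(payload)
        elif ctype == b"gAMA" and len(payload) == 4:
            chunk["gamma_x100000"] = struct.unpack(">I", payload)[0]
        elif ctype == b"iCCP":
            # Profile name is a null-terminated Latin-1 string, then one
            # compression-method byte, then the zlib-compressed ICC profile.
            name, sep, _rest = payload.partition(b"\x00")
            chunk["profile_name"] = name.decode("latin-1")
            chunk["profile_name_terminated"] = bool(sep)
        chunks.append(chunk)
        if not complete:
            problems.append(f"{chunk['type']} declares {length} bytes but only "
                            f"{len(payload)} are in the capture")
            break
        pos += 12 + length
    if chunks and chunks[0]["type"] != "IHDR":
        problems.append("first chunk is not IHDR")
    return chunks, problems


if __name__ == "__main__":
    found, issues = parse_png_chunks(CAPTURE)
    for c in found:
        print(c)
    for p in issues:
        print("problem:", p)
```

On the alert's bytes this yields IHDR (32x45, bit depth 8, colour type 6), gAMA (45454) and cHRM as complete chunks, followed by an iCCP chunk that declares 2613 bytes of which only three are present, the start of the profile name. Everything past that point (the rest of the name, the compression byte, the zlib stream and its CRC) is outside the sensor's context window, so it cannot be judged from the alert alone; that is why a full traffic sample, as requested earlier in the thread, is needed to settle what the signature actually matched on.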
07-04-2006 03:51 AM
I'm sure you can tighten up this signature. Having 99% false positives is not acceptable, and the answer "not following w3.org standards" is .......... .
Maybe you should rename this signature to Suspicious PNG file and make a new signature that works in the reality.
Thanks. ;-)
07-06-2006 09:39 AM
Is anyone using a workaround for this noisy signature?
07-06-2006 05:07 PM
Just to let everyone know, we are currently investigating the 5774-0 signature for ways to improve it and reduce the number of false positives.