11-04-2010 02:32 PM - edited 03-10-2019 05:10 AM
Seeing this signature firing quite a bit in the past hour. Intially started seeing activity from ASIAPAC and Europe, Now seeing activity from the US.
Told our IPS to drop packets but not alert.
Anyone else seeing this signature fire ?
Ron
11-09-2010 07:25 AM
We are aware of potential issues with signature 31359/0 that can cause it to fire on legitimate traffic.
A bug has been filed and our signature develpment team is working on a solution.
For more info, see http://tools.cisco.com/squish/41f5E
For now, as a workaround, you may want to disable the signature or create an Event Action Filter to remove any actions applied for particular source/destination pairs.
I will update you as soon as new informatoin if available.
Let me know if you have any furhter questions, alternatively you can open a case with TAC.
Stijn
11-09-2010 03:20 PM
Ron, and anyone else who reported the issue,
In order for us to further determine what exactly is causing this signature to fire for your traffic, can you please provide me packet capture (pcap file) of the traffic on which the signature is firing on ?
Please email me the pcaps: svanveer@cisco.com
Thanks in advance !
Stijn
11-12-2010 10:38 AM
I understand from the latest Cisco IPS Threat Defense Bulletin for Release S530 that 31359.0 is now classified as a retired signature.
Would another signature be coming out in response to this vulnerability, or might sloppy internet website coding be too common that blocking this pattern by default be to invasive, or something else?
Thanks.
01-24-2011 11:32 AM
We're seeing this same thing happen on the new 31359/1 signature.
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide