cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements

2509
Views
0
Helpful
18
Replies
Ronald Nutter
Beginner

Activity on Signature 31359

Seeing this signature firing quite a bit in the past hour.  Intially started seeing activity from ASIAPAC and Europe, Now seeing activity from the US.

Told our IPS to drop packets but not alert.

Anyone else seeing this signature fire ?

Ron

18 REPLIES 18

We are aware of potential issues with signature 31359/0 that can cause it to fire on legitimate traffic.

A bug has been filed and our signature develpment team is working on a solution.

For more info, see http://tools.cisco.com/squish/41f5E

For now, as a workaround, you may want to disable the signature or create an Event Action Filter to remove any actions applied for particular source/destination pairs.

I will update you as soon as new informatoin if available.

Let me know if you have any furhter questions, alternatively you can open a case with TAC.

Stijn

Ron, and anyone else who reported the issue,

In order for us to  further determine what exactly is causing this signature to fire for  your traffic, can you please provide me packet capture (pcap file) of the traffic on which the signature is firing on ?

Please email me the pcaps: svanveer@cisco.com

Thanks in advance !

Stijn

I understand from the latest Cisco IPS Threat Defense Bulletin for Release S530 that 31359.0 is now classified as a retired signature.

Would another signature be coming out in response to this vulnerability, or might sloppy internet website coding be too common that blocking this pattern by default be to invasive, or something else?

Thanks.

We're seeing this same thing happen on the new 31359/1 signature.