Seeing this signature firing quite a bit in the past hour. Intially started seeing activity from ASIAPAC and Europe, Now seeing activity from the US.
Told our IPS to drop packets but not alert.
Anyone else seeing this signature fire ?
We are aware of potential issues with signature 31359/0 that can cause it to fire on legitimate traffic.
A bug has been filed and our signature develpment team is working on a solution.
For more info, see http://tools.cisco.com/squish/41f5E
For now, as a workaround, you may want to disable the signature or create an Event Action Filter to remove any actions applied for particular source/destination pairs.
I will update you as soon as new informatoin if available.
Let me know if you have any furhter questions, alternatively you can open a case with TAC.
Ron, and anyone else who reported the issue,
In order for us to further determine what exactly is causing this signature to fire for your traffic, can you please provide me packet capture (pcap file) of the traffic on which the signature is firing on ?
Please email me the pcaps: firstname.lastname@example.org
Thanks in advance !
I understand from the latest Cisco IPS Threat Defense Bulletin for Release S530 that 31359.0 is now classified as a retired signature.
Would another signature be coming out in response to this vulnerability, or might sloppy internet website coding be too common that blocking this pattern by default be to invasive, or something else?