11-12-2012 09:23 AM - edited 03-10-2019 05:49 AM
Hello.
We have seen IPS Signature 1548/0-"Microsoft Office Picture Managed Memory Corruption" trigger frequently on image files downloaded from IP addresses associated with Microsoft, in the range of 207.46.0.0/16. This has happened for several different customers we manage and I'm wondering if anyone else has seen this new signature fire frequently.
It looks to me that this signature has not been tuned correctly by Cisco because in every case the "Source" IP in the alert was from Microsoft. Just wondering if anyone else has seen this too.
Jon.
11-12-2012 10:12 AM
Jon,
The IPS Signature team is researching this issue and will update you as soon as we have more information.
-Roopesh
11-12-2012 03:53 PM
Yes, as soon as this signature was released by Cisco we have been seeing Microsoft (65.54.0.0/16) as the source of this activity.
-will
11-13-2012 05:58 AM
Yeah, we just had some fire in the 65.54.0.0/16 range in addition to the 207.46.0.0/16 range.
Thanks Roopesh for bringing this to the signature team for review, let us know what you find out.
11-13-2012 10:55 AM
The signature will be disabled and retired in an upcoming signature update. The new signature will have an updated benign triggers section to reflect that this sig may trigger on potentially benign traffic. In the meantime, please feel free to disable and retire this signature. Let me know if you have any additional questions.
11-15-2012 06:41 AM
Thanks for the update, Roopesh. We ended up just filtering this out in the MARS appliances when the source addresses belonged to Microsoft.