Anyone else notice IPS Signature 1802/0 firing frequently?

Damien Stevens · ‎01-14-2013

We have seen IPS Signature 1802/0-"Ruby on Rails Remote Code Execution Vulnerability" trigger frequently on any webpage with XML with YAML content I'm wondering if anyone else has seen this new signature fire frequently.

It looks to me that this signature has not been tuned correctly by Cisco. We don't use Ruby on Rails anywhere in our environment, so we went ahead and disabled the signature, I'm just wondering if anyone else has seen this too.

kDonovan9_2 · ‎01-14-2013

Happening to us as well.....we plan on opening up a case with TAC to see what they say.

We aslo noticed it when people hit the website www.aa.com

ben.webb-cw · ‎01-14-2013

We are seeing this firing all over the place as well, especially in environments where ruby is not installed. If anyone gets any feedback from cisco can they please post the reponse on here?

WylehouAdmins · ‎01-14-2013

Logged a TAC case and they are working on an update. You are correct this is a signature issue. No time table given. Since the new signature will replace the old one, they recomended we disable the current signature if the alerts were too much.

John Warren · ‎01-14-2013

Have been seeing this happening all day today. never seen it before until today. The s688 update was released on Friday 1/11, so that sorta explains a bit why we are just now seeing it. I'm guessing its probably too sensitive.

ruppala · ‎01-14-2013

The ips signature team is aware of this issue and is actively working towards a resolution. I will update this thread once i have additional information on the update.

ruppala · ‎01-16-2013

We released a higher fidelity version of signature 1802-0 in update S689. If you still see this signature triggering frequently , do let me know.

-Roopesh

IPS Signature Team