Anyone having issues with Signature 41846/1?

JonPBerbee
Level 1

S625 got applied to one of our IDS sensors this morning and 41846/1 is firing like crazy.  The Attacker IPs are all internal IPs and all over the board, not just one or two different IPs.  Some of the targets are internal and some are external.  Just wondering if anyone else has noticed this in their environment.

8 Replies

dmcalbosa88
Level 1

Yes, I've noticed a lot of matches of that signature.

The difference in my case is that Attacker IP always is our web proxy, and targets are in most cases Adobe's sites or sites belonging to ThePlanet.com Internet Services, Inc.

jason.giambrone
Level 1

I am seeing it too. Just started yesterday right after a signature update. I had to disable the sig because it was firing so much. Freaked me out at first. I checked the IPs it was reporting on and none of them were of bad reputation. In my case, we would have internal IPs attempting contact to an external address which varied quite a bit. Wish Cisco would vet these better.

tscislaw_2
Level 1

Same here. Legitimate traffic being flagged. I've disabled this sig for now.

CyprusIPS
Level 1

Anyone have an update on this??  We are seeing the same thing and it is worse today than yesterday.

It blew up on us.  Packet captures look like it's matching on any(?) aspx.  Disabled/filtered it.  Signature needs to be fixed!

Yes, we are looking into this issue. The signature will be updated ASAP.

deeznuts420
Level 1

Yep, same issue over here.  Thanks to rupadras for noting a fix is in the works. 

As you may have noticed, the signature was updated in S626 released last night.
