582 Views, 0 Helpful, 5 Replies

false positive for sig 5551

matt_Travis
Level 1

Hi,

Can you look at what I believe to be a false positive for sig 5551

Thanks,

evIdsAlert: eventId=1116783457905897506 severity=high vendor=Cisco
originator:
hostId: Vintage01
appName: sensorApp
appInstanceId: 340
time: 2005/11/01 01:06:33 2005/10/31 17:06:33 GMT-08:00
signature: description=Outlook Web Access Cross Site Scripting Vulnerability id=5551 version=S191
subsigId: 0
sigDetails: Outlook Web Access Cross Site Scripting Vulnerability
interfaceGroup:
vlan: 0
participants:
attacker:
addr: locality=OUT <address removed>
port: 80
target:
addr: locality=DMZ1 <address removed>
port: 3735
context:
fromAttacker:
000000 65 63 68 6E 69 63 69 61 6E 73 20 28 45 4D 54 73 echnicians (EMTs
000010 29 20 61 6E 64 20 70 61 72 61 6D 65 64 69 63 73 ) and paramedics
000020 2E 0D 0A 3C 62 72 3E 3C 62 72 3E 0D 0A 3C 41 20 ...<br><br>..<A
000030 48 52 45 46 3D 22 68 74 74 70 3A 2F 2F 61 64 2E HREF="http://ad.
000040 6E 32 34 33 34 2E 64 6F 75 62 6C 65 63 6C 69 63 n2434.doubleclic
000050 6B 2E 6E 65 74 2F 6A 75 6D 70 2F 4E 32 34 33 34 k.net/jump/N2434
000060 2E 6D 69 6C 69 74 61 72 79 61 64 76 61 6E 74 61 .militaryadvanta
000070 67 65 2F 42 31 35 34 37 30 38 30 2E 35 3B 73 7A ge/B1547080.5;sz
000080 3D 31 78 31 3B 6F 72 64 3D 26 23 39 31 3B 74 69 =1x1;ord=&#91;ti
000090 6D 65 73 74 61 6D 70 26 23 39 33 3B 3F 22 3E 0D mestamp&#93;?">.
0000A0 0A 3C 49 4D 47 20 53 52 43 3D 22 68 74 74 70 3A .<IMG SRC="http:
0000B0 2F 2F 61 64 2E 6E 32 34 33 34 2E 64 6F 75 62 6C //ad.n2434.doubl
0000C0 65 63 6C 69 63 6B 2E 6E 65 74 2F 61 64 2F 4E 32 eclick.net/ad/N2
0000D0 34 33 34 2E 6D 69 6C 69 74 61 72 79 61 64 76 61 434.militaryadva
0000E0 6E 74 61 67 65 2F 42 31 35 34 37 30 38 30 2E 35 ntage/B1547080.5
0000F0 3B 73 7A 3D 31 78 31 3B 6F 72 64 3D 26 23 39 31 ;sz=1x1;ord=&#91
riskRatingValue: 75
interface: fe1_0
protocol: tcp
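When triaging an alert like this one, the first step is to recover the raw bytes the sensor actually matched from the fromAttacker hex dump, because the ASCII column only shows printable characters and a mail client or event viewer may already have rendered HTML character references such as &#91; as "[". The helper below is an added example written for this thread, not code from Cisco or from the posters; it parses a constructed dump in the same offset/hex/ASCII layout as the alert above and lists the character references it contains.

```python
import html
import re

# Constructed sample in the same layout as the sensor's fromAttacker dump:
# 6-digit offset, up to 16 hex bytes, then an ASCII column that is ignored.
SAMPLE_DUMP = """
000000 3B 73 7A 3D 31 78 31 3B 6F 72 64 3D 26 23 39 31 ;sz=1x1;ord=&#91
000010 3B 74 69 6D 65 73 74 61 6D 70 26 23 39 33 3B 3F ;timestamp&#93;?
000020 22 3E 0D 0A                                     ">..
"""

# Offset, then 1..16 two-digit hex bytes each followed by whitespace.
# The cap of 16 keeps a hex-looking ASCII column from being read as data.
HEX_LINE = re.compile(r"^\s*([0-9A-Fa-f]{6})\s+((?:[0-9A-Fa-f]{2}\s+){1,16})")

# Numeric (&#91; / &#x5B;) and named (&amp;) HTML character references.
ENTITY = re.compile(r"&#x?[0-9A-Fa-f]+;|&[A-Za-z]+;")


def parse_context_dump(text):
    """Return the raw bytes encoded in a Cisco IPS context hex dump."""
    out = bytearray()
    for line in text.splitlines():
        m = HEX_LINE.match(line)
        if not m:
            continue  # not a dump line (blank, or another alert field)
        out.extend(int(b, 16) for b in m.group(2).split())
    return bytes(out)


def entity_references(raw):
    """List each HTML character reference on the wire with its decoded form,
    so the analyst can see where a rendered view differs from the raw bytes."""
    text = raw.decode("latin-1")  # 1:1 byte-to-char, never fails
    return [(m.group(0), html.unescape(m.group(0))) for m in ENTITY.finditer(text)]


def rendered_text(raw):
    """What a client would display after expanding character references."""
    return html.unescape(raw.decode("latin-1"))


if __name__ == "__main__":
    raw = parse_context_dump(SAMPLE_DUMP)
    print(raw)
    print(entity_references(raw))
    print(rendered_text(raw))
```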

5 Replies

jlimbo
Level 1

Hi Matt,

It's not clear to me why that signature fired from the output. Would you be able to get a pcap of the traffic that triggered this signature so I can have a look at this issue more closely?

I am a signature developer and you can e-mail the pcap to me at jlimbo@cisco.com.

Thanks,

jonathan

Jonathan,

I know it's almost a year later, but I found your thread on the forum. I'm also having false positives when certain users read HTML email in Outlook.

Below is a decoded alarm context dump from the Cisco IPS Event Viewer:

Decoded Alarm Context (Signature Name='Outlook Web Access Cross Site Scripting Vulnerability'
Event ID='1146513642595857829' Device Name='XXXXXXX' Event UTC Time='1154982879478139000'):
From attacker:
//www.macromedia.com/go/getflashplayer" />
http://ad.doubleclick.net/jump/N1841.ziffdavis.c/B1764282.13;sz=1x1;ord=[timestamp];?">
http://ad.doubleclick.net/ad/N1841.ziffdavis.c/B1764282.13;sz=1x1;ord=[

Since the user was reading email from E-Week in Outlook I'm pretty sure it's a false positive.

What do you think?

Thanks for bringing this back to my attention. It looks like a false positive; however, I am not able to find the cause of the benign trigger, as I need more information. Would you be able to get a pcap which contains the entire HTTP stream for this, please?

Thanks,

Jonathan

No problem Jonathan --

You just need to tell me what a pcap is (packet capture?) and how to get one. I do know how to turn on logging and read logs in Ethereal. I'll get that going now. Are they the same idea?

That is exactly what I mean. PCAP is a packet capture. So if you could use Ethereal to capture the offending HTTP session, that would greatly help.
