11-01-2005 05:00 AM - edited 03-10-2019 01:43 AM
Hi,
Can you look at what I believe to be a false positive for sig 5551
Thanks,
evIdsAlert: eventId=1116783457905897506 severity=high vendor=Cisco
originator:
hostId: Vintage01
appName: sensorApp
appInstanceId: 340
time: 2005/11/01 01:06:33 2005/10/31 17:06:33 GMT-08:00
signature: description=Outlook Web Access Cross Site Scripting Vulnerability id=5551 version=S191
subsigId: 0
sigDetails: Outlook Web Access Cross Site Scripting Vulnerability
interfaceGroup:
vlan: 0
participants:
attacker:
addr: locality=OUT <address removed>
port: 80
target:
addr: locality=DMZ1 <address removed>
port: 3735
context:
fromAttacker:
000000 65 63 68 6E 69 63 69 61 6E 73 20 28 45 4D 54 73 echnicians (EMTs
000010 29 20 61 6E 64 20 70 61 72 61 6D 65 64 69 63 73 ) and paramedics
000020 2E 0D 0A 3C 62 72 3E 3C 62 72 3E 0D 0A 3C 41 20 ...<br><br>..<A
000030 48 52 45 46 3D 22 68 74 74 70 3A 2F 2F 61 64 2E HREF="http://ad.
000040 6E 32 34 33 34 2E 64 6F 75 62 6C 65 63 6C 69 63 n2434.doubleclic
000050 6B 2E 6E 65 74 2F 6A 75 6D 70 2F 4E 32 34 33 34 k.net/jump/N2434
000060 2E 6D 69 6C 69 74 61 72 79 61 64 76 61 6E 74 61 .militaryadvanta
000070 67 65 2F 42 31 35 34 37 30 38 30 2E 35 3B 73 7A ge/B1547080.5;sz
000080 3D 31 78 31 3B 6F 72 64 3D 26 23 39 31 3B 74 69 =1x1;ord=[ti
000090 6D 65 73 74 61 6D 70 26 23 39 33 3B 3F 22 3E 0D mestamp]?">.
0000A0 0A 3C 49 4D 47 20 53 52 43 3D 22 68 74 74 70 3A .<IMG SRC="http:
0000B0 2F 2F 61 64 2E 6E 32 34 33 34 2E 64 6F 75 62 6C //ad.n2434.doubl
0000C0 65 63 6C 69 63 6B 2E 6E 65 74 2F 61 64 2F 4E 32 eclick.net/ad/N2
0000D0 34 33 34 2E 6D 69 6C 69 74 61 72 79 61 64 76 61 434.militaryadva
0000E0 6E 74 61 67 65 2F 42 31 35 34 37 30 38 30 2E 35 ntage/B1547080.5
0000F0 3B 73 7A 3D 31 78 31 3B 6F 72 64 3D 26 23 39 31 ;sz=1x1;ord=[
riskRatingValue: 75
interface: fe1_0
protocol: tcp
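When triaging an alert like the one above, the hex column of the fromAttacker context is the only reliable record of what the sensor matched; the printable column is rendered for humans and can be changed by whatever displays it (in this thread, the forum has turned the entity `&#91;`, visible in the hex as `26 23 39 31 3B`, into a plain `[`). The following Python script is an added example, not part of the original post or of any Cisco tool: it parses the context dump format shown above, reconstructs the bytes from the hex column, and lists the HTML character references hidden in the printable rendering. The sample input is the page's own dump lines, copied as the forum rendered them.

```python
import html
import re

# Constructed sample input: the first ten fromAttacker context lines from the
# evIdsAlert above (offset, up to 16 hex bytes, printable rendering). The
# printable column is copied as the forum rendered it; only the hex is trusted.
SAMPLE_CONTEXT = """\
000000 65 63 68 6E 69 63 69 61 6E 73 20 28 45 4D 54 73 echnicians (EMTs
000010 29 20 61 6E 64 20 70 61 72 61 6D 65 64 69 63 73 ) and paramedics
000020 2E 0D 0A 3C 62 72 3E 3C 62 72 3E 0D 0A 3C 41 20 ...<br><br>..<A
000030 48 52 45 46 3D 22 68 74 74 70 3A 2F 2F 61 64 2E HREF="http://ad.
000040 6E 32 34 33 34 2E 64 6F 75 62 6C 65 63 6C 69 63 n2434.doubleclic
000050 6B 2E 6E 65 74 2F 6A 75 6D 70 2F 4E 32 34 33 34 k.net/jump/N2434
000060 2E 6D 69 6C 69 74 61 72 79 61 64 76 61 6E 74 61 .militaryadvanta
000070 67 65 2F 42 31 35 34 37 30 38 30 2E 35 3B 73 7A ge/B1547080.5;sz
000080 3D 31 78 31 3B 6F 72 64 3D 26 23 39 31 3B 74 69 =1x1;ord=[ti
000090 6D 65 73 74 61 6D 70 26 23 39 33 3B 3F 22 3E 0D mestamp]?">.
"""

OFFSET_RE = re.compile(r"[0-9A-Fa-f]{6}")
BYTE_RE = re.compile(r"[0-9A-Fa-f]{2}")


def parse_context_dump(text):
    """Return the raw bytes encoded in the hex column of a context dump.

    Each dump line is: 6-hex-digit offset, up to 16 hex bytes, then a
    printable rendering. Only the first 16 hex tokens after the offset are
    taken, so a printable column that happens to start with hex-looking
    characters (e.g. "echnicians") is never misread as data. Offsets are
    checked so a missing or duplicated line is detected instead of silently
    producing a shifted byte stream.
    """
    out = bytearray()
    expected = 0
    for line in text.splitlines():
        tokens = line.split()
        if len(tokens) < 2 or not OFFSET_RE.fullmatch(tokens[0]):
            continue  # not a dump line (e.g. a field name such as "context:")
        offset = int(tokens[0], 16)
        if offset != expected:
            raise ValueError(
                f"non-contiguous offset {offset:06X}, expected {expected:06X}")
        hex_tokens = []
        for tok in tokens[1:17]:
            if not BYTE_RE.fullmatch(tok):
                break  # reached the printable column on a short line
            hex_tokens.append(tok)
        chunk = bytes.fromhex("".join(hex_tokens))
        out += chunk
        expected += len(chunk)
    return bytes(out)


def decode_payload(raw):
    """Return (wire_text, rendered_text).

    wire_text is the byte-for-byte text as it crossed the network (latin-1
    never fails, so every byte is preserved); rendered_text additionally
    resolves HTML character references, which is what a browser or mail
    client does before display.
    """
    wire_text = raw.decode("latin-1")
    return wire_text, html.unescape(wire_text)


def find_char_refs(wire_text):
    """List each HTML character reference in the wire text with the character
    it resolves to, so an analyst can see what the printable column hides."""
    return [(m.group(0), html.unescape(m.group(0)))
            for m in re.finditer(r"&#?\w+;", wire_text)]


if __name__ == "__main__":
    raw = parse_context_dump(SAMPLE_CONTEXT)
    wire, rendered = decode_payload(raw)
    print(f"{len(raw)} bytes recovered from hex column")
    print("on the wire:", repr(wire))
    print("as rendered:", repr(rendered))
    for ref, ch in find_char_refs(wire):
        print(f"character reference {ref!r} -> {ch!r}")
```

Run it against a dump pasted from the Event Viewer and compare the "on the wire" line with the printable column: any difference between the two is something a display layer changed, and therefore something to check against the signature's match criteria rather than against what the viewer shows.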
11-01-2005 10:06 PM
Hi Matt,
It's not clear to me why that signature fired from the output. Would you be able to get a pcap of the traffic that triggered this signature so I can have a look at this issue more closely?
I am a signature developer and you can e-mail the pcap to me at jlimbo@cisco.com.
Thanks,
jonathan
08-07-2006 01:07 PM
Jonathan,
I know it's almost a year later, but I found your thread on the forum. I'm also having false positives when certain users read HTML email in Outlook.
Below is a decoded alarm context dump from the Cisco IPS Event Viewer:
Decoded Alarm Context (Signature Name='Outlook Web Access Cross Site Scripting Vulnerability'
Event ID='1146513642595857829' Device Name='XXXXXXX' Event UTC Time='1154982879478139000'):
From attacker:
//www.macromedia.com/go/getflashplayer" />
Since the user was reading email from E-Week in Outlook I'm pretty sure it's a false positive.
What do you think?
08-07-2006 06:06 PM
Thanks for bringing this back to my attention. It looks like a false positive; however, I am not able to find the cause of the benign trigger as I need more information. Would you be able to get a pcap which contains the entire HTTP stream for this please?
Thanks,
Jonathan
08-08-2006 04:34 AM
No problem Jonathan --
You just need to tell me what a pcap is (packet capture?) and how to get one. I do know how to turn on logging and read logs in Ethereal. I'll get that going now. Are they the same idea?
08-09-2006 08:12 PM
That is exactly what I mean. PCAP is a packet capture. So if you could use Ethereal to capture the offending HTTP session, that would greatly help.