
IPS 5.0 change action causes False Positives

mkirbyii
Level 1

Hi,

I have upgraded a 4215 with 4 port running 4.1 to 5.0. The device is not inline, still using a single sniff int. When I add the action (reset) on a sig (5126) or any that relate to IIS and apply the change the sensor starts going crazy picking off all sorts of web traffic as a hit and then resets the stream. Problem is these are False positives... If I then go back to IDM and turn off the "reset" action and only use the default (alarm), the alarms keep coming. If I restart the sensor the alarms stop.

What I do not understand is this signature was enabled before and its default action was to "alarm"... I never received any alarms.

As soon as I change the action to alarm and reset all goes crazy??? A sensor restart fixes the issue.

Anyone seeing similar issues?

Thanks in advance

MK

Accepted Solutions

scothrel
Level 3

MK

I think you are experiencing a known bug, fixed in the 5.0(2) update just released. It sounds like:

CSCeh36719 False positives after upgrade to IPS 5.0

It affects signatures in the HTTP engine after they have been tuned. Try installing the 5.0(2) service pack located here:

http://www.cisco.com/cgi-bin/tablebuild.pl/ips5

SC

4 Replies

DSmirnov
Level 1

Yep, I saw it a few times in our environment.

Once I've added "Shun the Host" action for 5344 and received a few hundred shuns installed on firewalls in just a few minutes.

Thank you, just got the bulletin. I will give it a shot.

MK

I applied the 5.0 service pack and tested again. Issue resolved. Thank you for the info.

MK
