IPS Tuning - Example Windows SMTP Overflow 5561

rmeans
Level 3

I have recently deployed a couple of IPS sensors. The sensor alarmed on sig 5561/0 (Windows SMTP Overflow).

http://tools.cisco.com/security/center/viewIpsSignature.x?signatureId=5561&signatureSubId=0&softwareVersion=6.0&releaseVersion=S339

From the link, the signature was updated in June 2008. The CVE is dated 2004 and Microsoft issued patches in 2004. Why is Cisco updating signatures for 4-year-old vulnerabilities?

Is this latest release/update for a new vulnerability?

Accepted Solutions

wsulym
Cisco Employee

It was not a new vulnerability. The updated signature released in S339 coincides with the E2 engine release. 5561-0 is a meta-engine signature and the "update" that was done at the S339 release was to explicitly set an "all components required" flag to true.

Any change that changes the signature XML results in a revision/update.

Hope that helps.
