New sig 5757 - Outlook cross-site scripting - lots of FPs

jkell
Level 1

Receiving lots of apparent FPs for 5757. I don't see any nulls (encoded or otherwise) in the payload, and it's flagging a chunk of an SMTP conversation.

Example logged payload included.

23 Replies

wsulym
Cisco Employee

Well that was some timing.... I just finished up the mods to the sig and it's ready to go. It'll be in s246.

Excellent!

Thanks!

Timing? I just disabled it yesterday to remove the annoyance factor (plus I got an extra-large burst of them this week).

Will have to remember to re-enable it now when S246 rolls out...

Thanks :)

Yes, thank you! I too was seeing a large number of these signatures fired.

Well, I think I'm seeing less of them with S246, but I'm still getting them.

wsulym
Cisco Employee

Credit where credit is due, Daniel Fabian of SEC Consult Unternehmensberatung GmbH has his name attached to the publicly published disclosure of this vulnerability. This is erratic null byte handling by OWA.

If you can turn on verbose alerting for the signature and supply me a few alerts (you can send directly to me at wsulym@cisco.com) I can take another look at it and see if there's anything we can do.

I'm not seeing the traffic you are as I had the new version running for a couple of weeks prior to s246 and not a single trigger.

As much as I hate saying this, there's just not a whole lot to trigger from based on the vulnerability. But, if you aren't running OWA, I would turn this signature off.

I'm not getting alerts now after re-enabling with S246. My FP problem appears to have been fixed :-) Thanks!

I spoke too soon. I have 822 alerts this morning :-(

E-mailed you some pcaps.
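The thread turns on one question: does the flagged payload actually contain a null byte, raw or encoded, or is the signature matching on something else? Below is an added triage helper for that check. It is not part of this thread, not Cisco's signature 5757 logic, and does not know what 5757 really keys on; it assumes, from the first post and the "erratic null byte handling" remark, that a relevant payload must carry a NUL in some form (raw 0x00, percent-encoded `%00`, double-encoded `%2500`, or an HTML numeric entity for 0). The two sample payloads are constructed here for illustration.

```python
import re

# Constructed sample payloads (assumptions for this example, not the pcaps from the thread).
# A benign SMTP exchange of the kind the first poster saw flagged: no NUL in any form.
BENIGN_SMTP_CHUNK = (
    "EHLO mail.example.test\r\n"
    "MAIL FROM:<alice@example.test>\r\n"
    "RCPT TO:<bob@example.test>\r\n"
    "DATA\r\n"
    "Subject: quarterly report\r\n"
    "\r\n"
    "Please find the report attached. 100% on track.\r\n"
    ".\r\n"
)
# A constructed HTTP request line with a percent-encoded NUL in the query string.
SUSPECT_OWA_REQUEST = (
    "GET /owa/?ae=Item&id=abc%00def HTTP/1.1\r\n"
    "Host: owa.example.test\r\n"
)

# Encodings under which a NUL can survive in transit (assumed set for this example).
NULL_PATTERNS = {
    "raw_nul": re.compile(rb"\x00"),
    "percent_encoded": re.compile(rb"%00"),
    # %25 decodes to '%', so %2500 becomes %00 after one round of decoding.
    "double_percent_encoded": re.compile(rb"%2500"),
    # &#0; &#00; &#x0; &#x00; and similar zero-valued numeric entities.
    "html_numeric_entity": re.compile(rb"&#(?:0+|x0+);", re.IGNORECASE),
}


def find_null_bytes(payload: bytes) -> list:
    """Return (encoding_name, byte_offset) pairs for every NUL form found, ordered by offset."""
    findings = []
    for name, pattern in NULL_PATTERNS.items():
        for match in pattern.finditer(payload):
            findings.append((name, match.start()))
    return sorted(findings, key=lambda finding: finding[1])


def triage_alert(payload: bytes) -> dict:
    """Classify a captured alert payload for analyst review.

    No NUL in any recognised encoding means the alert cannot be the null-byte
    condition this helper assumes, so it is marked as a likely false positive.
    """
    findings = find_null_bytes(payload)
    return {
        "verdict": "needs_review" if findings else "likely_false_positive",
        "findings": findings,
    }


if __name__ == "__main__":
    for label, sample in (("smtp", BENIGN_SMTP_CHUNK), ("owa", SUSPECT_OWA_REQUEST)):
        result = triage_alert(sample.encode("latin-1"))
        print(f"{label}: {result['verdict']} {result['findings']}")
```

Run it over the verbose-alert payloads before sending them on: anything that comes back `likely_false_positive` is worth including in the sample set, since it shows the signature firing on data that has no NUL to match, which is exactly what a signature author needs to see to tighten the rule.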
