S256 sig 5170 -- *thousands* of FPs

jkell
Level 1

Thousands and thousands... apparently firing on nulls outside of uricontent. ASA5540/AIP-SSM20s. 5.1(3)S256.0.

16 Replies

DFiore
Level 1

I'm seeing "dozens" of "Null Byte in HTTP Requests" when certain users access their web-based email.

Have you heard from Cisco regarding?

attmidsteam
Level 1

Is anybody else seeing crashes related to this sig update? S256 crashed several of our sensors just after updating. P.O.S.

Also forgot to mention that we saw upwards of 14 thousand hits on this signature in under an hour from about 8 sensors. We couldn't disable it fast enough...

No crashes - yet. Our load is low on our 4240. If I do crash, I'll post it.

No crashes yet. But we did have a problem with a number of sensors after they received S255. It looks like the default signature set is getting too big - I now have to tune and disable a number of signatures just so the hardware can cope.

Several of our sensors hung during the S256 upgrade too. Actually we aborted the update due to it.

Last line in /usr/cids/idsRoot/var/updates/logs/install.log was:

Sending signature edc.

Same for you?

wsulym
Cisco Employee

I'll assume it's the -1 subsig. Can you flip verbose alert on for that sig, and provide us some of the alerts w/ verbose output. Thanks.

Sent you several in offline email.

Did Cisco ever figure this out? At least in our case, it seems to be caused by binary data in a HTTP POST. See attached for a snippet (sorry, that's all I feel comfortable giving).

swimmer116
Level 1

Is there any update to this thread? We are also seeing thousands of events that appear to be false positives.

99% of the false positives I saw were from Yahoo Messenger notifications.

I would just do what we did; disable it across the board since it is obviously bogus.

Got alerts from CSM stating that "the sensor reports that it is running low on resources." Measure of resource utilization on the virtual sensor was 22. After disabling 5170 it's down to 0.

I just picked the last in this thread to respond to. 5170-1 is very much like 5171-0, it's looking for the exact same thing except in the arguments instead of the URI. We are still working with the engine developers, but you can turn the sig off until the new version is released, or edit the signature and set de-obfuscate to "false". The change to the signature in the upcoming release will be the deobfuscation change. Even with the change, this signature will still fire on BitTorrent traffic, as it normally has nulls embedded in the arguments, however in this case it would be a benign trigger and not a false positive since the signature only looks for the embedded null, and that occurs "naturally" in BitTorrent traffic.
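The reply above draws two distinctions that are easy to get wrong when tuning: the null byte may sit in the URI path (the 5171-0 case) or in the query arguments (the 5170-1 case), and whether a `%00` sequence counts at all depends on whether the engine de-obfuscates (percent-decodes) the request before matching. The following added example is a small illustrative model written for this thread, not Cisco's engine code and not the real signature definition. It assumes a plain HTTP request line as input and a `deobfuscate` switch that stands in for the signature's de-obfuscate parameter; the sample request lines are constructed.

```python
from urllib.parse import unquote_to_bytes


def find_embedded_null(request_line: bytes, deobfuscate: bool = True) -> dict:
    """Report whether a NUL byte appears in the URI path or in the query
    arguments of one HTTP request line.

    Illustrative model only (not the IPS engine): `deobfuscate=True`
    percent-decodes both parts first, so an encoded %00 becomes a real NUL
    and matches; `deobfuscate=False` matches only raw NUL bytes.
    """
    parts = request_line.split(b" ", 2)
    if len(parts) < 2:
        # Not a well-formed request line; nothing to inspect.
        return {"uri": False, "args": False}
    target = parts[1]
    path, _, args = target.partition(b"?")
    if deobfuscate:
        path = unquote_to_bytes(path)
        args = unquote_to_bytes(args)
    return {"uri": b"\x00" in path, "args": b"\x00" in args}


def tally_hits(request_lines, deobfuscate: bool = True) -> dict:
    """Count how many request lines would trigger on the URI versus the
    arguments, mirroring the 5171-0 / 5170-1 split described in the thread."""
    counts = {"uri": 0, "args": 0}
    for line in request_lines:
        hit = find_embedded_null(line, deobfuscate)
        counts["uri"] += int(hit["uri"])
        counts["args"] += int(hit["args"])
    return counts


# Constructed sample request lines (not captured traffic):
SAMPLE_REQUESTS = [
    b"GET /index.html HTTP/1.1",                    # clean
    b"GET /search?q=abc%00def HTTP/1.1",            # encoded NUL in the arguments
    b"GET /a\x00b.html HTTP/1.0",                   # raw NUL in the URI path
    b"GET /announce?info_hash=%00%01%02 HTTP/1.0",  # BitTorrent-style binary args
]

if __name__ == "__main__":
    for deob in (True, False):
        print(f"deobfuscate={deob}: {tally_hits(SAMPLE_REQUESTS, deob)}")
```

Run as-is it shows why flipping de-obfuscate to false quiets the argument-side hits: the encoded `%00` requests stop matching while the raw NUL in the path still does. It also shows the benign-trigger point from the reply: a tracker request with binary `info_hash` bytes really does contain an embedded null once decoded, so it matches the rule as written even though nothing is being attacked.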
