02-11-2015 08:02 AM - edited 03-10-2019 06:19 AM
I'm seeing a lot of events in the IPS for Sig ID 5009; this sig just came out on R851.
Is anyone seeing this as well? I'm very certain they are false positives; they trigger every time users visit certain websites, e.g. one of them is www.metalsusa.com.
Below is a capture for one event:
02-11-2015 12:03 PM
I am seeing a lot of events as well. I haven't verified FP yet, but that is what I'm leaning towards.
02-12-2015 08:05 AM
We are also seeing this trigger frequently across a couple of our customers' sensors. I was wondering if the signature is a bit too sensitive.
02-12-2015 08:13 AM
Same here with a ton of false positives. However, the issue I was seeing is that the signature is enabled and blocking... but the signature was set to just alert. Anyone else see it blocking even though it shouldn't have been?
02-12-2015 08:26 AM
By default it's only set to Alert; I changed the action to Deny Inline Connection at the beginning, suspecting it was something serious. What I've noticed is that by setting the action to Deny, the websites that trigger this alert take a long time to load. I have left it like that just in case.
02-12-2015 08:24 AM
Since the signature was released it has dominated all events. I also believe it is a false positive.
Will someone from Cisco please chime in?
Thanks.
Mike
02-12-2015 08:57 AM
We started getting the alerts at 7:24AM EST and mid-afternoon we set it to deny. This morning numerous reports started coming in and I was asked to investigate. It didn't take long to determine that it was the sig we set to deny yesterday.
Set it to verbose logging and alert only and everyone is working again. Unfortunately it is swamping everything else.
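Several posters above describe the same triage by hand: one signature dominating the event stream, hits concentrated on a few ordinary websites, and in one case events recorded with a deny action although the signature was configured to alert. The script below is an added example (not from this thread or from Cisco) that does that triage over a constructed, simplified set of event records. The field names (`sig_id`, `action`, `dst_host`), the sample events, the hypothetical signature `9999.0` and the `CONFIGURED_ACTIONS` table are all assumptions; real sensor output would first need to be parsed into this shape.

```python
from collections import Counter

# Constructed sample events (not real IPS output; simplified fields).
SAMPLE_EVENTS = [
    {"sig_id": "5009.0", "action": "alert", "dst_host": "www.metalsusa.com"},
    {"sig_id": "5009.0", "action": "alert", "dst_host": "www.metalsusa.com"},
    {"sig_id": "5009.0", "action": "alert", "dst_host": "www.metalsusa.com"},
    {"sig_id": "5009.0", "action": "alert", "dst_host": "www.metalsusa.com"},
    {"sig_id": "5009.0", "action": "alert", "dst_host": "vendor.example"},
    {"sig_id": "5009.0", "action": "deny", "dst_host": "vendor.example"},
    {"sig_id": "9999.0", "action": "alert", "dst_host": "host-a.example"},
    {"sig_id": "9999.0", "action": "alert", "dst_host": "host-b.example"},
    {"sig_id": "9999.0", "action": "alert", "dst_host": "host-c.example"},
    {"sig_id": "9999.0", "action": "alert", "dst_host": "host-c.example"},
]

# Hypothetical configured action per signature (what the sensor should do).
CONFIGURED_ACTIONS = {"5009.0": "alert", "9999.0": "alert"}


def signature_shares(events):
    """Fraction of all events produced by each signature, descending."""
    counts = Counter(e["sig_id"] for e in events)
    total = len(events)
    return sorted(((sig, n / total) for sig, n in counts.items()),
                  key=lambda kv: kv[1], reverse=True)


def dominant_signatures(events, threshold=0.5):
    """Signatures producing at least `threshold` of all events."""
    return [sig for sig, share in signature_shares(events) if share >= threshold]


def top_hosts(events, sig_id, limit=5):
    """Destination hosts that most often trigger a signature.

    A noisy signature whose hits concentrate on a few ordinary websites is a
    false-positive candidate; this list is what you hand to whoever reviews
    the signature or writes an exception for it.
    """
    return Counter(e["dst_host"] for e in events
                   if e["sig_id"] == sig_id).most_common(limit)


def unexpected_actions(events, configured):
    """Events whose recorded action differs from the configured action.

    Flags the case where a signature set to alert shows up as a deny (or the
    reverse), so the discrepancy can be checked against the sensor config
    before it is blamed on the signature itself.
    """
    return [e for e in events
            if e["sig_id"] in configured and e["action"] != configured[e["sig_id"]]]


def triage(events, configured, threshold=0.5):
    """Summarise what a sensor's event stream is dominated by."""
    dominant = dominant_signatures(events, threshold)
    return {
        "total": len(events),
        "dominant": dominant,
        "top_hosts": {sig: top_hosts(events, sig) for sig in dominant},
        "unexpected_actions": len(unexpected_actions(events, configured)),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(triage(SAMPLE_EVENTS, CONFIGURED_ACTIONS), indent=2))
```

On the constructed data the report names 5009.0 as the dominant signature (6 of 10 events), lists the two hosts responsible for all of its hits, and counts one event whose recorded action (deny) does not match the configured alert. The threshold and host limit are tunable; the point is to get the share, the host concentration and the action mismatch as numbers rather than impressions before deciding to disable, filter or wait for the vendor to retire a signature.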
02-12-2015 11:55 AM
It looks like this signature is set to be retired in the package released today.
02-12-2015 12:49 PM
Cisco will be retiring 5009.0 on S852.
http://tools.cisco.com/security/center/viewBulletin.x?bId=668&year=2015&vs_f=Cisco%20IPS%20Threat%20Defense%20Bulletins&vs_cat=Security%20Intelligence&vs_type=RSS&vs_p=Cisco%20IPS%20Threat%20Defense%20Bulletins:12-FEB-2015&vs_k=1#RETIRED
Good to know :)