Sig ID 5009/0 IE Security Bypass

leandro10
Level 1

I'm seeing a lot of events in the IPS for Sig ID 5009. This Sig just came out on R851.

Is anyone seeing this as well? I'm very certain they are false positives; they trigger every time users visit certain websites, e.g. one of them is www.metalsusa.com.

 

Below is a capture for one event:

 

Context Data from attacker: (Outside IP)
 
Ether: ---- Ethernet2 OSI=2 Frame #1 Captured on 2015-02-11 10:57:45.006 ---- 
Ether: 
Ether:   dst =  20:49:6e:xx.xx.xx
Ether:   src =  74:72:79:xx:xx:xx
Ether: proto =  0x656e
Ether: 
Data: 0000  64 73 22 20 2f 3e 3c 6c  69 6e 6b 20 68 72 65 66  ds" /><link href
Data: 0010  3d 22 2f 73 74 79 6c 65  2f 6d 61 73 74 65 72 2e  ="/style/master.
Data: 0020  63 73 73 22 20 72 65 6c  3d 22 73 74 79 6c 65 73  css" rel="styles
Data: 0030  68 65 65 74 22 20 74 79  70 65 3d 22 74 65 78 74  heet" type="text
Data: 0040  2f 63 73 73 22 20 2f 3e  3c 6c 69 6e 6b 20 68 72  /css" /><link hr
Data: 0050  65 66 3d 22 2f 73 74 79  6c 65 2f 73 65 61 72 63  ef="/style/searc
Data: 0060  68 2e 63 73 73 22 20 72  65 6c 3d 22 73 74 79 6c  h.css" rel="styl
Data: 0070  65 73 68 65 65 74 22 20  74 79 70 65 3d 22 74 65  esheet" type="te
Data: 0080  78 74 2f 63 73 73 22 20  2f 3e 0d 0a 20 20 20 20  xt/css" />..    
Data: 0090  3c 73 74 79 6c 65 20 74  79 70 65 3d 22 74 65 78  <style type="tex
Data: 00a0  74 2f 63 73 73 22 3e 0d  0a 20 20 20 20 20 20 20  t/css">..       
Data: 00b0  20 2e 73 74 61 72 74 73  65 61 72 63 68 6f 75 74   .startsearchout
Data: 00c0  65 72 62 6f 78 0d 0a 20  20 20 20 20 20 20 20 7b  erbox..        {
Data: 00d0  0d 0a 20 20 20 20 20 20  20 20 20 20 20 20 62 61  ..            ba
Data: 00e0  63 6b 67 72 6f 75 6e 64  3a 20 23 38 44 38 44 38  ckground: #8D8D8
Data: 00f0  44 3b                                            D;
Data: 
 
 
From victim: (Internal IP)
 
Ether: ---- Ethernet2 OSI=2 Frame #1 Captured on 2015-02-11 10:57:45.006 ---- 
Ether: 
Ether:   dst =  69:64:3d:xx:xx:xx
Ether:   src =  63:69:64:xx:xx:xx
Ether: proto =  0x2663
Ether: 
Data: 0000  69 64 3d 2d 31 3b 20 41  53 50 2e 4e 45 54 5f 53  id=-1; ASP.NET_S
Data: 0010  65 73 73 69 6f 6e 49 64  3d 64 79 71 75 61 61 7a  essionId=dyquaaz
Data: 0020  31 62 34 34 6b 73 31 73  73 30 6d 6b 6e 62 71 6d  1b44ks1ss0mknbqm
Data: 0030  30 3b 20 41 57 53 45 4c  42 3d 35 44 35 33 38 35  0; AWSELB=5D5385
Data: 0040  35 31 31 36 36 34 34 43  37 33 36 41 44 35 35 34  5116644C736AD554
Data: 0050  32 46 43 34 44 36 45 42  42 44 31 30 30 45 36 36  2FC4D6EBBD100E66
Data: 0060  41 33 41 37 39 46 35 41  44 30 41 30 31 37 36 36  A3A79F5AD0A01766
Data: 0070  46 42 33 43 32 41 37 39  45 33 42 43 32 32 41 33  FB3C2A79E3BC22A3
Data: 0080  46 31 45 42 38 30 41 45  39 35 35 32 35 32 30 46  F1EB80AE9552520F
Data: 0090  44 43 36 41 42 31 43 36  46 46 36 39 33 37 45 43  DC6AB1C6FF6937EC
Data: 00a0  41 46 43 44 43 34 37 35  44 30 46 46 34 30 38 35  AFCDC475D0FF4085
Data: 00b0  39 37 38 46 33 46 39 36  35 30 32 42 32 35 46 30  978F3F96502B25F0
Data: 00c0  34 36 39 44 0d 0a 56 69  61 3a 20 31 2e 31 20 6c  469D..Via: 1.1 l
Data: 00d0  6f 63 61 6c 68 6f 73 74  2e 6c 6f 63 61 6c 64 6f  ocalhost.localdo
Data: 00e0  6d 61 69 6e 20 41 43 31  30 31 45 30 35 20 0d 0a  main AC101E05 ..
Data: 00f0  0d 0a                                            ..
Data:
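The two "Context Data" blocks above are hex dumps of the bytes around the signature match, which is what you want to read when triaging a suspected false positive. Note that the "Ether" header the sensor prints for them does not look like a real frame header: decoding its octets as ASCII gives " In", "try", "en" on the attacker side and "id=", "cid", "&c" on the victim side, which fits the surrounding HTML and Cookie text far better than MAC addresses or an EtherType. The script below is an added example, not code from Cisco or from the original poster. It parses this dump format back into bytes, checks each line's offset and ASCII column against the hex (so a dump mangled by copy/paste is rejected rather than misread), and renders the header octets as text. SAMPLE is a shortened copy constructed from the first capture above; the xx octets are shown masked in the post and are rendered as "?".

```python
import re

# Constructed sample: a shortened copy of the "From attacker" capture in the
# post above. The "xx" octets appear masked in the post.
SAMPLE = """\
Ether: ---- Ethernet2 OSI=2 Frame #1 Captured on 2015-02-11 10:57:45.006 ----
Ether:
Ether:   dst =  20:49:6e:xx.xx.xx
Ether:   src =  74:72:79:xx:xx:xx
Ether: proto =  0x656e
Ether:
Data: 0000  64 73 22 20 2f 3e 3c 6c  69 6e 6b 20 68 72 65 66  ds" /><link href
Data: 0010  3d 22 2f 73 74 79 6c 65  2f 6d 61 73 74 65 72 2e  ="/style/master.
Data: 0020  63 73 73 22 20 72 65 6c  3d 22 73 74 79 6c 65 73  css" rel="styles
Data: 0030  44 3b                                            D;
Data:
"""

HEX2 = r"[0-9a-fA-F]{2}"
ETHER_FIELD = re.compile(r"^Ether:\s+(dst|src|proto)\s*=\s*(\S+)")
DATA_LINE = re.compile(
    r"^Data:\s+(?P<off>[0-9a-fA-F]{4})\s+"
    # up to 8 bytes, then optionally a double space and up to 8 more
    rf"(?P<hex>(?:{HEX2} ){{0,7}}{HEX2}(?:  (?:{HEX2} ){{0,7}}{HEX2})?)"
    # the sensor's own ASCII rendering, separated by two or more spaces
    r"(?:\s{2,}(?P<ascii>.*))?$"
)


def _printable(data: bytes) -> str:
    """Render bytes the way the sensor's ASCII column does: '.' for non-printables."""
    return "".join(chr(b) if 32 <= b < 127 else "." for b in data)


def _octets_to_text(value: str) -> str:
    """'20:49:6e:xx.xx.xx' or '0x656e' -> text; masked 'xx' octets become '?'."""
    if value.lower().startswith("0x"):
        pairs = [value[i:i + 2] for i in range(2, len(value), 2)]
    else:
        pairs = re.split(r"[:.]", value)
    return "".join("?" if p.lower() == "xx" else _printable(bytes([int(p, 16)]))
                   for p in pairs)


def parse_context(text: str) -> dict:
    """Parse one 'Context Data' block.

    Returns {'header': {'dst': .., 'src': .., 'proto': ..}, 'data': bytes}.
    Raises ValueError if offsets are not contiguous or a line's ASCII column
    disagrees with its hex (a sign the dump was mangled in transit).
    """
    header = {}
    data = bytearray()
    for line in text.splitlines():
        m = ETHER_FIELD.match(line)
        if m:
            header[m.group(1)] = _octets_to_text(m.group(2))
            continue
        m = DATA_LINE.match(line)
        if not m:
            continue  # 'Ether:' separators, the empty trailing 'Data:' line, etc.
        off = int(m.group("off"), 16)
        if off != len(data):
            raise ValueError(f"offset 0x{off:04x} but {len(data)} bytes seen so far")
        chunk = bytes.fromhex(m.group("hex"))  # fromhex ignores the spaces
        shown = m.group("ascii")
        if shown is not None and shown.strip() != _printable(chunk).strip():
            raise ValueError(f"ASCII column mismatch at 0x{off:04x}: {shown!r}")
        data += chunk
    return {"header": header, "data": bytes(data)}


def header_as_text(parsed: dict) -> str:
    """The 14 'Ethernet header' octets in wire order (dst, src, proto) as text."""
    h = parsed["header"]
    return h.get("dst", "") + h.get("src", "") + h.get("proto", "")


def is_intact(text: str) -> bool:
    """True if the dump parses cleanly (contiguous offsets, ASCII column agrees)."""
    try:
        parse_context(text)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    result = parse_context(SAMPLE)
    print("header octets as text:", repr(header_as_text(result)))
    print("payload:", result["data"].decode("ascii", errors="replace"))
```

Run on the full capture from the post, the "attacker" side decodes to a plain HTML `<link>`/`<style>` fragment and the "victim" side to the tail of a Cookie header plus a `Via:` line, which is the kind of evidence to attach when reporting a signature as a false positive.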

 

8 Replies

billdewey
Level 1

I am seeing a lot of events as well.  I haven't verified FP yet, but that is what I'm leaning towards.

We are also seeing this trigger frequently across a couple of our customer's sensors. I was wondering if the signature is a bit too sensitive.

Same here with a ton of false positives.  However, the issue I was seeing is the signature is enabled and blocking... but the signature was set to just alert.  Anyone else see it blocking even though it shouldn't have been?

By default it's only set to Alert. I changed the action to Deny Inline connection at the beginning, suspecting it was something serious. What I've noticed is that by setting the action to Deny, the websites that trigger this alert take a long time to load. I have left it like that just in case.

mhanson2004
Level 1

Since the signature was released it has dominated all events. I also believe it is a false positive.

Will someone from Cisco please chime in? 

Thanks.

 

Mike

bradlesw1
Level 1

We started getting the alerts at 7:24AM EST and mid-afternoon we set it to deny.  This morning numerous reports started coming in and I was asked to investigate.  It didn't take long to determine that it was the sig we set to deny yesterday.

 

Set it to verbose logging and alert only and everyone is working again.  Unfortunately it is swamping everything else.

JonPBerbee
Level 1

It looks like this signature is set to be retired in the package released today.

leandro10
Level 1

Cisco will be retiring 5009.0 on S852.

 

http://tools.cisco.com/security/center/viewBulletin.x?bId=668&year=2015&vs_f=Cisco%20IPS%20Threat%20Defense%20Bulletins&vs_cat=Security%20Intelligence&vs_type=RSS&vs_p=Cisco%20IPS%20Threat%20Defense%20Bulletins:12-FEB-2015&vs_k=1#RETIRED

 

Good to know :)
