Signature 31020 appears to be alerting to a massive amount of false positives

PronetMSSP
Level 1

Has anyone else run into an issue with sig 31020 alerting on false positives?

7 Replies

m.vuckovic
Level 1

Hi. I see the same situation in my LAN environment, especially between Windows Servers. No information about possible benign triggers. It's a fresh signature (S527), so I guess a little tuning from Cisco can be expected.

Best regards,

Marko

Thank you for the reply. Hopefully they tune it sooner rather than later. We're getting way too many alerts.

-Cory

It is very important to check whether this traffic is actually matching against the signature. Take a packet capture of the traffic and share it with us so we can check if the signature is being triggered for no reason.

Cheers,

Mike

Hi,

Maykol.

I'm attaching two captured flows (log pair command on the IPS) which triggered alarm 31020.

Best regards,

Marko

Marko,

Thanks for the packet capture. I was taking a look at them and found that in Frame 36 of capture sig31020-1 the user given is (/), which may be considered a null username by the IPS. Is there a reason why users are being logged as (/)?

Here is the link that explains about the signature

http://tools.cisco.com/security/center/viewIpsSignature.x?signatureId=31020&signatureSubId=0

Let me know.

Cheers,

Mike

Thank you for your answer.

I really don't know the answer. I'll try to find out the reason for this, but I don't have much hope of finding the answer.

Best regards,

Marko

This fires all the time for us now. Cisco reports that this sig replaced sig 5577/1. 5577/1 almost never fired on us. Now 31020 fires from hundreds of sources each day.

What changed from 5577/1 to 31020/0?

Is Cisco looking into this?
