11-04-2010 04:42 PM - edited 03-10-2019 05:10 AM
Has anyone else run into an issue with sig 31020 alerting on false positives?
11-05-2010 01:30 AM
Hi. I see the same situation in my LAN environment, especially between Windows Servers. No information about possible benign triggers. It's a fresh signature (S527) so I guess a little tuning from Cisco can be expected.
Best regards,
Marko
11-05-2010 09:39 AM
Thank you for the reply. Hopefully they tune it sooner than later. We're getting way too many alerts.
-Cory
11-08-2010 04:17 AM
It is very important to check if this traffic is matching against the signature. Take a packet capture of the traffic and share it with us so we can check if the signature is being triggered for no reason.
Cheers
Mike.
11-08-2010 05:33 AM
11-08-2010 06:15 AM
Marko,
Thanks for the packet capture. I was taking a look at them and found that in Frame 36 of capture sig31020-1 the user given is (/), which may be considered a Null username by the IPS. Is there a reason why users are being logged as (/)?
Here is the link that explains about the signature
http://tools.cisco.com/security/center/viewIpsSignature.x?signatureId=31020&signatureSubId=0
Let me know.
Cheers.
Mike
11-08-2010 11:18 PM
Thank you for your answer.
I really don't know the answer. I'll try to find out the reason for this, but I don't have much hope of finding the answer.
Best regards,
Marko
11-17-2010 01:54 PM
This fires all the time for us now. Cisco reports that this sig replaced sig 5577/1. 5577/1 has almost never fired on us. Now 31020 fires from hundreds of sources each day.
What changed from 5577/1 to 31020/0?
Is Cisco looking into this?