Hello all! Sig 33439 was modified in S592 and I'm seeing a lot more alerts from this signature since we pushed S592. Does anyone know what changed and what the trigger is that causes the signature to fire? I have capture files and have not been able to identify anything malicious, nor what is causing it to fire. If anyone can help me understand what the trigger is, I'm hoping I'll be able to identify what in the packets is causing the possible false positives. Thank you.
I've noticed this as well. As long as all machines running IE have the necessary patches, it shouldn't be a real problem, but it would be nice to know what's causing all the noise since S592 came out.
We have had the same issue here with several customers during the last two weeks.
We waited for signature updates to see if it was fixed, but no luck.
We disabled the signature for some customers.
I'll open a service request with TAC to see if I can get any clarification or more information. I'll let y'all know what I find out.
I opened an SR Friday morning and received confirmation, but have not heard anything back since. Cisco isn't being very responsive with this query at all.
We've had the same uptick in alerts on this signature, and now it's affecting a website that one of our users needs to access. Our systems are patched so I will likely just disable it for now, but I'll definitely watch this thread to see if Cisco updates with any information about a potential re-release of this sig.