Refer to: CSCdv34104
Symptom:
Normal Web Traffic is causing the firing of the 3453 "MS NetMeeting RDS
DoS" signature in version 3.0(1)S6 and 3.0(1)S7 versions of the IDS
sensor appliance.
Condition:
The signature is looking for packets with NULL bytes being sent to port
1720. Port 1720 is a high port whihc may be randomly chosen by web
browsers to connect to port 80 of the Web Server (or other web ports).
If the web server response contains packets with NULL bytes then the
signature will fire causing a false positive.
This can also happen if any other type of client chooses port 1720 to
begin a connection and the service port it connects to sends back NULL
bytes.
WorkAround:
Exclude Web Servers which are causing this signature to False Positive
or disable the signature until it can be fixed by our development teams.
Also the signature was incorrectly placed in as a level 3 signature when
the NSDB is correct in listing it as a level 2 signature.
Lowering the signature will not stop the False Positives but would prevent
it from showing on the management console by default.