06-04-2008 05:57 PM - edited 03-10-2019 04:08 AM
On MARS alerts (from IPS 4260) are received on one of the IE vulnerabilities.
Event- Microsoft Internet Explorer Dynamic HTML Element Processing Memory Corruption Vulnerability
Source ip/port-a.b.c.d/0
Destination ip/port-w.x.y.z/0
Protocol-TCP
[w.x.y.z is my proxy]
[a.b.c.d should be a web server, running port 80]
Qn> what is tcp port 0?why does MARS display as port 0?
06-05-2008 02:23 AM
If you click on the name of the 'Reporting Device, for example 'ABCD-IDS-1', MARS will show you the 'Raw Event' (as received from the sensor). This will help you show if the IPS is sending the zero port or its the MARS.
Some signatures don't report the port number properly, I don't this this is a bug or by design :) (Since the signature already says 'HTML' )
Btw, I see this false positive on one of our customer's all the time....
Regards
Farrukh
06-05-2008 04:06 AM
Just a guess here; but it could it be that the event is summarized.
Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: