Squid Proxy NTLM Authenticate Overflow: dest ip

Unanswered Question
Jul 21st, 2008


In the IPS Event Viewer I see a lot of messages regarding 'Squid Proxy NTLM Authenticate Overflow'. For a lot of them, the destination IPs are as expected: they point to the addresses of our proxy servers.

However, I also see a lot of packets with a destination IP of What does this mean?

wsulym Mon, 07/21/2008 - 08:15

Assuming that this is sig 3737-0.

The summary key is Axxx for that signature, and what you are seeing is most likely summary alerts, showing the "attacker" address.

If you look a bit more at the alert itself, you should see something stating that it's a summary and that there were X alerts over the past interval.

Farrukh Haroon Sun, 08/31/2008 - 23:50

It seems the signature needs tuning from the Cisco side; we keep seeing it all the time (false positives). It's detecting this signature for our ISA server(s) here.



wsulym Mon, 09/01/2008 - 05:57

That signature is for CVE-2004-0541 (a 4-year-old vulnerability), applicable to Squid Web Proxy Cache versions Squid-2.5.STABLE5 and below and the initial 3.x version(s). Current versions of Squid cache are 2.7stable4 and 3.0stable8.

If you aren't running squid-cache, you should disable this signature.
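A small triage script for the situation described in this thread, added here as an example and not code from the original posts or from Cisco. It assumes a constructed, simplified event record layout (sig id, attacker, target, summary flag, hit count), not the real IPS export schema, and a constructed list of proxy addresses; it separates summary alerts (keyed on the attacker address, per the Axxx summary key) from per-packet alerts whose target is, or is not, one of the expected proxies.

```python
# Added example (not from the thread): triage of IPS events for sig 3737-0.
# The record layout below is a constructed, simplified stand-in for an IPS
# event viewer export; it is NOT Cisco's actual event schema.
from collections import Counter
from ipaddress import ip_address

SIG_ID = "3737-0"  # Squid Proxy NTLM Authenticate Overflow (named in the thread)

# Constructed sample events. For a summary alert the viewer shows the
# attacker address and a rolled-up count (summary key Axxx), which is why
# the "target" column of such rows carries the attacker's own address here.
EVENTS = [
    {"sig": SIG_ID, "attacker": "10.1.1.20", "target": "10.0.0.5", "summary": False, "count": 1},
    {"sig": SIG_ID, "attacker": "10.1.1.21", "target": "10.0.0.6", "summary": False, "count": 1},
    {"sig": SIG_ID, "attacker": "10.1.1.20", "target": "10.1.1.20", "summary": True, "count": 37},
    {"sig": SIG_ID, "attacker": "10.1.1.22", "target": "10.0.0.9", "summary": False, "count": 1},
    {"sig": "1000-0", "attacker": "10.1.1.30", "target": "10.0.0.5", "summary": False, "count": 1},
]

PROXIES = {"10.0.0.5", "10.0.0.6"}  # constructed: addresses of our proxy servers


def triage(events, proxies, sig=SIG_ID):
    """Split hits on `sig` into three buckets:
    summaries  - attacker address -> alerts rolled into summary alerts
    expected   - per-packet alerts whose target is one of our proxies
    unexpected - per-packet alerts aimed at anything else (worth a look)
    """
    summaries = Counter()
    expected, unexpected = [], []
    for ev in events:
        if ev["sig"] != sig:
            continue
        ip_address(ev["attacker"])  # raises ValueError on a malformed field
        ip_address(ev["target"])
        if ev["summary"]:
            summaries[ev["attacker"]] += ev["count"]
        elif ev["target"] in proxies:
            expected.append(ev)
        else:
            unexpected.append(ev)
    return {"summaries": summaries, "expected": expected, "unexpected": unexpected}


if __name__ == "__main__":
    result = triage(EVENTS, PROXIES)
    for attacker, hits in result["summaries"].items():
        print(f"summary alert: {hits} hits from {attacker} (attacker-keyed, no real target)")
    print(f"{len(result['expected'])} per-packet alert(s) against our proxies")
    for ev in result["unexpected"]:
        print(f"unexpected target {ev['target']} from {ev['attacker']}")
```

A summary row therefore never identifies a proxy as the destination; only the non-summary rows say where the traffic actually went.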

