Squid Proxy NTLM Authenticate Overflow: dest ip 0.0.0.0

Hello,

in the IPS Event Viewer I see a lot of messages regarding 'Squid Proxy NTLM Authenticate Overflow'. For a lot of them, the destination ip's are as expected: they point to the addresses of our Proxy servers.

However, I also see a lot of packets with destination ip of 0.0.0.0. What does this mean?

4 Replies

wsulym
Cisco Employee

Assuming that this is sig 3737-0.

The summary key is Axxx for that signature, and what you are seeing is most likely summary alerts, showing the "attacker" address.

If you look a bit more at the alert itself, you should see something stating that it's a summary and that there were X alerts over the past interval.
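An added triage helper illustrating the distinction made above (summary alerts with a 0.0.0.0 destination versus real hits on Squid or non-Squid hosts); this is example code written for this thread, not a Cisco tool, and the record layout and sample addresses are constructed assumptions, not the real IPS Event Viewer export format.

```python
"""Triage helper for sig 3737-0 events as described in this thread.

Constructed example: the Alert layout below is an assumption, not the real
IPS Event Viewer export format.
"""
from dataclasses import dataclass

SIG_ID = "3737-0"


@dataclass
class Alert:
    sig_id: str
    attacker: str
    target: str              # destination ip as shown in the viewer
    summary_count: int = 0   # >0 when the alert summarises N hits


def triage(alerts, squid_hosts):
    """Bucket sig 3737-0 alerts into summary / squid / non_squid.

    summary:   target 0.0.0.0 is not a host; the alert only carries the
               attacker address and a hit count for the interval.
    squid:     destination is a known Squid proxy, worth a look.
    non_squid: destination does not run Squid (e.g. an ISA server), so a
               candidate for tuning or disabling the signature there.
    """
    buckets = {"summary": [], "squid": [], "non_squid": []}
    for a in alerts:
        if a.sig_id != SIG_ID:
            continue
        if a.target == "0.0.0.0" or a.summary_count > 0:
            buckets["summary"].append(a)
        elif a.target in squid_hosts:
            buckets["squid"].append(a)
        else:
            buckets["non_squid"].append(a)
    return buckets


def summary_hits_by_attacker(alerts):
    """Total summarised hits per attacker address (who is noisiest)."""
    totals = {}
    for a in triage(alerts, set())["summary"]:
        totals[a.attacker] = totals.get(a.attacker, 0) + max(a.summary_count, 1)
    return totals


# Constructed sample events; addresses come from documentation ranges.
SAMPLE = [
    Alert(SIG_ID, "192.0.2.10", "198.51.100.5"),
    Alert(SIG_ID, "192.0.2.10", "0.0.0.0", summary_count=37),
    Alert(SIG_ID, "192.0.2.11", "198.51.100.9"),
    Alert(SIG_ID, "192.0.2.12", "0.0.0.0", summary_count=4),
    Alert("2000-0", "192.0.2.13", "198.51.100.5"),
]
SQUID_HOSTS = {"198.51.100.5"}   # assumed list of our proxy servers
```

Running `triage(SAMPLE, SQUID_HOSTS)` puts both 0.0.0.0 alerts in `summary`, leaving one genuine Squid hit and one hit on a host that does not run Squid.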

It seems the signature needs tuning from the Cisco side; we keep seeing it all the time (false positives). It's detecting this signature for our ISA Server(s) here.

Regards

Farrukh

That signature is for CVE-2004-0541 (a 4-year-old vulnerability), applicable to Squid Web Proxy Cache versions Squid-2.5.STABLE5 and below and the initial 3.x version(s). Current versions of squid cache are 2.7stable4 and 3.0stable8.

If you aren't running squid-cache, you should disable this signature.

I'll do that, thanks :)

Regards

Farrukh
