07-21-2008 06:26 AM - edited 03-10-2019 04:12 AM
Hello,
In the IPS Event Viewer I see a lot of messages regarding 'Squid Proxy NTLM Authenticate Overflow'. For a lot of them, the destination IPs are as expected: they point to the addresses of our Proxy servers.
However, I also see a lot of packets with a destination IP of 0.0.0.0. What does this mean?
07-21-2008 08:15 AM
Assuming that this is sig 3737-0.
The summary key is Axxx for that signature, and what you are seeing is most likely summary alerts, showing the "attacker" address.
If you look a bit more at the alert itself, you should see something stating that it's a summary and that there were X alerts over the past interval.
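Added example, not part of the thread: a small triage script that separates summary records (attacker address recorded, target shown as 0.0.0.0, with a count over the interval) from per-packet alerts for one signature, and checks that the per-packet targets are really the proxy servers. The CSV layout, the signature-record fields, the addresses and the `KNOWN_PROXIES` set are all constructed for the example and are not the Event Viewer's actual export format.

```python
"""Triage IPS alerts for one signature: split summary records from per-packet
alerts and flag targets that are not the known proxy servers.

Added example. The record format is a constructed, simplified CSV, not the
Cisco IPS Event Viewer's real export format.
"""
import csv
from collections import Counter
from io import StringIO

# Constructed sample export: sig_id, subsig, alert_type, attacker, target, count.
# Summary records carry the attacker side and a 0.0.0.0 target, with the number
# of alerts seen during the summary interval in 'count'.
SAMPLE_ALERTS = """\
sig_id,subsig,alert_type,attacker,target,count
3737,0,alert,10.1.5.23,192.0.2.10,1
3737,0,alert,10.1.5.24,192.0.2.10,1
3737,0,alert,10.1.5.23,192.0.2.11,1
3737,0,summary,10.1.5.23,0.0.0.0,57
3737,0,summary,10.1.5.24,0.0.0.0,12
1330,1,alert,10.1.7.9,192.0.2.10,1
"""

# Constructed: the addresses of the real proxy servers. A per-packet alert for
# this signature aimed anywhere else deserves a closer look.
KNOWN_PROXIES = {"192.0.2.10", "192.0.2.11"}


def parse_alerts(text):
    """Parse the CSV export into a list of dict records."""
    return list(csv.DictReader(StringIO(text)))


def triage(records, sig_id, subsig, known_proxies=KNOWN_PROXIES):
    """Aggregate alerts for sig_id/subsig.

    Returns per-packet counts by target, summarized counts by attacker
    (the 0.0.0.0 records), and any per-packet target outside known_proxies.
    """
    per_packet = Counter()
    summarized = Counter()
    unexpected_targets = set()
    for rec in records:
        if rec["sig_id"] != sig_id or rec["subsig"] != subsig:
            continue
        is_summary = rec["alert_type"] == "summary" or rec["target"] == "0.0.0.0"
        if is_summary:
            # Summary records name only the attacker; the 0.0.0.0 target is
            # a placeholder, not a real destination host.
            summarized[rec["attacker"]] += int(rec["count"])
        else:
            per_packet[rec["target"]] += int(rec["count"])
            if rec["target"] not in known_proxies:
                unexpected_targets.add(rec["target"])
    return {
        "per_packet_by_target": dict(per_packet),
        "summarized_by_attacker": dict(summarized),
        "unexpected_targets": sorted(unexpected_targets),
    }


if __name__ == "__main__":
    result = triage(parse_alerts(SAMPLE_ALERTS), "3737", "0")
    for key, value in result.items():
        print(f"{key}: {value}")
```

Run it as-is to see the split on the constructed sample; on a real export, adjust the column names in `parse_alerts`/`triage` to match whatever fields the Event Viewer actually emits.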
08-31-2008 11:50 PM
It seems the signature needs tuning from the Cisco side; we keep seeing it all the time (false positives). It's detecting this signature for our ISA Server(s) here.
Regards
Farrukh
09-01-2008 05:57 AM
That signature is for CVE-2004-0541 (a 4-year-old vulnerability), applicable to Squid Web Proxy Cache versions Squid-2.5.STABLE5 and below and the initial 3.x version(s). Current versions of squid cache are 2.7stable4 and 3.0stable8.
If you aren't running squid-cache, you should disable this signature.
09-01-2008 06:15 AM
I'll do that, Thanks :)
Regards
Farrukh