IPS Tuning - Example Windows SMTP Overflow 5561

Answered Question
Sep 10th, 2008

I have recently deployed a couple of IPS sensors. The sensor alarmed on sig 5561/0 (Windows SMTP Overflow).

http://tools.cisco.com/security/center/viewIpsSignature.x?signatureId=5561&signatureSubId=0&softwareVersion=6.0&releaseVersion=S339

From the link, the signature was updated in June 2008. The CVE is dated 2004 and Microsoft issued patches in 2004. Why is Cisco updating signatures for 4-year-old vulnerabilities?

Is this latest release/update for a new vulnerability?

Correct Answer by wsulym, Wed, 09/10/2008 - 04:52

It was not a new vulnerability. The updated signature released in S339 coincides with the E2 engine release. 5561-0 is a meta-engine signature, and the "update" that was done at the S339 release was to explicitly set an "all components required" flag to true.

Any change that changes the signature XML results in a revision/update.

Hope that helps.
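To make the effect of that flag concrete, here is an added toy model of a meta-engine style composite signature. It is not Cisco's code and not the definition of 5561/0: it assumes a meta signature that tracks component alerts per attacker address inside a sliding reset interval, fires on any component when "all components required" is false, and fires only once every component has been seen within the interval when the flag is true. The component names comp-1/comp-2, the 30 second interval and the alert stream are all constructed for the example.

```python
"""Toy model of an "all components required" meta signature.

Added illustration, not Cisco's implementation.  The semantics modelled here
are an assumption: a partial match is kept per key (attacker address) for
reset_interval seconds; with all_components_required=False any listed
component fires the meta signature, with it set to True every component must
be seen inside the interval before it fires.
"""
from dataclasses import dataclass, field


@dataclass
class MetaSignature:
    sig_id: str
    components: tuple           # component signature ids (hypothetical names)
    reset_interval: float       # seconds a partial match stays alive
    all_components_required: bool
    _partial: dict = field(default_factory=dict)  # key -> {"start", "hits"}

    def observe(self, key, component, ts):
        """Feed one component alert; return True if the meta signature fires."""
        if component not in self.components:
            return False
        state = self._partial.get(key)
        # Start a fresh partial match if none exists or the old one has expired.
        if state is None or ts - state["start"] > self.reset_interval:
            state = {"start": ts, "hits": set()}
            self._partial[key] = state
        state["hits"].add(component)
        if self.all_components_required:
            fired = state["hits"] == set(self.components)
        else:
            fired = True  # any single component is enough (modelled assumption)
        if fired:
            del self._partial[key]  # reset the partial match once we have alarmed
        return fired


# Constructed sample alert stream: (timestamp, attacker address, component id)
ALERTS = [
    (0.0, "192.0.2.10", "comp-1"),
    (1.0, "192.0.2.10", "comp-2"),      # both components within the interval
    (5.0, "198.51.100.7", "comp-1"),    # only one component ever seen
    (20.0, "203.0.113.5", "comp-1"),
    (60.0, "203.0.113.5", "comp-2"),    # second component after the interval expired
]


def run_stream(all_components_required, alerts=ALERTS):
    """Replay the alert stream and return the (timestamp, attacker) pairs that fired."""
    meta = MetaSignature(
        sig_id="meta-example",
        components=("comp-1", "comp-2"),
        reset_interval=30.0,
        all_components_required=all_components_required,
    )
    fired = []
    for ts, attacker, component in alerts:
        if meta.observe(attacker, component, ts):
            fired.append((ts, attacker))
    return fired


if __name__ == "__main__":
    for flag in (False, True):
        print(f"all_components_required={flag}: {run_stream(flag)}")
```

With the flag off, every alert in the constructed stream fires the meta signature, including the two hosts that only ever triggered one component. With the flag on, only 192.0.2.10, whose two components arrived inside the interval, produces an alarm; the host whose second component arrived 40 seconds later starts a new partial match instead. That is the kind of behaviour change a revision that only flips a flag can have on a sensor's alarm volume.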

