DHL-USA.com <P>Microsoft Internet Explorer Method Parameter Validation Vuln

Unanswered Question
Dec 18th, 2008

I just started receiving this message today whenever a user accesses the DHL website.

199.41.238.32/0 --> 10.30.99.18/0 TCP <P>Microsoft Internet Explorer Method Parameter Validation Vulnerability</P>,NR-7427/0,Time:1229629119,Risk Rating:100,VLAN:0,Action:sd:droppedPacket cid:deniedFlow cid:tcpOneWayResetSent

Is this implying that the DHL-USA website has been compromised by the recent IE vulnerability?

owillins Fri, 12/26/2008 - 06:33

Traffic from the web server was hitting the event action override and adding a block. Make effect action filter that was tuned to remove the block and everything will work.

j826430 Wed, 01/07/2009 - 14:44

Also been seeing these recently here. The trigger packets on the IPS all appear to be JavaScript related. However, since we can't view the regex in the sig, it's difficult to determine what exactly the sig is firing on.

Masked regexes in the sigs are really a huge pain; it makes determining false positives much more difficult.

ruppala Tue, 03/17/2009 - 17:19

Could you confirm the Signature ID so that we can look into this further?

bnidacoc Thu, 07/02/2009 - 06:15

I too can confirm 7427/0 on DHL sites.

A Cisco Security Center search on the signature still finds that, "There are no known benign triggers."

Can Cisco look into this?
