
DHL-USA.com <P>Microsoft Internet Explorer Method Parameter Validation Vuln

ronj
Level 1

I just started receiving this message today whenever a user accesses the DHL website.

199.41.238.32/0 --> 10.30.99.18/0 TCP <P>Microsoft Internet Explorer Method Parameter Validation Vulnerability</P>,NR-7427/0,Time:1229629119,Risk Rating:100,VLAN:0,Action:sd:droppedPacket cid:deniedFlow cid:tcpOneWayResetSent

Is this implying that the DHL-USA website has been compromised by the recent IE vulnerability?

4 Replies

owillins
Level 6

Traffic from the web server was hitting the event action override and adding a block. Make effect action filter that was tuned to remove the block and everything will work.

j826430
Level 1

Also been seeing these recently here. The trigger packets on the IPS all appear to be JavaScript related. However, since we can't view the regex in the sig, it's difficult to determine what exactly the sig is firing on.

Masked regexes in the sigs are really a huge pain; they make determining false positives much more difficult.

ruppala
Level 1

Could you confirm the Signature ID so that we can look into this further?

I too can confirm 7427/0 on DHL sites.

A Cisco Security Center search on the signature still finds that, "There are no known benign triggers."

Can Cisco look into this?
