Activity on Signature 31359

Unanswered Question
Nov 4th, 2010

Seeing this signature firing quite a bit in the past hour.  Intially started seeing activity from ASIAPAC and Europe, Now seeing activity from the US.

Told our IPS to drop packets but not alert.

Anyone else seeing this signature fire ?

Ron

I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Average Rating: 0 (0 ratings)
russellmiles64 Thu, 11/04/2010 - 16:27

Yes, we're seeing the same.  Started with Signature version 528.0 for us at the noon auto update today.  It was frequently blocking http responses from our web server to web clients.  We had to disable the signature till we figure out what is going on.  The full name of the signature is: Microsoft Internet Explorer Invalid Flag Reference Remote Code Execution Vulnerability

mikecrowe4ICS_2 Thu, 11/04/2010 - 19:35

Cisco has noted this activity as well:

http://tools.cisco.com/security/center/viewAlert.x?alertId=21736

"Microsoft has indicated that targeted attacks have been observed in the wild.  Current exploits may be prevented on Windows systems that implement Data Execution Prevention (DEP).  Windows Vista and 7, along with Windows Server 2003 and 2008, incorporate DEP, reducing risk on these systems."

The extra special bonus?  No patch is available at the moment ... fun.

"Microsoft has confirmed the vulnerability in a security advisory; however, software updates are not available."

This signature was just added in S528, which rolled out within the last 24 hours.  That might explain why you haven't seen it until now.

tscislaw_2 Fri, 11/05/2010 - 14:40

We're seeing this signature fire on accessing legitimate websites such as ap.org (Associated Press) and others.

Christopher Dreier Sat, 11/06/2010 - 17:51

Hello tscislaw,

If you are seeing the signature fire on suspected benign traffic, do you mind providing a capture of the trigger packets so that we can compare it to what the signature should match?

Thank you,

Blayne Dreier

Cisco TAC Escalation Team

**Please check out our Podcasts**

TAC Security Show: http://www.cisco.com/go/tacsecuritypodcast

TAC IPS Media Series: https://supportforums.cisco.com/community/netpro/security/intrusion-prevention?view=tags&tags=tac_ips_media_series

tscislaw_2 Mon, 11/08/2010 - 05:52

Blayne,

There's nothing in the trigger packet tab. Here's a copy of the "show all details" on the event for www.ap.org (Associated Press). Also had one this morning for www.netflix.com. It's also copied below.

=======www.ap.org==============

Event ID    1279312152368438939
Severity    high
Host ID    kscfcu-ips
Application Name    sensorApp
Event Time    11/05/2010 17:06:13
Sensor Local Time    11/05/2010 21:06:13
Signature ID    31359
Signature Sub-ID    0
Signature Name    Microsoft Internet Explorer Invalid Flag Reference Remote Code Execution Vulnerability
Signature Version    S528
Signature Details    Microsoft Internet Explorer Invalid Flag Reference Remote Code Execution Vulnerability
Interface Group    vs0
VLAN ID    0
Interface    ge0_0
Attacker IP    165.1.59.220
Protocol    tcp
Attacker Port    80
Attacker Locality    OUT
Target IP    223.100.200.142
Target Port    4326
Target Locality    OUT
Target OS    unknown unknown (unknown)
Actions    droppedPacket+deniedAttacker+deniedFlow+tcpOneWayResetSent
Risk Rating    TVR=medium
Risk Rating Value    85
Threat Rating    40
Reputation   
Context Data    From attacker:

Ether: ---- Ethernet2 OSI=2 Frame #1 Captured on 2010-11-05 17:06:13.962 ----
Ether:
Ether:   dst =  22:50:37:5f:72:75
Ether:   src =  6e:53:63:72:6f:6c
Ether: proto =  0x6c65
Ether:
Data: 0000  72 28 27 70 37 73 63 72  6f 6c 6c 65 72 31 27 2c  r('p7scroller1',
Data: 0010  27 52 65 73 75 6d 65 27  2c 27 4d 65 64 69 75 6d  'Resume','Medium
Data: 0020  27 2c 30 2c 30 2c 30 2c  30 29 22 20 6f 6e 43 6c  ',0,0,0,0)" onCl
Data: 0030  69 63 6b 3d 22 50 37 5f  74 75 74 70 69 63 28 27  ick="P7_tutpic('
Data: 0040  70 61 67 65 73 2f 63 61  70 74 69 6f 6e 73 2f 62  pages/captions/b
Data: 0050  69 67 70 69 63 36 2e 68  74 6d 27 29 3b 69 66 28  igpic6.htm');if(
Data: 0060  74 68 69 73 2e 62 6c 75  72 29 74 68 69 73 2e 62  this.blur)this.b
Data: 0070  6c 75 72 28 29 3b 72 65  74 75 72 6e 20 66 61 6c  lur();return fal
Data: 0080  73 65 22 3e 3c 69 6d 67  20 73 72 63 3d 22 6d 65  se">Data: 0090  64 69 61 2f 64 65 6d 6f  5f 69 6d 61 67 65 73 2f  dia/demo_images/
Data: 00a0  70 68 6f 74 6f 36 2e 6a  70 67 22 20 61 6c 74 3d  photo6.jpg" alt=
Data: 00b0  22 6e 65 77 73 70 68 6f  74 6f 22 20 77 69 64 74  "newsphoto" widt
Data: 00c0  68 3d 22 32 39 32 22 20  68 65 69 67 68 74 3d 22  h="292" height="
Data: 00d0  32 30 30 22 20 62 6f 72  64 65 72 3d 22 30 22 3e  200" border="0">
Data: 00e0  3c 2f 61 3e 3c 2f 74 64  3e 0d 0a 3c 2f 74 61 62  ..Data: 00f0  6c 65                                            le
Data:
From victim:

Ether: ---- Ethernet2 OSI=2 Frame #1 Captured on 2010-11-05 17:06:13.962 ----
Ether:
Ether:   dst =  2e:36:20:47:54:42
Ether:   src =  37:2e:31:d:a:41
Ether: proto =  0x6363
Ether:
Data: 0000  65 70 74 3a 20 74 65 78  74 2f 68 74 6d 6c 2c 61  ept: text/html,a
Data: 0010  70 70 6c 69 63 61 74 69  6f 6e 2f 78 68 74 6d 6c  pplication/xhtml
Data: 0020  2b 78 6d 6c 2c 61 70 70  6c 69 63 61 74 69 6f 6e  +xml,application
Data: 0030  2f 78 6d 6c 3b 71 3d 30  2e 39 2c 2a 2f 2a 3b 71  /xml;q=0.9,*/*;q
Data: 0040  3d 30 2e 38 0d 0a 41 63  63 65 70 74 2d 4c 61 6e  =0.8..Accept-Lan
Data: 0050  67 75 61 67 65 3a 20 65  6e 2d 75 73 2c 65 6e 3b  guage: en-us,en;
Data: 0060  71 3d 30 2e 35 0d 0a 41  63 63 65 70 74 2d 45 6e  q=0.5..Accept-En
Data: 0070  63 6f 64 69 6e 67 3a 20  67 7a 69 70 2c 64 65 66  coding: gzip,def
Data: 0080  6c 61 74 65 0d 0a 41 63  63 65 70 74 2d 43 68 61  late..Accept-Cha
Data: 0090  72 73 65 74 3a 20 49 53  4f 2d 38 38 35 39 2d 31  rset: ISO-8859-1
Data: 00a0  2c 75 74 66 2d 38 3b 71  3d 30 2e 37 2c 2a 3b 71  ,utf-8;q=0.7,*;q
Data: 00b0  3d 30 2e 37 0d 0a 4b 65  65 70 2d 41 6c 69 76 65  =0.7..Keep-Alive
Data: 00c0  3a 20 31 31 35 0d 0a 43  6f 6e 6e 65 63 74 69 6f  : 115..Connectio
Data: 00d0  6e 3a 20 6b 65 65 70 2d  61 6c 69 76 65 0d 0a 58  n: keep-alive..X
Data: 00e0  2d 4d 6f 7a 3a 20 70 72  65 66 65 74 63 68 0d 0a  -Moz: prefetch..
Data: 00f0  0d 0a                                            ..
Data:
Packet Data   
Event Summary    0
Initial Alert   
Summary Type   
Final Alert   
Event Status    New
Event Notes  

=========================================================

==========www.netflix.com===================================

Event ID    1279312152368517485
Severity    high
Host ID    kscfcu-ips
Application Name    sensorApp
Event Time    11/08/2010 08:28:18
Sensor Local Time    11/08/2010 13:28:18
Signature ID    31359
Signature Sub-ID    0
Signature Name    Microsoft Internet Explorer Invalid Flag Reference Remote Code Execution Vulnerability
Signature Version    S528
Signature Details    Microsoft Internet Explorer Invalid Flag Reference Remote Code Execution Vulnerability
Interface Group    vs0
VLAN ID    0
Interface    ge0_0
Attacker IP    208.75.79.17
Protocol    tcp
Attacker Port    80
Attacker Locality    OUT
Target IP    223.100.200.101
Target Port    2113
Target Locality    OUT
Target OS    learned windows-nt-2k-xp (relevant)
Actions    droppedPacket+deniedAttacker+deniedFlow+tcpOneWayResetSent
Risk Rating    TVR=medium ARR=relevant
Risk Rating Value    95
Threat Rating    50
Reputation   
Context Data    From attacker:

Ether: ---- Ethernet2 OSI=2 Frame #1 Captured on 2010-11-08 08:28:18.515 ----
Ether:
Ether:   dst =  65:6c:65:6d:2e:72
Ether:   src =  65:70:6c:61:63:65
Ether: proto =  0x282f
Ether:
Data: 0000  5e 5c 73 2b 2f 2c 22 22  29 2e 73 75 62 73 74 72  ^\s+/,"").substr
Data: 0010  69 6e 67 28 30 2c 31 30  29 2e 74 6f 4c 6f 77 65  ing(0,10).toLowe
Data: 0020  72 43 61 73 65 28 29 3b  76 61 72 20 77 72 61 70  rCase();var wrap
Data: 0030  3d 21 74 61 67 73 2e 69  6e 64 65 78 4f 66 28 22  =!tags.indexOf("
Data: 0040  3c 6f 70 74 22 29 26 26  5b 31 2c 22 3c 73 65 6c  Data: 0050  65 63 74 20 6d 75 6c 74  69 70 6c 65 3d 27 6d 75  ect multiple='mu
Data: 0060  6c 74 69 70 6c 65 27 3e  22 2c 22 3c 2f 73 65 6c  ltiple'>","Data: 0070  65 63 74 3e 22 5d 7c 7c  21 74 61 67 73 2e 69 6e  ect>"]||!tags.in
Data: 0080  64 65 78 4f 66 28 22 3c  6c 65 67 22 29 26 26 5b  dexOf("Data: 0090  31 2c 22 3c 66 69 65 6c  64 73 65 74 3e 22 2c 22  1,"","
Data: 00a0  3c 2f 66 69 65 6c 64 73  65 74 3e 22 5d 7c 7c 74  "]||t
Data: 00b0  61 67 73 2e 6d 61 74 63  68 28 2f 5e 3c 28 74 68  ags.match(/^<(th
Data: 00c0  65 61 64 7c 74 62 6f 64  79 7c 74 66 6f 6f 74 7c  ead|tbody|tfoot|
Data: 00d0  63 6f 6c 67 7c 63 61 70  29 2f 29 26 26 5b 31 2c  colg|cap)/)&&[1,
Data: 00e0  22 3c 74 61 62 6c 65 3e  22 2c 22 3c 2f 74 61 62  "

","Data: 00f0  6c 65                                            le
Data:
From victim:

Ether: ---- Ethernet2 OSI=2 Frame #1 Captured on 2010-11-08 08:28:18.515 ----
Ether:
Ether:   dst =  69:64:3d:52:4c:4e
Ether:   src =  36:38:50:32:4a:38
Ether: proto =  0x4c4c
Ether:
Data: 0000  38 52 38 41 4a 36 4a 34  32 41 38 4e 32 48 38 4c  8R8AJ6J42A8N2H8L
Data: 0010  52 38 4a 32 48 34 41 3b  20 70 5f 66 69 72 73 74  R8J2H4A; p_first
Data: 0020  5f 72 65 66 3d 68 74 74  70 25 33 41 2f 2f 77 77  _ref=http%3A//ww
Data: 0030  77 2e 62 69 6e 67 2e 63  6f 6d 2f 73 65 61 72 63  w.bing.com/searc
Data: 0040  68 25 33 46 71 25 33 44  4e 45 54 46 4c 49 58 25  h%3Fq%3DNETFLIX%
Data: 0050  32 36 66 6f 72 6d 25 33  44 4d 53 4e 48 31 34 25  26form%3DMSNH14%
Data: 0060  32 36 71 73 25 33 44 6e  3b 20 70 5f 66 69 72 73  26qs%3Dn; p_firs
Data: 0070  74 5f 65 6e 74 72 79 3d  68 74 74 70 73 25 33 41  t_entry=https%3A
Data: 0080  2f 2f 77 77 77 2e 6e 65  74 66 6c 69 78 2e 63 6f  //www.netflix.co
Data: 0090  6d 2f 4c 6f 67 69 6e 3b  20 70 5f 6c 61 73 74 5f  m/Login; p_last_
Data: 00a0  72 65 66 3d 68 74 74 70  25 33 41 2f 2f 75 73 2e  ref=http%3A//us.
Data: 00b0  6d 67 33 2e 6d 61 69 6c  2e 79 61 68 6f 6f 2e 63  mg3.mail.yahoo.c
Data: 00c0  6f 6d 2f 64 63 2f 6c 61  75 6e 63 68 25 33 46 2e  om/dc/launch%3F.
Data: 00d0  67 78 25 33 44 31 25 32  36 2e 72 61 6e 64 25 33  gx%3D1%26.rand%3
Data: 00e0  44 34 75 30 68 75 70 6d  66 66 64 33 69 62 0d 0a  D4u0hupmffd3ib..
Data: 00f0  0d 0a                                            ..
Data:
Packet Data   
Event Summary    0
Initial Alert   
Summary Type   
Final Alert   
Event Status    New
Event Notes

====================================================================

sbrooke Tue, 11/09/2010 - 05:50

We're continuing to get hits on all variety of sites, including internal ones.  We've scrubbed our stuff

and haven't found anything.  Can anyone confirm that the signature is perhaps being overzealous? I'd rather not mark it as safe and miss something that has a legitimate threat in the wild.

mayrojas Tue, 11/09/2010 - 06:36

Hello,

We need to check on the captures what is triggering the signature, as of yet we need to see them with wireshark to analyze the payload. If possible can anyone providea packet capture of this nature, and also, would you please set some websites exmaples that are triggering the signature?

Thanks.

Mike

sbrooke Tue, 11/09/2010 - 06:39

yimg.com is one site but we also have some internal Solarwinds sites that are getting spiked by this. I'll see if I can release a packet capture to you.

sbrooke Tue, 11/09/2010 - 07:01

Is there somewhere private I can post the capture to?

I have a packet out of IME for both a Solarwinds session and what I think is a web based email session with American University's website.

sbrooke Tue, 11/09/2010 - 07:10

Ok, here's one from Yahoo.  I'm not too worried about putting this one out there.  I captured this from IME in both the trigger packet and context data tabs:

Ether: ---- Ethernet2 OSI=2 Frame #1 Captured on 2010-11-09 10:06:04.683 ----
Ether:
Ether:   dst =  0:1a:6d:ea:4c:72
Ether:   src =  0:4:96:27:be:7d
Ether: proto =  0x8100 "(VLAN) IEEE 802.1q"
Ether:
VLAN: ---- IEEE802dot1q IEEE=802.1q OSI=2 ----
VLAN:
VLAN: flags = 0000000000001011 11
VLAN:         000............. 0x0 = [priority]
VLAN:         ...0............ 0x0 = [cfi]
VLAN:         ....000000001011 11 = [id]
VLAN:  type =  0x800 "(IP) Internet protocol (v4 or v6)"
VLAN:
IPv4: ---- IPv4 RFC=791 OSI=3 ----
IPv4:
IPv4:      ver =  4 "Internet Protocol version 4"
IPv4:     hlen =  5 (20 bytes) "No IP options present"
IPv4:      tos = 00000000 0x0
IPv4:            000..... 0x0 = [precedence] "Routine"
IPv4:            ...0.... 0x0 = [delay] "Normal delay"
IPv4:            ....0... 0x0 = [throughput] "Normal throughput"
IPv4:            .....0.. 0x0 = [reliability] "Normal reliability"
IPv4:            ......00 0x0 = [reserved]
IPv4:      len =  1420 (1400 bytes of data)
IPv4:       id =  0xb9c6
IPv4:    flags = 010 0x2 (bit fields)
IPv4:            0.. 0x0 = [reserved]
IPv4:            .1. 0x1 = [df] "Do not fragment"
IPv4:            ..0 0x0 = [mf] "no more fragments"
IPv4:   offset =  0 (0 bytes)
IPv4:      ttl =  52 (hops)
IPv4: protocol =  6 "(TCP) Transmition Control Protocol (RFC793)"
IPv4: checksum =  0x101b
IPv4:    saddr =  98.137.80.33
IPv4:    daddr =  192.168.4.56
IPv4:
TCP: ---- TCP RFC=793 OSI=4 ----
TCP:
TCP: sport =  80
TCP: dport =  1041
TCP:   seq =  366993190
TCP:   ack =  1979566247
TCP:  hlen =  5 (20 bytes) "No TCP options present"
TCP:   res =  0
TCP:  code = 010000 0x10
TCP:         0..... 0x0 = [urg]
TCP:         .1.... 0x1 = [ack] "Acknowledgement Field Significant"
TCP:         ..0... 0x0 = [psh]
TCP:         ...0.. 0x0 = [rst]
TCP:         ....0. 0x0 = [syn]
TCP:         .....0 0x0 = [fin]
TCP:   win =  8767 (bytes)
TCP:   crc =  0xe0c5 (CRC-16)
TCP:   urg =  0 (byte offset)
TCP:
Data: 0000  20 53 54 59 4c 45 3d 22  76 69 73 69 62 69 6c 69   STYLE="visibili
Data: 0010  74 79 3a 68 69 64 64 65  6e 3b 22 3e 27 3b 63 2b  ty:hidden;">';c+
Data: 0020  3d 6a 3b 63 2b 3d 22 3c  49 4d 47 20 6f 6e 4c 6f  =j;c+="Data: 0030  61 64 3d 5c 22 72 65 74  75 72 6e 20 59 41 48 4f  ad=\"return YAHO
Data: 0040  4f 2e 53 68 6f 72 74 63  75 74 73 2e 55 74 69 6c  O.Shortcuts.Util
Data: 0050  73 2e 72 65 73 69 7a 65  49 6d 61 67 65 54 6f 4d  s.resizeImageToM
Data: 0060  61 78 53 69 7a 65 28 74  68 69 73 2c 37 30 2c 37  axSize(this,70,7
Data: 0070  30 2c 27 69 6d 67 64 69  76 5f 22 2b 28 64 2b 70  0,'imgdiv_"+(d+p
Data: 0080  29 2b 27 5c 27 29 3b 22  20 53 52 43 3d 22 27 2b  )+'\');" SRC="'+
Data: 0090  66 2b 27 22 20 42 4f 52  44 45 52 3d 30 20 41 4c  f+'" BORDER=0 AL
Data: 00a0  54 3d 22 27 2b 75 2b 27  22 3e 27 3b 63 2b 3d 22  T="'+u+'">';c+="
Data: 00b0  3c 2f 41 3e 22 3b 63 2b  3d 22 3c 2f 44 49 56 3e  ";c+="
Data: 00c0  22 3b 63 2b 3d 22 3c 2f  54 44 3e 22 3b 63 2b 3d  ";c+="";c+=
Data: 00d0  22 3c 2f 54 52 3e 22 3b  76 61 72 20 73 3d 22 22  "";var s=""
Data: 00e0  3b 73 2b 3d 22 3c 54 52  3e 22 3b 73 2b 3d 22 3c  ;s+="

";s+="<
Data: 00f0  54 44 20 56 41 4c 49 47  4e 3d 6d 69 64 64 6c 65  TD VALIGN=middle
Data: 0100  20 41 4c 49 47 4e 3d 63  65 6e 74 65 72 3e 22 3b   ALIGN=center>";
Data: 0110  73 2b 3d 6a 3b 73 2b 3d  62 3b 73 2b 3d 22 3c 2f  s+=j;s+=b;s+="Data: 0120  41 3e 22 3b 73 2b 3d 22  3c 2f 54 44 3e 22 3b 73  A>";s+="";s
Data: 0130  2b 3d 22 3c 2f 54 52 3e  22 3b 6b 2b 3d 27 3c 54  +="";k+='Data: 0140  44 20 41 4c 49 47 4e 3d  63 65 6e 74 65 72 20 56  D ALIGN=center V
Data: 0150  41 4c 49 47 4e 3d 74 6f  70 20 41 4c 49 47 4e 3d  ALIGN=top ALIGN=
Data: 0160  63 65 6e 74 65 72 20 53  54 59 4c 45 3d 22 77 69  center STYLE="wi
Data: 0170  64 74 68 3a 27 2b 67 2b  27 22 3e 27 3b 6b 2b 3d  dth:'+g+'">';k+=
Data: 0180  27 3c 54 41 42 4c 45 20  43 45 4c 4c 50 41 44 44  '
Data: 0190  49 4e 47 3d 30 20 43 45  4c 4c 53 50 41 43 49 4e  ING=0 CELLSPACIN
Data: 01a0  47 3d 30 20 48 45 49 47  48 54 3d 22 31 30 30 25  G=0 HEIGHT="100%
Data: 01b0  22 3e 27 3b 6b 2b 3d 63  3b 6b 2b 3d 73 3b 6b 2b  ">';k+=c;k+=s;k+
Data: 01c0  3d 22 3c 2f 54 41 42 4c  45 3e 22 3b 6b 2b 3d 22  ="";k+="
Data: 01d0  3c 2f 54 44 3e 22 7d 6b  2b 3d 22 3c 2f 54 52 3e  "}k+="
Data: 01e0  3c 2f 54 41 42 4c 45 3e  22 3b 6b 2b 3d 22 3c 2f  ";k+="Data: 01f0  44 49 56 3e 22 3b 69 66  28 65 29 7b 6b 2b 3d 27  DIV>";if(e){k+='
Data: 0200  3c 44 49 56 20 49 44 3d  22 72 69 67 68 74 41 72 
Data: 0210  72 6f 77 44 69 76 22 20  53 54 59 4c 45 3d 22 77  rowDiv" STYLE="w
Data: 0220  69 64 74 68 3a 27 2b 72  2b 22 70 78 3b 20 68 65  idth:'+r+"px; he
Data: 0230  69 67 68 74 3a 22 2b 6e  2b 22 70 78 3b 20 6c 65  ight:"+n+"px; le
Data: 0240  66 74 3a 33 31 34 70 78  3b 20 74 6f 70 3a 30 70  ft:314px; top:0p
Data: 0250  78 3b 20 70 6f 73 69 74  69 6f 6e 3a 61 62 73 6f  x; position:abso
Data: 0260  6c 75 74 65 3b 20 74 65  78 74 2d 61 6c 69 67 6e  lute; text-align
Data: 0270  3a 63 65 6e 74 65 72 3b  20 6d 69 64 64 6c 65 3b  :center; middle;
Data: 0280  20 7a 2d 69 6e 64 65 78  3a 20 31 31 3b 20 62 61   z-index: 11; ba
Data: 0290  63 6b 67 72 6f 75 6e 64  2d 69 6d 61 67 65 3a 75  ckground-image:u
Data: 02a0  72 6c 28 27 68 74 74 70  3a 2f 2f 6c 2e 79 69 6d  rl('http://l.yim
Data: 02b0  67 2e 63 6f 6d 2f 75 73  2e 79 69 6d 67 2e 63 6f  g.com/us.yimg.co
Data: 02c0  6d 2f 69 2f 75 73 2f 73  68 63 2f 67 72 2f 61 72  m/i/us/shc/gr/ar
Data: 02d0  72 6f 77 5f 72 69 67 68  74 5f 61 63 74 69 76 65  row_right_active
Data: 02e0  5f 33 2e 70 6e 67 27 29  3b 20 62 61 63 6b 67 72  _3.png'); backgr
Data: 02f0  6f 75 6e 64 2d 72 65 70  65 61 74 3a 6e 6f 2d 72  ound-repeat:no-r
Data: 0300  65 70 65 61 74 3b 62 61  63 6b 67 72 6f 75 6e 64  epeat;background
Data: 0310  2d 70 6f 73 69 74 69 6f  6e 3a 63 65 6e 74 65 72  -position:center
Data: 0320  3b 5c 22 20 6f 6e 43 6c  69 63 6b 3d 5c 22 59 41  ;\" onClick=\"YA
Data: 0330  48 4f 4f 2e 53 68 6f 72  74 63 75 74 73 2e 4f 76  HOO.Shortcuts.Ov
Data: 0340  65 72 6c 61 79 2e 70 72  6f 74 6f 74 79 70 65 2e  erlay.prototype.
Data: 0350  73 74 61 72 74 4d 6f 76  65 4f 6e 65 53 6c 69 64  startMoveOneSlid
Data: 0360  65 28 2d 22 2b 32 38 34  2b 27 29 3b 22 3e 3c 2f  e(-"+284+');">Data: 0370  44 49 56 3e 27 3b 6b 2b  3d 27 3c 44 49 56 20 49  DIV>';k+='
Data: 0380  44 3d 22 72 69 67 68 74  41 72 72 6f 77 44 69 76  D="rightArrowDiv
Data: 0390  49 6e 61 63 74 69 76 65  22 20 53 54 59 4c 45 3d  Inactive" STYLE=
Data: 03a0  22 77 69 64 74 68 3a 27  2b 72 2b 22 70 78 3b 20  "width:'+r+"px;
Data: 03b0  68 65 69 67 68 74 3a 22  2b 6e 2b 22 70 78 3b 20  height:"+n+"px;
Data: 03c0  6c 65 66 74 3a 33 31 34  70 78 3b 20 74 6f 70 3a  left:314px; top:
Data: 03d0  30 70 78 3b 20 70 6f 73  69 74 69 6f 6e 3a 61 62  0px; position:ab
Data: 03e0  73 6f 6c 75 74 65 3b 20  74 65 78 74 2d 61 6c 69  solute; text-ali
Data: 03f0  67 6e 3a 63 65 6e 74 65  72 3b 20 6d 69 64 64 6c  gn:center; middl
Data: 0400  65 3b 20 7a 2d 69 6e 64  65 78 3a 20 31 31 3b 20  e; z-index: 11;
Data: 0410  62 61 63 6b 67 72 6f 75  6e 64 2d 69 6d 61 67 65  background-image
Data: 0420  3a 75 72 6c 28 27 68 74  74 70 3a 2f 2f 6c 2e 79  :url('http://l.y
Data: 0430  69 6d 67 2e 63 6f 6d 2f  75 73 2e 79 69 6d 67 2e  img.com/us.yimg.
Data: 0440  63 6f 6d 2f 69 2f 75 73  2f 73 68 63 2f 67 72 2f  com/i/us/shc/gr/
Data: 0450  61 72 72 6f 77 5f 72 69  67 68 74 5f 64 69 73 61  arrow_right_disa
Data: 0460  62 6c 65 64 5f 33 2e 70  6e 67 27 29 3b 20 62 61  bled_3.png'); ba
Data: 0470  63 6b 67 72 6f 75 6e 64  2d 72 65 70 65 61 74 3a  ckground-repeat:
Data: 0480  6e 6f 2d 72 65 70 65 61  74 3b 62 61 63 6b 67 72  no-repeat;backgr
Data: 0490  6f 75 6e 64 2d 70 6f 73  69 74 69 6f 6e 3a 63 65  ound-position:ce
Data: 04a0  6e 74 65 72 3b 20 76 69  73 69 62 69 6c 69 74 79  nter; visibility
Data: 04b0  3a 20 68 69 64 64 65 6e  3b 5c 22 3e 3c 2f 44 49  : hidden;\">Data: 04c0  56 3e 22 7d 6b 2b 3d 22  3c 2f 44 49 56 3e 22 3b  V>"}k+="";
Data: 04d0  6b 2b 3d 22 3c 2f 44 49  56 3e 22 3b 69 66 28 64  k+="";if(d
Data: 04e0  6f 63 75 6d 65 6e 74 2e  67 65 74 45 6c 65 6d 65  ocument.getEleme
Data: 04f0  6e 74 42 79 49 64 28 22  6f 76 65 72 6c 61 79 52  ntById("overlayR
Data: 0500  65 6c 61 74 65 64 22 29  21 3d 6e 75 6c 6c 29 7b  elated")!=null){
Data: 0510  64 6f 63 75 6d 65 6e 74  2e 67 65 74 45 6c 65 6d  document.getElem
Data: 0520  65 6e 74 42 79 49 64 28  22 6f 76 65 72 6c 61 79  entById("overlay
Data: 0530  52 65 6c 61 74 65 64 22  29 2e 69 6e 6e 65 72 48  Related").innerH
Data: 0540  54 4d 4c 3d 6b 7d 7d 3b  59 41 48 4f 4f 2e 53 68  TML=k}};YAHOO.Sh
Data: 0550  6f 72 74 63 75 74 73 2e  4f 76 65 72 6c 61 79 2e  ortcuts.Overlay.
Data: 0560  70 72 6f 74                            prot
Data:


From attacker:

Ether: ---- Ethernet2 OSI=2 Frame #1 Captured on 2010-11-09 10:06:04.683 ----
Ether:
Ether:   dst =  44:3e:22:3b:63:2b
Ether:   src =  3d:22:3c:2f:54:52
Ether: proto =  0x3e22
Ether:
Data: 0000  3b 76 61 72 20 73 3d 22  22 3b 73 2b 3d 22 3c 54  ;var s="";s+="Data: 0010  52 3e 22 3b 73 2b 3d 22  3c 54 44 20 56 41 4c 49  R>";s+="

Data: 0020  47 4e 3d 6d 69 64 64 6c  65 20 41 4c 49 47 4e 3d  GN=middle ALIGN=
Data: 0030  63 65 6e 74 65 72 3e 22  3b 73 2b 3d 6a 3b 73 2b  center>";s+=j;s+
Data: 0040  3d 62 3b 73 2b 3d 22 3c  2f 41 3e 22 3b 73 2b 3d  =b;s+="";s+=
Data: 0050  22 3c 2f 54 44 3e 22 3b  73 2b 3d 22 3c 2f 54 52  "";s+="Data: 0060  3e 22 3b 6b 2b 3d 27 3c  54 44 20 41 4c 49 47 4e  >";k+='Data: 0070  3d 63 65 6e 74 65 72 20  56 41 4c 49 47 4e 3d 74  =center VALIGN=t
Data: 0080  6f 70 20 41 4c 49 47 4e  3d 63 65 6e 74 65 72 20  op ALIGN=center
Data: 0090  53 54 59 4c 45 3d 22 77  69 64 74 68 3a 27 2b 67  STYLE="width:'+g
Data: 00a0  2b 27 22 3e 27 3b 6b 2b  3d 27 3c 54 41 42 4c 45  +'">';k+='
Data: 00b0  20 43 45 4c 4c 50 41 44  44 49 4e 47 3d 30 20 43   CELLPADDING=0 C
Data: 00c0  45 4c 4c 53 50 41 43 49  4e 47 3d 30 20 48 45 49  ELLSPACING=0 HEI
Data: 00d0  47 48 54 3d 22 31 30 30  25 22 3e 27 3b 6b 2b 3d  GHT="100%">';k+=
Data: 00e0  63 3b 6b 2b 3d 73 3b 6b  2b 3d 22 3c 2f 54 41 42  c;k+=s;k+="Data: 00f0  4c 45                                            LE
Data:
From victim:

Ether: ---- Ethernet2 OSI=2 Frame #1 Captured on 2010-11-09 10:06:04.683 ----
Ether:
Ether:   dst =  6f:6d:70:61:74:69
Ether:   src =  62:6c:65:3b:20:4d
Ether: proto =  0x5349
Ether:
Data: 0000  45 20 38 2e 30 3b 20 57  69 6e 64 6f 77 73 20 4e  E 8.0; Windows N
Data: 0010  54 20 35 2e 31 3b 20 54  72 69 64 65 6e 74 2f 34  T 5.1; Trident/4
Data: 0020  2e 30 3b 20 47 54 42 36  2e 36 3b 20 28 52 31 20  .0; GTB6.6; (R1
Data: 0030  31 2e 35 29 3b 20 2e 4e  45 54 20 43 4c 52 20 31  1.5); .NET CLR 1
Data: 0040  2e 31 2e 34 33 32 32 3b  20 2e 4e 45 54 20 43 4c  .1.4322; .NET CL
Data: 0050  52 20 32 2e 30 2e 35 30  37 32 37 3b 20 49 6e 66  R 2.0.50727; Inf
Data: 0060  6f 50 61 74 68 2e 31 3b  20 2e 4e 45 54 20 43 4c  oPath.1; .NET CL
Data: 0070  52 20 33 2e 30 2e 30 34  35 30 36 2e 33 30 3b 20  R 3.0.04506.30;
Data: 0080  2e 4e 45 54 20 43 4c 52  20 33 2e 30 2e 34 35 30  .NET CLR 3.0.450
Data: 0090  36 2e 32 31 35 32 3b 20  2e 4e 45 54 20 43 4c 52  6.2152; .NET CLR
Data: 00a0  20 33 2e 35 2e 33 30 37  32 39 3b 20 49 6e 66 6f   3.5.30729; Info
Data: 00b0  50 61 74 68 2e 32 3b 20  4d 53 2d 52 54 43 20 4c  Path.2; MS-RTC L
Data: 00c0  4d 20 38 29 0d 0a 48 6f  73 74 3a 20 6c 2e 79 69  M 8)..Host: l.yi
Data: 00d0  6d 67 2e 63 6f 6d 0d 0a  43 6f 6e 6e 65 63 74 69  mg.com..Connecti
Data: 00e0  6f 6e 3a 20 4b 65 65 70  2d 41 6c 69 76 65 0d 0a  on: Keep-Alive..
Data: 00f0  0d 0a                                            ..
Data:

mayrojas Tue, 11/09/2010 - 07:11

Would it be possible for you to download that capture in pcap format?

Cheers.

Mike

Stijn Vanveerdeghem Tue, 11/09/2010 - 07:25

We are aware of potential issues with signature 31359/0 that can cause it to fire on legitimate traffic.

A bug has been filed and our signature develpment team is working on a solution.

For more info, see http://tools.cisco.com/squish/41f5E

For now, as a workaround, you may want to disable the signature or create an Event Action Filter to remove any actions applied for particular source/destination pairs.

I will update you as soon as new informatoin if available.

Let me know if you have any furhter questions, alternatively you can open a case with TAC.

Stijn

Stijn Vanveerdeghem Tue, 11/09/2010 - 15:20

Ron, and anyone else who reported the issue,

In order for us to  further determine what exactly is causing this signature to fire for  your traffic, can you please provide me packet capture (pcap file) of the traffic on which the signature is firing on ?

Please email me the pcaps: svanveer@cisco.com

Thanks in advance !

Stijn

bnidacoc Fri, 11/12/2010 - 10:38

I understand from the latest Cisco IPS Threat Defense Bulletin for Release S530 that 31359.0 is now classified as a retired signature.

Would another signature be coming out in response to this vulnerability, or might sloppy internet website coding be too common that blocking this pattern by default be to invasive, or something else?

Thanks.

tscislaw_2 Mon, 01/24/2011 - 11:32

We're seeing this same thing happen on the new 31359/1 signature.

Actions

Login or Register to take actions

This Discussion

Posted November 4, 2010 at 2:32 PM
Stats:
Replies:18 Avg. Rating:
Views:1701 Votes:0
Shares:0
Tags: No tags.

Discussions Leaderboard

Rank Username Points
1 816
2 668
3 603
4 526
5 367
Rank Username Points
5
5
5
5
5