Activity on Signature 31359/1

PronetMSSP
Level 1

Is anyone else seeing a lot of alerts firing from legit sites for sig 31359/1?  I'm receiving them from Yahoo and Akamai as well as a few other sites.

Cory

tscislaw_2
Level 1

Yeah, we're seeing it fire on legit sites also. Began Friday when our IPS loaded the latest sig file.

tscislaw_2
Level 1

This same signature was a problem back in November. We ended up disabling it. Looks like the new version has the same problem.

https://supportforums.cisco.com/message/3219364#3219364

Hello Pronet MSSP and tscislaw,

Would you be able to provide a packet capture of the legitimate traffic on which 31359/1 is firing? I will ask our signature team to review the data in the capture and test it against the new sub-signature.

Thank you,

Blayne Dreier

Cisco TAC Escalation Team

**Please check out our Podcasts**

TAC Security Show: http://www.cisco.com/go/tacsecuritypodcast

TAC IPS Media Series: https://supportforums.cisco.com/community/netpro/security/intrusion-prevention?view=tags&tags=tac_ips_media_series

Blayne,

Attached is a packet capture from that signature event.

Tony M. Scislaw CISSP

Network Administrator

Kennedy Space Center Federal Credit Union

Merritt Island, Florida

tscislaw@kscfcu.org

www.kscfcu.org

321-456-5422

Hi All,

This may be a recursive problem of signature 31359/0. TAC is still investigating the problem. We are analyzing the info of singular cases, captures and others.

Cheers.

Mike

Mike

I have been out of the office all week and just wanted to say thank you for posting the packet capture.

Cory

Hello all,

We now have a bug filed for this issue. The bug id is CSCtl90408 and it is available via the CCO Bug Toolkit: http://tools.cisco.com/Support/BugToolKit/action.do?hdnAction=searchBugs.

You may review the bug and click on the "Save Bug" button at the bottom of the page to receive email updates as changes are made to the bug's state.

I'll update this thread if we make any milestone progress prior to resolving the issue.

Thank you,

Blayne Dreier

Cisco TAC Escalation Team

That bug ID isn't showing up in the Toolkit.

Hello tscislaw,

It will soon. The bug was written this morning and still has to go through review. You should see it in the next day or so.

Thank you,

Blayne Dreier

Cisco TAC Escalation Team
