Activity on Signature 31359/1

Unanswered Question
Jan 22nd, 2011

Is anyone else seeing a lot of alerts firing from legit sites for sig 31359/1?  I'm receiving them from Yahoo and Akamai as well as a few other sites.

Cory

tscislaw_2 Mon, 01/24/2011 - 11:16

Yeah, we're seeing it fire on legit sites also. Began Friday when our IPS loaded the latest sig file.

Christopher Dreier Tue, 01/25/2011 - 07:52

Hello Pronet MSSP and tscislaw,

Would you be able to provide a packet capture of the legitimate traffic on which 31359/1 is firing? I will ask our signature team to review the data in the capture and test it against the new sub-signature.

Thank you,

Blayne Dreier

Cisco TAC Escalation Team

**Please check out our Podcasts**

TAC Security Show: http://www.cisco.com/go/tacsecuritypodcast

TAC IPS Media Series: https://supportforums.cisco.com/community/netpro/security/intrusion-prevention?view=tags&tags=tac_ips_media_series

tscislaw_2 Tue, 01/25/2011 - 09:05

Blayne,

Attached is a packet capture from that signature event.

Tony M. Scislaw CISSP

Network Administrator

Kennedy Space Center Federal Credit Union

Merritt Island, Florida

tscislaw@kscfcu.org

www.kscfcu.org

321-456-5422

mayrojas Tue, 01/25/2011 - 18:25

Hi All,

This may be a recursive problem of signature 31359/0. TAC is still investigating the problem. We are analyzing the info of singular cases, captures and others.

Cheers.

Mike

PronetMSSP Thu, 01/27/2011 - 07:01

I have been out of the office all week and just wanted to say thank you for posting the packet capture.

Cory

Christopher Dreier Thu, 01/27/2011 - 07:35

Hello all,

We now have a bug filed for this issue. The bug id is CSCtl90408 and it is available via the CCO Bug Toolkit: http://tools.cisco.com/Support/BugToolKit/action.do?hdnAction=searchBugs.

You may review the bug and click on the "Save Bug" button at the bottom of the page to receive email updates as changes are made to the bug's state.

I'll update this thread if we make any milestone progress prior to resolving the issue.

Thank you,

Blayne Dreier

Cisco TAC Escalation Team

Christopher Dreier Thu, 01/27/2011 - 14:07

Hello tscislaw,

It will soon. The bug was written this morning and still has to go through review. You should see it in the next day or so.

Thank you,

Blayne Dreier

Cisco TAC Escalation Team

Posted January 22, 2011 at 10:43 AM
Tags: signature, ips, alert, ids, aip, sig