5829-0 false positives

Unanswered Question
Dec 22nd, 2006

Outbound Internet traffic through our HTTP proxy is triggering this sig. Below is a trigger packet. We've seen about 50 of these in the last 2 hours.


evIdsAlert: eventId=1152199463829252123 vendor=Cisco severity=medium
  originator:
    hostId: hostname
    appName: sensorApp
    appInstanceId: 20616
  time: December 22, 2006 3:32:53 PM UTC offset=-360 timeZone=GMT-06:00
  signature: description=Microsoft SSL DoS id=5829 version=S263
    subsigId: 0
    sigDetails: Microsoft SSL DoS
  interfaceGroup:
    vlan: 0
  participants:
    attacker:
      addr: 192.168.1.1 locality=PROXY_EXT_IP
      port: 50439
    target:
      addr: 208.215.237.156 locality=ANY
      port: 443
  triggerPacket:
    000000 00 00 5E 00 01 65 00 17 0F 0B 17 00 08 00 45 00 ..^..e........E.
    000010 00 71 83 92 40 00 3F 06 67 55 CE C3 C3 67 D0 D7 .q..@.?.gU...g..
    000020 ED 9C C5 07 01 BB 51 7F 93 2C 30 66 D8 1D 80 18 ......Q..,0f....
    000030 44 70 68 88 00 00 01 01 08 0A 45 10 90 67 1F 48 Dph.......E..g.H
    000040 C5 13 16 03 00 00 38 01 9D CB 06 99 C9 F4 94 F9 ......8.........
    000050 ED 54 42 F3 19 73 FC F8 BA F1 A5 0B B1 AD 02 C6 .TB..s..........
    000060 F4 FD AF 26 71 66 2B 5B A2 05 97 91 4A 22 CF E9 ...&qf+[....J"..
    000070 78 74 13 AC 2B AB B8 54 C5 4E E0 6C CC 36 E8 xt..+..T.N.l.6.
  riskRatingValue: 48
  interface: ge0_0
  protocol: tcp


craiwill (Cisco Employee) Fri, 12/22/2006 - 09:58

We're looking into this issue. Would it be possible to provide a verbose alert for this signature? The signature is designed to detect ssl v3 packets in which the size does not match up with the declared ssl field sizes; I'll need more of the packet to verify the problem.
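Added example, not from the thread or from Cisco: the script below decodes the trigger packet posted above and applies the kind of check craiwill describes, comparing the SSLv3 record length with the handshake message length declared inside it. Everything beyond the hex bytes on this page (function names, the single-packet view, the interpretation of the result) is the example's own assumption.

```python
"""Decode the 5829-0 trigger packet from the post and apply a
record-length vs. handshake-length consistency check (added example)."""
import struct

# Hex bytes copied from the triggerPacket dump in the alert above,
# with the offset and ASCII columns removed.
TRIGGER_PACKET_HEX = """
00 00 5E 00 01 65 00 17 0F 0B 17 00 08 00 45 00
00 71 83 92 40 00 3F 06 67 55 CE C3 C3 67 D0 D7
ED 9C C5 07 01 BB 51 7F 93 2C 30 66 D8 1D 80 18
44 70 68 88 00 00 01 01 08 0A 45 10 90 67 1F 48
C5 13 16 03 00 00 38 01 9D CB 06 99 C9 F4 94 F9
ED 54 42 F3 19 73 FC F8 BA F1 A5 0B B1 AD 02 C6
F4 FD AF 26 71 66 2B 5B A2 05 97 91 4A 22 CF E9
78 74 13 AC 2B AB B8 54 C5 4E E0 6C CC 36 E8
"""


def frame_bytes(hex_dump: str = TRIGGER_PACKET_HEX) -> bytes:
    """Turn the whitespace-separated hex dump into raw frame bytes."""
    return bytes.fromhex("".join(hex_dump.split()))


def tcp_payload(frame: bytes) -> tuple:
    """Walk Ethernet II -> IPv4 -> TCP; return (header facts, TCP payload)."""
    if frame[12:14] != b"\x08\x00":
        raise ValueError("not an IPv4 frame")
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    total_len = struct.unpack("!H", ip[2:4])[0]
    if ip[9] != 6:
        raise ValueError("not TCP")
    tcp = ip[ihl:total_len]
    sport, dport = struct.unpack("!HH", tcp[:4])
    data_offset = (tcp[12] >> 4) * 4  # header length incl. options
    facts = {
        "src": ".".join(str(b) for b in ip[12:16]),
        "dst": ".".join(str(b) for b in ip[16:20]),
        "sport": sport,
        "dport": dport,
        "flags": tcp[13],  # 0x18 = PSH|ACK
    }
    return facts, tcp[data_offset:]


def check_ssl_record(payload: bytes) -> dict:
    """Parse one SSL/TLS record header. For content type 22 (handshake),
    compare the 24-bit handshake length against the 16-bit record length.
    Caveat: an encrypted Finished message (sent after ChangeCipherSpec)
    also carries content type 22, so on a single packet its ciphertext
    is read here as if it were a cleartext handshake header."""
    if len(payload) < 5:
        raise ValueError("payload shorter than a record header")
    ctype, major, minor, rec_len = struct.unpack("!BBBH", payload[:5])
    body = payload[5:5 + rec_len]
    result = {
        "content_type": ctype,
        "version": (major, minor),
        "record_len": rec_len,
        "record_complete": len(payload) >= 5 + rec_len,
        "length_mismatch": False,
    }
    if ctype == 22 and len(body) >= 4:
        result["handshake_type"] = body[0]
        result["handshake_len"] = int.from_bytes(body[1:4], "big")
        # A cleartext handshake message must fit inside its own record.
        result["length_mismatch"] = result["handshake_len"] + 4 > rec_len
    return result


def analyze_trigger_packet(hex_dump: str = TRIGGER_PACKET_HEX) -> dict:
    """Combine the L3/L4 facts with the record check for one packet."""
    facts, payload = tcp_payload(frame_bytes(hex_dump))
    facts["payload_len"] = len(payload)
    facts.update(check_ssl_record(payload))
    return facts


if __name__ == "__main__":
    for key, value in analyze_trigger_packet().items():
        print(f"{key}: {value}")
```

On this packet the record header is 16 03 00 00 38: handshake content type, SSL 3.0, record length 56, and the 61-byte TCP payload holds exactly that record. The four bytes that follow, 01 9D CB 06, read as a ClientHello with a declared length of 0x9DCB06 bytes, which cannot fit in a 56-byte record, so a per-packet length check flags it. The same bytes are also what an encrypted SSLv3 Finished message looks like (ciphertext under content type 22; 4 header + 36 verify_data + 16 MAC bytes is 56 with a stream cipher and MD5 MAC), which is one reading of the random-looking body, though only the verbose alert or a capture of the whole flow, as craiwill asks for, can show whether a ChangeCipherSpec preceded this record.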

