Cisco Support Community
Gold

5769-1 false positives

This signature triggers on multipart/form-data POST argument values containing valid HTTP methods (GET, POST, DELETE, etc.). This happens surprisingly often on the Internet.

evIdsAlert: eventId=1147308732612292092 vendor=Cisco severity=medium

originator:

hostId: 88-nsmc-c1

appName: sensorApp

appInstanceId: 12786

time: June 15, 2006 8:09:04 PM UTC offset=-300 timeZone=GMT-06:00

signature: description=Malformed HTTP Request id=5769 version=S231

subsigId: 1

sigDetails: Malformed HTTP Request

interfaceGroup:

vlan: 0

participants:

attacker:

addr: 162.131.154.58 locality=NETCACHE

port: 60736

target:

addr: 162.131.88.12 locality=INTERNAL

port: 80

context:

fromAttacker:

000000 6E 74 65 6E 74 2D 44 69 73 70 6F 73 69 74 69 6F ntent-Dispositio

000010 6E 3A 20 66 6F 72 6D 2D 64 61 74 61 3B 20 6E 61 n: form-data; na

000020 6D 65 3D 22 70 6F 73 74 69 64 22 0D 0A 0D 0A 31 me="postid"....1

000030 31 35 30 34 30 31 32 37 31 0D 0A 2D 2D 2D 2D 2D 150401271..-----

000040 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D ----------------

000050 2D 2D 2D 2D 2D 2D 2D 2D 32 31 30 30 38 33 32 38 --------21008328

000060 38 35 39 38 0D 0A 43 6F 6E 74 65 6E 74 2D 44 69 8598..Content-Di

000070 73 70 6F 73 69 74 69 6F 6E 3A 20 66 6F 72 6D 2D sposition: form-

000080 64 61 74 61 3B 20 6E 61 6D 65 3D 22 74 79 70 65 data; name="type

000090 22 0D 0A 0D 0A 53 74 61 6E 64 61 72 64 0D 0A 2D "....Standard..-

0000A0 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D ----------------

0000B0 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 32 31 30 30 ------------2100

0000C0 38 33 32 38 38 35 39 38 0D 0A 43 6F 6E 74 65 6E 83288598..Conten

0000D0 74 2D 44 69 73 70 6F 73 69 74 69 6F 6E 3A 20 66 t-Disposition: f

0000E0 6F 72 6D 2D 64 61 74 61 3B 20 6E 61 6D 65 3D 22 orm-data; name="

0000F0 73 75 6D 6D 61 72 79 22 0D 0A 0D 0A 50 6F 73 74 summary"....Post

riskRatingValue: 51

interface: ge0_1

protocol: tcp

8 REPLIES
Cisco Employee

Re: 5769-1 false positives

We are actively working on this. Unfortunately, the alert above does not give us the complete information needed to identify the problem with the signature. If you could send us a traffic sample, that would be very helpful to us.

Thanks,

Radhika

Gold

Re: 5769-1 false positives

I don't believe I have a trace (I'll verify tomorrow), but I can get one easy enough. The act of adding an attachment to a post in one of these forums with a keyword of "Post" (or Get or Delete, etc) should trigger it.

Gold

Re: 5769-1 false positives

The attached pcap file contains the relevant post which triggered this alarm:

evIdsAlert: eventId=1136142973381638834 vendor=Cisco severity=medium

originator:

hostId: 26-fw-dmz-c1

appName: sensorApp

appInstanceId: 13368

time: June 16, 2006 12:22:58 PM UTC offset=-300 timeZone=GMT-06:00

signature: description=Malformed HTTP Request id=5769 version=S231

subsigId: 1

sigDetails: Malformed HTTP Request

interfaceGroup:

vlan: 0

participants:

attacker:

addr: 206.195.195.108 locality=NETCACHE_EXT_IP

port: 6884

target:

addr: 204.69.199.39 locality=ANY

port: 80

actions:

ipLoggingActivated: true

logPairPacketsActivated: true

context:

fromAttacker:

000000 09 00 3C 00 00 00 3C 00 00 00 00 00 5E 00 01 66 ..<...<.....^..f

000010 00 0F 20 6C 99 8B 08 00 45 00 00 28 B3 40 40 00 .. l....E..(.@@.

000020 80 06 21 6A CE C3 C6 74 CE C3 C2 29 01 BB 0D 13 ..!j...t...)....

000030 98 10 06 29 30 48 0F 58 50 04 00 00 9D 13 00 00 ...)0H.XP.......

000040 00 00 00 00 00 00 84 9A 5F 44 E4 C7 09 00 3C 00 ........_D....<.

000050 00 00 3C 00 00 00 00 00 5E 00 01 66 00 0F 20 6C ..<.....^..f.. l

000060 99 8B 08 00 45 00 00 28 B3 41 00 00 80 06 61 69 ....E..(.A....ai

000070 CE C3 C6 74 CE C3 C2 29 01 BB 0D 13 98 10 06 29 ...t...).......)

000080 98 10 06 29 50 04 00 00 3E 7A 00 00 00 00 00 00 ...)P...>z......

000090 00 00 0D 0A 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D ....------------

0000A0 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D ----------------

0000B0 2D 32 34 30 34 33 32 39 37 37 38 32 37 38 31 34 -240432977827814

0000C0 0D 0A 43 6F 6E 74 65 6E 74 2D 44 69 73 70 6F 73 ..Content-Dispos

0000D0 69 74 69 6F 6E 3A 20 66 6F 72 6D 2D 64 61 74 61 ition: form-data

0000E0 3B 20 6E 61 6D 65 3D 22 66 69 6C 65 64 65 73 63 ; name="filedesc

0000F0 72 69 70 74 69 6F 6E 22 0D 0A 0D 0A 50 6F 73 74 ription"....Post

ipLogIds:

ipLogId: 1701737422

riskRatingValue: 51

interface: ge0_0

protocol: tcp

Gold

Re: 5769-1 false positives

Had to re-attach file.

Cisco Employee

Re: 5769-1 false positives

I've identified the problem. To resolve this false positive you can add a max inspect length (or max match offset for 5.x users) of 10. This will be resolved in the next signature update.

Thanks,

Craig
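
Why bounding the match offset removes this false positive, as an added example that is not part of the thread and not Cisco's signature logic: the regex below is a hypothetical stand-in for signature 5769, and the upload request, host name and function names are constructed. "Max match offset" is modelled as an assumption: the matched method token must end within the first N bytes of the client stream.

```python
import re
from typing import List, Optional

# Hypothetical pattern (assumption, NOT the real 5769 regex): an HTTP method
# at the start of a line that is not followed by a well-formed
# "<SP>URI<SP>HTTP/x.y<CRLF>" request line.
METHOD_LINE = re.compile(
    rb"(?:^|\r\n)(GET|POST|PUT|DELETE|HEAD|OPTIONS|TRACE)\b"
    rb"(?! \S+ HTTP/\d\.\d\r\n)",
    re.IGNORECASE,
)

BOUNDARY = b"----constructed-boundary-0001"  # constructed sample value


def multipart_post(fields) -> bytes:
    """Build a constructed multipart/form-data POST like the one in the alert."""
    body = b"".join(
        b"--" + BOUNDARY + b"\r\nContent-Disposition: form-data; name=\""
        + name + b"\"\r\n\r\n" + value + b"\r\n"
        for name, value in fields
    ) + b"--" + BOUNDARY + b"--\r\n"
    head = (
        b"POST /forum/post HTTP/1.1\r\nHost: forum.example\r\n"
        b"Content-Type: multipart/form-data; boundary=" + BOUNDARY + b"\r\n"
        b"Content-Length: " + str(len(body)).encode() + b"\r\n\r\n"
    )
    return head + body


def match_offsets(stream: bytes, max_match_offset: Optional[int] = None) -> List[int]:
    """Return stream offsets where the pattern fires, honouring the bound."""
    hits = []
    for m in METHOD_LINE.finditer(stream):
        # Modelled bound: discard hits whose method token ends past the limit.
        if max_match_offset is not None and m.end(1) > max_match_offset:
            continue
        hits.append(m.start(1))
    return hits


# Constructed request: field names follow the alert context, values are made up.
UPLOAD = multipart_post([
    (b"postid", b"1150401271"),
    (b"type", b"Standard"),
    (b"summary", b"Post about the upgrade"),
])

if __name__ == "__main__":
    print("unbounded hits:", match_offsets(UPLOAD))
    print("bounded to 10: ", match_offsets(UPLOAD, 10))
    print("bad request:   ", match_offsets(b"DELETE /x\r\n\r\n", 10))
```

Unbounded, the only hit is the form value that begins with "Post" deep in the body; with the bound of 10 that hit disappears, while a malformed request line at the start of the stream is still reported.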

Bronze

Re: 5769-1 false positives

I attempted to apply the fix you had supplied, but ran into something odd. Can you see if you can explain this?

Using CS-Manager / IPS manager, I selected to tune the signature in question and found that it was already set at max inspect length of 10. The drop down menu at the top of the tuning page shows S236 for the signature, but I am only running S232. I do have auto download configured and do have the S236 signature on the CS-Manager server, but not on my sensor. Is there any way to tune the S232 version of the signature in this situation?

Thanks,

Mark

Bronze

Re: 5769-1 false positives

I was able to tune the S231 version of the signature by going to the individual sensors instead of the global group like I had tried to do in the first attempt. Luckily I only have two sensors to tune.

Note: I would have expected to see all versions of the signature in the drop down menu that shows up for tuning under the global settings.

Thanks,

Mark

Cisco Employee

Re: 5769-1 false positives

You could tune it directly on the sensor via IDM. https://

Click on "Signature Configuration" under "Signature Definition" on the left hand side TOC. Find the sig in the table then click the edit button.
