
New Member

Activity on Signature 31359/1

Is anyone else seeing a lot of alerts firing from legit sites for sig 31359/1? I'm receiving them from Yahoo and Akamai as well as a few other sites.

Cory

New Member

Re: Activity on Signature 31359/1

Yeah, we're seeing it fire on legit sites also. Began Friday when our IPS loaded the latest sig file.

New Member

Re: Activity on Signature 31359/1

This same signature was a problem back in November. We ended up disabling it. Looks like the new version has the same problem.

https://supportforums.cisco.com/message/3219364#3219364

Re: Activity on Signature 31359/1

Hello Pronet MSSP and tscislaw,

Would you be able to provide a packet capture of the legitimate traffic on which 31359/1 is firing? I will ask our signature team to review the data in the capture and test it against the new sub-signature.

Thank you,

Blayne Dreier

Cisco TAC Escalation Team

**Please check out our Podcasts**

TAC Security Show: http://www.cisco.com/go/tacsecuritypodcast

TAC IPS Media Series: https://supportforums.cisco.com/community/netpro/security/intrusion-prevention?view=tags&tags=tac_ips_media_series

New Member

Re: Activity on Signature 31359/1

Blayne,

Attached is a packet capture from that signature event.

Tony M. Scislaw CISSP

Network Administrator

Kennedy Space Center Federal Credit Union

Merritt Island, Florida

tscislaw@kscfcu.org

www.kscfcu.org

321-456-5422


Cisco Employee

Re: Activity on Signature 31359/1

Hi All,

This may be a recursive problem of signature 31359/0. TAC is still investigating the problem. We are analyzing the info of singular cases, captures and others.

Cheers.

Mike

New Member

Re: Activity on Signature 31359/1

I have been out of the office all week and just wanted to say thank you for posting the packet capture.

Cory

Re: Activity on Signature 31359/1

Hello all,

We now have a bug filed for this issue. The bug id is CSCtl90408 and it is available via the CCO Bug Toolkit: http://tools.cisco.com/Support/BugToolKit/action.do?hdnAction=searchBugs.

You may review the bug and click on the "Save Bug" button at the bottom of the page to receive email updates as changes are made to the bug's state.

I'll update this thread if we make any milestone progress prior to resolving the issue.

Thank you,

Blayne Dreier

Cisco TAC Escalation Team


New Member

Re: Activity on Signature 31359/1

That bug ID isn't showing up in the Toolkit.

Re: Activity on Signature 31359/1

Hello tscislaw,

It will soon. The bug was written this morning and still has to go through review. You should see it in the next day or so.

Thank you,

Blayne Dreier

Cisco TAC Escalation Team

