02-15-2012 06:40 AM - edited 03-10-2019 05:37 AM
S625 got applied to one of our IDS sensors this morning and 41846/1 is firing like crazy. The Attacker IPs are all internal IPs and all over the board, not just one or two different IPs. Some of the targets are internal and some are external. Just wondering if anyone else has noticed this in their environment.
02-15-2012 06:51 AM
Yes, I've noticed a lot of matches of that signature.
The difference in my case is that the Attacker IP is always our web proxy, and the targets are in most cases Adobe's sites or sites belonging to ThePlanet.com Internet Services, Inc.
02-15-2012 06:58 AM
I am seeing it too. Just started yesterday right after a signature update. I had to disable the sig because it was firing so much. Freaked me out at first. I checked the IPs it was reporting on and none of them were of bad reputation. In my case, we would have internal IPs attempting contact to an external address which varied quite a bit. Wish Cisco would vet these better.
02-15-2012 08:24 AM
Same here. Legitimate traffic being flagged. I've disabled this sig for now.
02-15-2012 08:24 AM
Anyone have an update on this?? We are seeing the same thing and it is worse today than yesterday.
02-15-2012 09:19 AM
It blew up on us. Packet captures look like it's matching on any(?) aspx. Disabled/filtered it. Signature needs to be fixed!
02-15-2012 09:38 AM
Yes, we are looking into this issue. The signature will be updated ASAP.
02-15-2012 10:27 AM
Yep, same issue over here. Thanks to rupadras for noting a fix is in the works.
02-16-2012 02:46 PM
As you may have noticed, the signature was updated in S626 released last night.