Anyone having issues with Signature 41846/1?

JonPBerbee · ‎02-15-2012

S625 got applied to one of our IDS sensors this morning and 41846/1 is firing like crazy. The Attacker IPs are all internal IPs and all over the board, not just one or two different IPs. Some of the targets are internal and some are external. Just wondering if anyone else has noticed this in their environment.

dmcalbosa88 · ‎02-15-2012

Yes, I've noticed a lot of matches of that siganture.

The difference in my case is that Attacker IP always is our web proxy, and targets are in most cases Adobe's sites or sites belonging to ThePlanet.com Internet Services, Inc.

jason.giambrone · ‎02-15-2012

I am seeing it too. Just started yesterday right after a signiture update. I had to disable the sig because it was firing so much. Freaked me out at first. I checked the IPs is was reporting on and none of them were of bad reputation. In my case, we would have internal IPs attempting contact to an external address which varied quite a bit. Wish Cisco would vet these better.

tscislaw_2 · ‎02-15-2012

Same here. Legitimate traffic being flagged. I've disabled this sig for now.

CyprusIPS · ‎02-15-2012

Anyone have an update on this?? We are seeing the same thing and it is worse today than yesterday.

hoyleanderson · ‎02-15-2012

It blew up on us. Packet captures look like it's matching on any(?) aspx. Disabled/filtered it. Signature needs to be fixed!

rupadras · ‎02-15-2012

yes, we are looking into this issue. The signature will be updated asap.

deeznuts420 · ‎02-15-2012

Yep, same issue over here. Thanks to rupadras for noting a fix is in the works.

rupadras · ‎02-16-2012

As you may have noticed, the signature was updated in S626 released last night.