Cisco Support Community

New Member

DHL-USA.com <P>Microsoft Internet Explorer Method Parameter Validation Vuln

I just started receiving this message today whenever a user accesses the DHL website.

199.41.238.32/0 --> 10.30.99.18/0 TCP <P>Microsoft Internet Explorer Method Parameter Validation Vulnerability</P>,NR-7427/0,Time:1229629119,Risk Rating:100,VLAN:0,Action:sd:droppedPacket cid:deniedFlow cid:tcpOneWayResetSent

Is this implying that the DHL-USA website has been compromised by the recent IE vulnerability?
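An added example, not part of the original thread: Python that splits the alert line quoted in the post above into named fields, so repeated alerts can be counted per signature and source host when judging a possible false positive. The field names and the regex are assumptions inferred from that single line, not a Cisco-documented format.

```python
import re
from collections import Counter
from datetime import datetime, timezone

# Alert line copied from the post above. Field meanings are assumptions
# inferred from this one line; the "/0" after each address is not interpreted.
ALERT = ("199.41.238.32/0 --> 10.30.99.18/0 TCP <P>Microsoft Internet Explorer "
         "Method Parameter Validation Vulnerability</P>,NR-7427/0,Time:1229629119,"
         "Risk Rating:100,VLAN:0,Action:sd:droppedPacket cid:deniedFlow "
         "cid:tcpOneWayResetSent")

ALERT_RE = re.compile(
    r"^(?P<src>[\d.]+)/\d+ --> (?P<dst>[\d.]+)/\d+ (?P<proto>\S+) "
    r"(?P<name>.*?),\w+-(?P<sig>\d+)/(?P<subsig>\d+),"
    r"Time:(?P<time>\d+),Risk Rating:(?P<rr>\d+),VLAN:(?P<vlan>\d+),"
    r"Action:(?P<actions>.*)$"
)

def parse_alert(line):
    """Return the alert's fields as a dict; raise ValueError on other formats."""
    m = ALERT_RE.match(line.strip())
    if m is None:
        raise ValueError("unrecognised alert format")
    f = m.groupdict()
    when = datetime.fromtimestamp(int(f["time"]), tz=timezone.utc)
    return {
        "src": f["src"],
        "dst": f["dst"],
        "proto": f["proto"],
        "name": re.sub(r"</?P>", "", f["name"]),      # drop the <P> markup
        "signature": f"{f['sig']}/{f['subsig']}",     # e.g. "7427/0"
        "time_utc": when.isoformat(),
        "risk_rating": int(f["rr"]),
        "vlan": int(f["vlan"]),
        # "sd:droppedPacket" -> "droppedPacket"; the prefix is discarded
        "actions": [a.split(":", 1)[-1] for a in f["actions"].split()],
    }

def tally(lines):
    """Count alerts per (signature, source address), skipping unparsable lines."""
    counts = Counter()
    for line in lines:
        try:
            alert = parse_alert(line)
        except ValueError:
            continue
        counts[(alert["signature"], alert["src"])] += 1
    return counts

if __name__ == "__main__":
    print(parse_alert(ALERT))
```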

4 REPLIES
Silver

Re: DHL-USA.com <P>Microsoft Internet Explorer Method Parameter

Traffic from web server was hitting event action override and adding a block. Make effect action filter that was tuned to remove the block and everything will work.

New Member

Re: DHL-USA.com <P>Microsoft Internet Explorer Method Parameter

Also been seeing these recently here. The trigger packets on the IPS all appear to be JavaScript related. However, since we can't view the regex in the sig, it's difficult to determine what exactly the sig is firing on.

Masked regexes in the sigs are really a huge pain; it makes determining false positives much more difficult.

New Member

Re: DHL-USA.com <P>Microsoft Internet Explorer Method Parameter

Could you confirm the Signature ID so that we can look into this further?

New Member

Re: DHL-USA.com <P>Microsoft Internet Explorer Method Parameter

I too can confirm 7427/0 on DHL sites.

A Cisco Security Center search on the signature still finds that, "There are no known benign triggers."

Can Cisco look into this?
