New Member

IPS Tuning - Example Windows SMTP Overflow 5561

I have recently deployed a couple of IPS sensors. The sensor alarmed on sig 5561/0 (Windows SMTP Overflow).

http://tools.cisco.com/security/center/viewIpsSignature.x?signatureId=5561&signatureSubId=0&softwareVersion=6.0&releaseVersion=S339

From the link, the signature was updated in June 2008. The CVE is dated 2004 and Microsoft issued patches in 2004. Why is Cisco updating signatures for 4-year-old vulnerabilities?

Is this latest release/update for a new vulnerability?

Accepted Solutions
Cisco Employee

Re: IPS Tuning - Example Windows SMTP Overflow 5561

It was not a new vulnerability. The updated signature released in S339 coincides with the E2 engine release. 5561-0 is a meta-engine signature and the "update" that was done at the S339 release was to explicitly set an "all components required" flag to true.

Any change that changes the signature XML results in a revision/update.

Hope that helps.
