Cisco Support Community
Community Member

New sig 5757 - Outlook cross-site scripting - lots of FPs

Receiving lots of apparent FPs for 5757. I don't see any nulls (encoded or otherwise) in the payload, and it's flagging a chunk of an SMTP conversation.

Example logged payload included.

23 REPLIES
Gold

Re: New sig 5757 - Outlook cross-site scripting - lots of FPs

It seems that perhaps a particular piece of SPAM or virus-generated email is triggering these alarms? I'm seeing LOTS of sources, but the content is similar:

evIdsAlert: eventId=1135862749444282610 vendor=Cisco severity=medium
  originator:
    hostId: 01-evlan-c1
    appName: sensorApp
    appInstanceId: 16749
  time: June 14, 2006 7:56:31 PM UTC offset=-300 timeZone=GMT-06:00
  signature: description=Microsoft Exchange Server Cross-Site Scripting id=5757 version=S232
    subsigId: 0
    sigDetails: Microsoft Exchange Server Cross-Site Scripting
  interfaceGroup:
  vlan: 0
  participants:
    attacker:
      addr: 82.125.81.103 locality=ANY
      port: 4628
    target:
      addr: 206.195.196.20 locality=GREEN_HOSTING
      port: 25
  context:
    fromTarget:
    fromAttacker:
      000000 5F 5F 5F 5F 5F 5F 5F 5F 5F 5F 5F 5F 5F 5F 5F 5F ________________
      000010 5F 5F 5F 5F 5F 5F 5F 5F 5F 5F 5F 5F 5F 5F 5F 3C _______________<
      000020 42 52 3E 54 6F 20 63 68 61 6E 67 65 20 79 6F 75 BR>To change you
      000030 72 20 3D 0D 0A 6D 61 69 6C 3D 32 30 0D 0A 20 20 r =..mail=20..
      000040 20 20 20 20 70 72 65 66 65 72 65 6E 63 65 73 2C     preferences,
      000050 20 67 6F 20 3C 41 20 3D 0D 0A 68 72 65 66 3D 33  go <A =..href=3
      000060 44 22 68 74 74 70 3A 2F 2F 31 32 31 2E 69 2D 61 D"http://121.i-a
      000070 6D 2D 68 61 70 70 79 2E 6E 65 74 2F 72 6D 2F 22 m-happy.net/rm/"
      000080 3E 68 65 72 65 3C 2F 41 3E 0D 0A 20 20 20 20 20 >here</A>..
      000090 20 3C 50 3E 3C 2F 50 3E 3C 2F 54 44 3E 3C 2F 54  <P></P></TD></T
      0000A0 52 3E 3C 2F 54 42 4F 44 59 3E 3C 2F 54 41 42 4C R></TBODY></TABL
      0000B0 45 3E 3C 2F 43 45 4E 54 45 52 3E 3C 2F 42 4F 44 E></CENTER></BOD
      0000C0 59 3E 3C 2F 48 54 4D 4C 3E 0D 0A 0D 0A 0D 0A 2D Y></HTML>......-
      0000D0 2D 2D 2D 2D 2D 3D 5F 4E 65 78 74 50 61 72 74 5F -----=_NextPart_
      0000E0 30 30 30 5F 30 30 30 30 5F 39 36 32 46 34 39 31 000_0000_962F491
      0000F0 35 2E 39 35 31 41 34 39 33 35 2D 2D 0D 0A 0D 0A 5.951A4935--....
  riskRatingValue: 30
  interface: ge0_0
  protocol: tcp
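The original poster's triage question ("I don't see any nulls, encoded or otherwise") can be automated against the alert context above. The following Python script is an added example for this thread, not Cisco's signature logic and not code from anyone in the discussion: it rebuilds the raw bytes from the evIdsAlert hex dump (trusting only the hex column, since the forum rendering strips HTML tags from the ASCII column), undoes the MIME quoted-printable encoding that the payload visibly uses (the `=\r\n` soft line breaks, `=3D`, `=20`), and then checks for a list of indicators. Which indicators signature 5757 actually matches on is not stated in the thread, so the indicator list (NUL bytes in several encodings, `<script>`, `javascript:` URLs, inline event handlers) is my own assumption of what an analyst would look for. The hex dump is the one from the alert above; the second sample (`SUSPICIOUS_SAMPLE`) is constructed to show what a hit looks like.

```python
"""Triage an IPS 'fromAttacker' hex dump for cross-site-scripting indicators.

Added example for the sig 5757 thread.  Not Cisco's signature logic; the
indicator list is an assumption about what is worth checking, not what 5757
actually matches on.
"""
import re
import quopri

# Hex dump copied from the evIdsAlert posted in the thread.  Only the hex
# column is parsed; the ASCII column is rebuilt from it and kept for reading.
ALERT_HEXDUMP = """\
000000 5F 5F 5F 5F 5F 5F 5F 5F 5F 5F 5F 5F 5F 5F 5F 5F ________________
000010 5F 5F 5F 5F 5F 5F 5F 5F 5F 5F 5F 5F 5F 5F 5F 3C _______________<
000020 42 52 3E 54 6F 20 63 68 61 6E 67 65 20 79 6F 75 BR>To change you
000030 72 20 3D 0D 0A 6D 61 69 6C 3D 32 30 0D 0A 20 20 r =..mail=20..
000040 20 20 20 20 70 72 65 66 65 72 65 6E 63 65 73 2C     preferences,
000050 20 67 6F 20 3C 41 20 3D 0D 0A 68 72 65 66 3D 33  go <A =..href=3
000060 44 22 68 74 74 70 3A 2F 2F 31 32 31 2E 69 2D 61 D"http://121.i-a
000070 6D 2D 68 61 70 70 79 2E 6E 65 74 2F 72 6D 2F 22 m-happy.net/rm/"
000080 3E 68 65 72 65 3C 2F 41 3E 0D 0A 20 20 20 20 20 >here</A>..
000090 20 3C 50 3E 3C 2F 50 3E 3C 2F 54 44 3E 3C 2F 54  <P></P></TD></T
0000A0 52 3E 3C 2F 54 42 4F 44 59 3E 3C 2F 54 41 42 4C R></TBODY></TABL
0000B0 45 3E 3C 2F 43 45 4E 54 45 52 3E 3C 2F 42 4F 44 E></CENTER></BOD
0000C0 59 3E 3C 2F 48 54 4D 4C 3E 0D 0A 0D 0A 0D 0A 2D Y></HTML>......-
0000D0 2D 2D 2D 2D 2D 3D 5F 4E 65 78 74 50 61 72 74 5F -----=_NextPart_
0000E0 30 30 30 5F 30 30 30 30 5F 39 36 32 46 34 39 31 000_0000_962F491
0000F0 35 2E 39 35 31 41 34 39 33 35 2D 2D 0D 0A 0D 0A 5.951A4935--....
"""

# Constructed counter-example (not from the thread): the same kind of HTML
# mail fragment, but carrying an inline event handler and a quoted-printable
# encoded NUL byte (=00).
SUSPICIOUS_SAMPLE = (
    b'<A href=3D"http://example.invalid/x" onmouseover=3D"x()">here</A>=00'
)

# offset (6 hex digits) followed by at most 16 hex byte pairs.  The cap of 16
# keeps the ASCII column from being read as data; on a short final line an
# ASCII column that happens to start with two hex characters would still be
# ambiguous, which is inherent to this dump format.
HEX_LINE = re.compile(r"^([0-9A-Fa-f]{6})((?:\s+[0-9A-Fa-f]{2}){1,16})")


def parse_hexdump(text: str) -> bytes:
    """Rebuild the raw payload bytes from an evIdsAlert-style hex dump."""
    payload = bytearray()
    for line in text.splitlines():
        match = HEX_LINE.match(line.strip())
        if match:
            payload += bytes.fromhex(match.group(2))  # fromhex ignores whitespace
    return bytes(payload)


NULL_INDICATORS = {
    "raw NUL byte": re.compile(rb"\x00"),
    "percent-encoded NUL (%00)": re.compile(rb"%00", re.I),
    "quoted-printable NUL (=00)": re.compile(rb"=00"),
    "HTML-entity NUL (&#0; / &#x0;)": re.compile(rb"&#(?:0+|x0+);", re.I),
}
SCRIPT_INDICATORS = {
    "<script> tag": re.compile(rb"<\s*script\b", re.I),
    "javascript: URL": re.compile(rb"javascript\s*:", re.I),
    "inline event handler (on...=) inside a tag": re.compile(rb"<[^>]*\bon[a-z]+\s*=", re.I),
}
URL_RE = re.compile(rb'https?://[^\s"<>]+', re.I)


def triage(raw: bytes) -> dict:
    """Check the payload before and after quoted-printable decoding."""
    # Undo MIME quoted-printable: '=3D' -> '=', '=20' -> ' ', '=\r\n' removed.
    decoded = quopri.decodestring(raw)
    views = (raw, decoded)
    nulls = [n for n, p in NULL_INDICATORS.items() if any(p.search(v) for v in views)]
    scripts = [n for n, p in SCRIPT_INDICATORS.items() if any(p.search(v) for v in views)]
    urls = sorted({m.decode("ascii", "replace") for m in URL_RE.findall(decoded)})
    # Absence of these crude indicators is not proof of benign content; it
    # only says the payload lacks what this list looks for.
    verdict = "needs analyst review" if (nulls or scripts) else "no XSS indicators found"
    return {"decoded": decoded, "null_indicators": nulls,
            "script_indicators": scripts, "urls": urls, "verdict": verdict}


if __name__ == "__main__":
    for label, raw in (("alert from thread", parse_hexdump(ALERT_HEXDUMP)),
                       ("constructed sample", SUSPICIOUS_SAMPLE)):
        result = triage(raw)
        print(f"== {label}: {result['verdict']}")
        print("  NUL indicators:   ", result["null_indicators"] or "none")
        print("  script indicators:", result["script_indicators"] or "none")
        print("  URLs:             ", result["urls"] or "none")
```

Run as a script it reports the thread's alert as carrying no NUL bytes in any of the checked encodings and no script indicators, only the plain `<A href="http://121.i-am-happy.net/rm/">here</A>` link left after quoted-printable decoding, while the constructed sample trips both the NUL and event-handler checks. Searching both the raw and the decoded views matters: `=00` is invisible to a raw-NUL check until the quoted-printable layer is removed, and a signature that inspects only one of the two views will disagree with an analyst looking at the other.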

Gold

Re: New sig 5757 - Outlook cross-site scripting - lots of FPs

Attached is a trace and the corresponding alarm.

Cisco Employee

Re: New sig 5757 - Outlook cross-site scripting - lots of FPs

Thank you for reporting the false positives to us. We are looking into this. We will update you soon.

Community Member

Re: New sig 5757 - Outlook cross-site scripting - lots of FPs

Is it appropriate to report FPs here?

It seems a little overkill opening a TAC case for each one, but wasn't sure what was appropriate.

Gold

Re: New sig 5757 - Outlook cross-site scripting - lots of FPs

I do all the time. The IPS forum seems like the perfect place to talk about false positives...they affect us all. There are a couple of Cisco signature engineers that frequent here. It may not be appropriate but it seems as effective as opening a TAC case and a heck of a lot less painful.

Cisco Employee

Re: New sig 5757 - Outlook cross-site scripting - lots of FPs

We (signature team) watch the forum... this is a great place to bring up FPs. Since it's usually direct to us, it can be addressed a little quicker.

In cases where we may need to see a traffic sample, all of us have PGP keys out there, so you can encrypt and send... someone off the team will make it a point to include an/their email address, and you can pull the key that way.

No problem posting it here ... it ends up in our hands either way.

Cisco Employee

Re: New sig 5757 - Outlook cross-site scripting - lots of FPs

We have identified the problem and are working on the fix. The modified signature will be released in S234.

Community Member

Re: New sig 5757 - Outlook cross-site scripting - lots of FPs

There still seem to be issues with this signature. Context:

3gUINCg==..
----7610725449481671369--
.
250 Ok: queued as 8122051E4A
QUIT
221 Bye

Cisco Employee

Re: New sig 5757 - Outlook cross-site scripting - lots of FPs

I'll assume you are running at least s234 based on the reply... If this is happening on a frequent basis, can you clip and send us the entire alert context (including the hex dump displayed)? You can email directly to me at wsulym@cisco.com. You can also PGP encrypt it if you'd like.

Community Member

Re: New sig 5757 - Outlook cross-site scripting - lots of FPs

Yes, s235.

I've emailed the pcap.

Community Member

Re: New sig 5757 - Outlook cross-site scripting - lots of FPs

Any updates on this? I'm seeing over 10k events.

Community Member

Re: New sig 5757 - Outlook cross-site scripting - lots of FPs

I sent a few pcaps to Cisco/wsulym. He confirmed them as false positives. But since they looked suspect (probably spam emails) it is unlikely that there will be an update for the signature.

There is another thread with a similar problem:

http://forum.cisco.com/eforum/servlet/NetProf?page=netprof&forum=Security&topic=Intrusion%20Prevention%20Systems/IDS&CommCmd=MB%3Fcmd%3Ddisplay_location%26location%3D.1ddb8484

I'd really like to see more quality signatures based on the actual exploit and less based on protocol abnormalities.

Cisco Employee

Re: New sig 5757 - Outlook cross-site scripting - lots of FPs

There is something in the works for this, but I need to verify that the change won't introduce a false negative.

Community Member

Re: New sig 5757 - Outlook cross-site scripting - lots of FPs

It's been a month. Any news?
