Cisco Support Community

New Member

S256 sig 5170 -- *thousands* of FPs

Thousands and thousands... apparently firing on nulls outside of uricontent. ASA5540/AIP-SSM20s. 5.1(3)S256.0.

16 REPLIES
New Member

Re: S256 sig 5170 -- *thousands* of FPs

I'm seeing "dozens" of "Null Byte in HTTP Requests" when certain users access their web-based email.

Have you heard from Cisco regarding this?

Silver

Re: S256 sig 5170 -- *thousands* of FPs

Is anybody else seeing crashes related to this sig update? S256 crashed several of our sensors just after updating. P.O.S.

Silver

Re: S256 sig 5170 -- *thousands* of FPs

Also forgot to mention that we saw upwards of 14 thousand hits on this signature in under an hour from about 8 sensors. We couldn't disable it fast enough...

New Member

Re: S256 sig 5170 -- *thousands* of FPs

No crashes - yet. Our load is low on our 4240. If I do crash, I'll post it.

New Member

Re: S256 sig 5170 -- *thousands* of FPs

No crashes yet. But we did have a problem with a number of sensors after they received S255. It looks like the default signature set is getting too big - I now have to tune and disable a number of signatures just so the hardware can cope.

New Member

Re: S256 sig 5170 -- *thousands* of FPs

Several of our sensors hung during the S256 upgrade too. Actually we aborted the update due to it.

Last line in /usr/cids/idsRoot/var/updates/logs/install.log was:

Sending signature edc.

Same for you?

Cisco Employee

Re: S256 sig 5170 -- *thousands* of FPs

I'll assume it's the -1 subsig. Can you flip verbose alert on for that sig, and provide us some of the alerts w/ verbose output. Thanks.

New Member

Re: S256 sig 5170 -- *thousands* of FPs

Sent you several in offline email.

Gold

Re: S256 sig 5170 -- *thousands* of FPs

Did Cisco ever figure this out? At least in our case, it seems to be caused by binary data in an HTTP POST. See attached for a snippet (sorry, that's all I feel comfortable giving).

New Member

Re: S256 sig 5170 -- *thousands* of FPs

Is there any update to this thread? We are also seeing thousands of events that appear to be false positives.

New Member

Re: S256 sig 5170 -- *thousands* of FPs

99% of the false positives I saw were from Yahoo Messenger notifications.

Silver

Re: S256 sig 5170 -- *thousands* of FPs

I would just do what we did; disable it across the board since it is obviously bogus.

New Member

Re: S256 sig 5170 -- *thousands* of FPs

Got alerts from CSM stating that "the sensor reports that it is running low on resources." Measure of resource utilization on the virtual sensor was 22. After disabling 5170 it's down to 0.

Cisco Employee

Re: S256 sig 5170 -- *thousands* of FPs

I just picked the last in this thread to respond to. 5170-1 is very much like 5171-0; it's looking for the exact same thing, except in the arguments instead of the URI. We are still working with the engine developers, but you can turn the sig off until the new version is released, or edit the signature and set de-obfuscate to "false". The change to the signature in the upcoming release will be the deobfuscation change. Even with the change, this signature will still fire on BitTorrent traffic, as it normally has nulls embedded in the arguments. However, in this case it would be a benign trigger and not a false positive, since the signature only looks for the embedded null, and that occurs "naturally" in BitTorrent traffic.
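A simplified model of the check described in the post above, added here as an illustration (this is not Cisco's engine code, and percent-decoding of the arguments is assumed to stand in for the sensor's de-obfuscate step). It shows why the same request fires with de-obfuscate on but not off, and why a BitTorrent announce carrying a raw null in its arguments fires either way; all request lines are constructed samples, not captured traffic.

```python
from urllib.parse import unquote_to_bytes

# Constructed sample HTTP request lines (not captured traffic).
SAMPLES = {
    # Plain webmail request: no null anywhere.
    "clean": b"GET /mail/inbox?folder=INBOX&page=2 HTTP/1.1",
    # Percent-encoded null in an argument: a null appears only after decoding.
    "encoded_null": b"GET /mail/view?id=42%00&attach=1 HTTP/1.1",
    # Tracker-style announce whose binary info_hash contains a raw 0x00 byte.
    "torrent_announce": (b"GET /announce?info_hash=\x12\x00\xab\xcd"
                         b"&peer_id=-XX0001-abcdefghijkl&port=6881 HTTP/1.1"),
    # Null in the URI path, not the arguments (out of scope for an arguments-only check).
    "null_in_path": b"GET /cgi-bin/test\x00.cgi?x=1 HTTP/1.1",
}


def split_request_target(request_line: bytes):
    """Return (path, arguments) from a request line; arguments is b'' when there is no '?'."""
    parts = request_line.split(b" ")
    if len(parts) < 2:
        raise ValueError("malformed request line")
    path, _sep, args = parts[1].partition(b"?")
    return path, args


def null_in_arguments(request_line: bytes, deobfuscate: bool) -> bool:
    """Emulate an 'embedded null in the arguments' check.

    With deobfuscate=True the arguments are percent-decoded first, so an encoded
    %00 counts as a null. With deobfuscate=False only a raw 0x00 byte matches.
    """
    _path, args = split_request_target(request_line)
    if deobfuscate:
        args = unquote_to_bytes(args)
    return b"\x00" in args


def evaluate(samples=SAMPLES) -> dict:
    """Run both configurations over every sample; returns {name: (deobfuscate_on, deobfuscate_off)}."""
    return {name: (null_in_arguments(line, True), null_in_arguments(line, False))
            for name, line in samples.items()}


if __name__ == "__main__":
    for name, (on, off) in evaluate().items():
        print(f"{name:18} de-obfuscate=true -> {on!s:5}  de-obfuscate=false -> {off}")
```

The encoded_null sample is the case the de-obfuscate change suppresses; the torrent_announce sample is the benign trigger that remains regardless of the setting.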

New Member

Re: S256 sig 5170 -- *thousands* of FPs

Hello All,

Does anyone know if 5170 was fixed in

IPS v5.1-4 or in IPS v6?

Thanks-

Cisco Employee

Re: S256 sig 5170 -- *thousands* of FPs

The false positive issue with 5170-1 was addressed in sig update s260. The major OS version doesn't matter here, just the sig update level - so S260+ has the fixed signature.
