I'm seeing "dozens" of "Null Byte in HTTP Requests" when certain users access their web-based email.
Have you heard from Cisco regarding this?
Also forgot to mention that we saw upwards of 14 thousand hits on this signature in under an hour from about 8 sensors. We couldn't disable it fast enough...
No crashes yet. But we did have a problem with a number of sensors after they received S255. It looks like the default signature set is getting too big - I now have to tune and disable a number of signatures just so the hardware can cope.
Several of our sensors hung during the S256 upgrade too. Actually we aborted the update due to it.
Last line in /usr/cids/idsRoot/var/updates/logs/install.log was:
Sending signature edc.
Same for you?
I'll assume it's the -1 subsig. Can you flip verbose alert on for that sig, and provide us some of the alerts w/ verbose output. Thanks.
Got alerts from CSM stating that "the sensor reports that it is running low on resources." Measure of resource utilization on the virtual sensor was 22. After disabling 5170 it's down to 0.
I just picked the last in this thread to respond to. 5170-1 is very much like 5171-0, it's looking for the exact same thing except in the arguments instead of the URI. We are still working with the engine developers, but you can turn the sig off until the new version is released, or edit the signature and set de-obfuscate to "false". The change to the signature in the upcoming release will be the deobfuscation change. Even with the change, this signature will still fire on BitTorrent traffic, as it normally has nulls embedded in the arguments, however in this case it would be a benign trigger and not a false positive since the signature only looks for the embedded null, and that occurs "naturally" in BitTorrent traffic.
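To make the URI-vs-arguments distinction and the de-obfuscate setting concrete, here is an added example (not code from the thread, and not Cisco's engine) that models the two checks as a small Python detector. The percent-decoding step stands in for the sensor's de-obfuscation and is an assumption about how that setting behaves; the signature IDs are taken from the thread, and the sample requests (a webmail request with an encoded null in its arguments, a BitTorrent announce with raw null bytes in info_hash, a request with a null in the path, and a clean one) are constructed for the demo.

```python
# Added example: models sig 5171-0 (null in URI path) and 5170-1 (null in
# URI arguments) as a simple request-line inspector, with the sensor's
# "de-obfuscate" setting modelled as optional percent-decoding (assumption).

SIG_5171_0 = "5171-0"  # null byte found in the URI path
SIG_5170_1 = "5170-1"  # null byte found in the URI arguments (query string)


def percent_decode(raw: bytes) -> bytes:
    """Decode %XX sequences into raw bytes; malformed escapes are left as-is.

    This stands in for the IDS de-obfuscation step (assumption): with it on,
    an encoded %00 becomes a real null and the signature sees it.
    """
    out = bytearray()
    i = 0
    while i < len(raw):
        if raw[i:i + 1] == b"%" and i + 2 < len(raw):
            try:
                out.append(int(raw[i + 1:i + 3].decode("ascii"), 16))
                i += 3
                continue
            except ValueError:  # not a valid hex pair, keep the literal '%'
                pass
        out.append(raw[i])
        i += 1
    return bytes(out)


def inspect_request(request: bytes, deobfuscate: bool = True) -> list:
    """Return the signature IDs that would fire on the request line."""
    request_line = request.split(b"\r\n", 1)[0]
    parts = request_line.split(b" ")
    if len(parts) < 2:
        return []
    target = parts[1]
    path, _, query = target.partition(b"?")
    if deobfuscate:
        path, query = percent_decode(path), percent_decode(query)
    hits = []
    if b"\x00" in path:
        hits.append(SIG_5171_0)
    if b"\x00" in query:
        hits.append(SIG_5170_1)
    return hits


def compare_modes(request: bytes) -> dict:
    """Show what fires with de-obfuscate on versus off for one request."""
    return {
        "deobfuscate_true": inspect_request(request, deobfuscate=True),
        "deobfuscate_false": inspect_request(request, deobfuscate=False),
    }


# Constructed sample traffic for the demo (not captured data).
WEBMAIL_REQUEST = (
    b"GET /mail/read?id=42&sess=abc%00def HTTP/1.1\r\n"
    b"Host: webmail.example\r\n\r\n"
)
# BitTorrent announce with raw (unencoded) nulls inside info_hash, matching
# the thread's description of nulls occurring "naturally" in the arguments.
BITTORRENT_REQUEST = (
    b"GET /announce?info_hash=\x12\x00\xab\xcd\x00garbage&peer_id=-XX0001-abcdef"
    b"&port=6881 HTTP/1.1\r\nHost: tracker.example\r\n\r\n"
)
URI_NULL_REQUEST = b"GET /cgi-bin/foo%00.cgi HTTP/1.0\r\nHost: www.example\r\n\r\n"
CLEAN_REQUEST = b"GET /index.html?lang=en HTTP/1.1\r\nHost: www.example\r\n\r\n"


if __name__ == "__main__":
    for name, req in [("webmail", WEBMAIL_REQUEST),
                      ("bittorrent", BITTORRENT_REQUEST),
                      ("uri-null", URI_NULL_REQUEST),
                      ("clean", CLEAN_REQUEST)]:
        print(name, compare_modes(req))
```

Running it shows the behaviour the thread describes: the webmail request only trips 5170-1 while de-obfuscation decodes the %00, so setting de-obfuscate to false silences that trigger; the BitTorrent announce trips 5170-1 in both modes because the null bytes are literally present in the arguments, which is the benign trigger rather than a false positive.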
The false positive issue with 5170-1 was addressed in sig update s260. The major OS version doesn't matter here, just the sig update level - so S260+ has the fixed signature.