This is a brand new signature that I have not seen before, with little info available, other than a few lines in Cisco MySDN.
It states that:
"This signature fires upon detecting an Internet Explorer Zone Bypass exploit, using Media Player to silently execute a Windows Media Advanced Systems Format (ASF) file in the Local Zone of the vulnerable system.
IOS not supported.
There are no known benign triggers".
I have tried researching the normal channels, google, MySDN and this forum.
Has anyone got any additional info about the cause and effect of this alert?
I have been discussing this with my colleagues and I am going to raise a TAC case. It seems to be the general consensus that any signature that fires with only a source IP (1-way) is a problem. I used to think that this was how it was, and that some signatures, by default, don't display a destination IP. I am beginning to think that this might be a bug of sorts??
How can we effectively report to our clients, network activity without a destination?
Signature 5498-0 is a meta signature with two sub-components, signatures 5500-0 and 5501-0. Their descriptions follow.
This signature fires upon detecting an Internet Explorer Zone Bypass exploit, using Media Player to silently execute a Windows Media Advanced Systems Format (ASF) file in the Local Zone of the vulnerable system.
This signature fires upon detecting ActiveX ADODB stream in return HTTP traffic.
This signature is a component of meta-signature 5498-0 and has no event-actions of its own defined.
The vulnerability itself is addressed by MS03-040.
What the signatures look for as a whole is return web traffic indicating the execution of an .asp file and an ActiveX object of type ADODB Stream.
You can read more about this vulnerability at the following links:
Just as a little more detail... 5498-0, the ip address presented in the alert, is the source web server, serving what is possibly a malicious file. Now I (and this is a personal opinion) wouldn't care about the victim, since the victim is the client connecting to the web server. Your opinion on that may be different, and it appears to be, since you do want that information. That's an easy change, edit the signature and change the meta-key to AxBx (attacker & victim addresses) - now your alert will contain the attacker (which would be the server) and the victim (which is the client making that connection).
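As an added illustration (not Cisco IPS code, and not from either poster), the model below shows how a meta signature like 5498-0 could correlate its components 5500-0 and 5501-0 under an attacker-only key versus the AxBx key mentioned above; the addresses and the key names `Ax`/`AxBx` as grouping semantics are constructed assumptions.

```python
"""Illustrative model of meta-signature correlation under two meta-keys:
Ax (attacker address only) and AxBx (attacker and victim addresses).
This is an assumption about how such keys behave, not Cisco's implementation."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Alert:
    sig_id: str    # component signature id (e.g. "5500-0")
    attacker: str  # address the component attributes the attack to (web server)
    victim: str    # peer address in the same flow (client)


COMPONENTS = {"5500-0", "5501-0"}  # components of meta signature 5498-0


def meta_key(alert, key_type):
    """Grouping key for a component alert: Ax groups by attacker only,
    AxBx groups by attacker and victim together."""
    if key_type == "Ax":
        return (alert.attacker,)
    if key_type == "AxBx":
        return (alert.attacker, alert.victim)
    raise ValueError(f"unsupported meta-key {key_type!r}")


def correlate(alerts, key_type="Ax"):
    """Return the 5498-0 meta alerts produced from a stream of component alerts.
    A meta alert fires once every component has been seen under the same key.
    With Ax the victim is None: the key never carried it, so the meta alert
    cannot say which client received the page (the 1-way alert in the thread)."""
    seen = defaultdict(set)
    fired = []
    for a in alerts:
        if a.sig_id not in COMPONENTS:
            continue
        k = meta_key(a, key_type)
        seen[k].add(a.sig_id)
        if seen[k] == COMPONENTS:
            fired.append({"sig_id": "5498-0", "attacker": a.attacker,
                          "victim": a.victim if key_type == "AxBx" else None})
            seen[k].clear()  # reset so a later complete set fires again
    return fired


# Constructed sample: one web server answering two different clients.
SAMPLE = [
    Alert("5500-0", "198.51.100.10", "192.0.2.20"),
    Alert("5501-0", "198.51.100.10", "192.0.2.21"),  # other client
    Alert("5501-0", "198.51.100.10", "192.0.2.20"),
]
```

With the Ax key the meta alert fires on the second alert even though it belongs to a different client, which is exactly why the victim cannot be reported; with AxBx it fires only once both components are seen for the same server/client pair.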