Cisco Support Community
New Member

sig 5894 - subsig 0 -> false positives

I have a lot of false positives of signature 5894 ("Storm Worm") in Subsignature 0 - especially from host "static.ak.studivz.net".

The signature definition is just looking for "Server: ngin" in HTTP downloads, which is really unspecific from my point of view.

What do you think about this signature?

6 REPLIES
Cisco Employee

Re: sig 5894 - subsig 0 -> false positives

The s298 version of the signature will trigger on traffic from that site. That site runs nginx v0.5.10.

The s299 version of the same signature released August 28 will not as it more closely constrains the signature to the version of nginx associated with web servers hosting the various trojan binaries.

Gold

Re: sig 5894 - subsig 0 -> false positives

This signature is still susceptible to false positives and I have seen many. A fidelity rating of 90 is hardly accurate when all you're doing is checking for an HTTP SERVER header that is used by a legitimate and freely available web server. Is there any way you could tighten it up by also checking the CONTENT TYPE?

Gold

Re: sig 5894 - subsig 0 -> false positives

Also, it appears that the 5894-0 has benign triggers caused by DNS queries. I haven't had an opportunity to get a trace, but queries from our mail server to our DNS server have triggered this signature.

New Member

Re: sig 5894 - subsig 0 -> false positives

We are seeing the same issue for 5894-1 on our DNS traffic. Given that the sig appears to simply look for one of several hex combos (regex = \xe3[\x0a-\x0f]) occurring in any UDP session... it is not really unexpected that there will be quite a few 'random' triggers on DNS. As usual - the determination becomes whether to accept the 'noise' or filter. Our DNS hits are low enough that we chose to accept it as is.
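Added example, not Cisco's signature engine or any poster's code: a Python re-implementation of the two checks this thread describes (the "Server: ngin" header match for subsig 0 and the \xe3[\x0a-\x0f] UDP regex for subsig 1), the header-plus-Content-Type check one reply asks for, and the expected false-positive rate of the UDP regex over random payload bytes. The nginx version string, the set of "suspect" versions and the sample HTTP/DNS packets are constructed assumptions.

```python
import re

# Re-implementation of the checks described in the thread (not Cisco's engine).
SUBSIG0 = re.compile(rb"Server: ngin", re.IGNORECASE)   # subsig 0: HTTP header only
SUBSIG1 = re.compile(rb"\xe3[\x0a-\x0f]")               # subsig 1: any UDP payload

def subsig0_fires(http_response: bytes) -> bool:
    """Original subsig 0: fires on every nginx-served response, benign or not."""
    return SUBSIG0.search(http_response) is not None

def tightened_fires(http_response: bytes, suspect_versions, binary_types) -> bool:
    """Tighter rule: Server header must be a version tied to the trojan hosts AND
    the Content-Type must be a binary download type (the reply's suggestion)."""
    head = http_response.partition(b"\r\n\r\n")[0]
    headers = {}
    for line in head.split(b"\r\n")[1:]:          # skip the status line
        name, _, value = line.partition(b":")
        headers[name.strip().lower()] = value.strip()
    ctype = headers.get(b"content-type", b"").split(b";")[0].strip().lower()
    return headers.get(b"server") in suspect_versions and ctype in binary_types

def subsig1_fires(udp_payload: bytes) -> bool:
    return SUBSIG1.search(udp_payload) is not None

def random_udp_fp_rate(payload_len: int) -> float:
    """Chance that uniformly random bytes contain 0xE3 followed by 0x0A-0x0F:
    6 of the 65536 two-byte values match, tested at every adjacent pair."""
    p = 6 / 65536
    return 1 - (1 - p) ** (payload_len - 1)

# Constructed samples. The "bad" nginx version is a placeholder; the thread
# does not name the version s299 constrains the signature to.
LEGIT_HTML = (b"HTTP/1.1 200 OK\r\nServer: nginx/0.5.10\r\n"
              b"Content-Type: text/html; charset=utf-8\r\n\r\n<html></html>")
SUSPECT_EXE = (b"HTTP/1.1 200 OK\r\nServer: nginx/0.X.Y\r\n"
               b"Content-Type: application/octet-stream\r\n\r\nMZ\x90\x00")
# DNS response for www.example.com whose 4-byte TTL is 0x0000e30c (58124 s):
# the TTL bytes \xe3\x0c alone satisfy the subsig 1 regex.
DNS_ANSWER = (b"\x12\x34\x81\x80\x00\x01\x00\x01\x00\x00\x00\x00"
              b"\x03www\x07example\x03com\x00\x00\x01\x00\x01"
              b"\xc0\x0c\x00\x01\x00\x01\x00\x00\xe3\x0c\x00\x04\xc0\x00\x02\x01")

if __name__ == "__main__":
    bad = ({b"nginx/0.X.Y"}, {b"application/octet-stream"})
    print("subsig 0 on benign page :", subsig0_fires(LEGIT_HTML))           # True
    print("tightened on benign page:", tightened_fires(LEGIT_HTML, *bad))   # False
    print("subsig 1 on DNS reply   :", subsig1_fires(DNS_ANSWER))           # True
    print(f"random 512-byte UDP FP rate: {random_udp_fp_rate(512):.2%}")
```

The last line shows why the subsig 1 regex is noisy on its own: a single 512-byte random UDP payload has roughly a 4.6% chance of containing the pattern, so a busy DNS server will produce triggers constantly.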

New Member

Re: sig 5894 - subsig 0 -> false positives

By default it's configured to look at traffic on #WEBPORTS and 53/tcp and/or 53/udp is not part of the #WEBPORTS listing.

New Member

Re: sig 5894 - subsig 0 -> false positives

Hi,

I have noticed this also in my infrastructure.

DNS 53/tcp traffic between 2 Unix servers generates events for 5894.0.

I have opened TAC # 606829027 just before checking the forum...
