Cisco Support Community

New Member

Signature 31020 appears to be alerting to a massive amount of false positives

Has anyone else ran into an issue with sig 31020 alerting to false positives?

7 REPLIES
New Member

Re: Signature 31020 appears to be alerting to a massive amount o

Hi. I see the same situation in my LAN environment, especially between Windows Servers. No information about possible benign triggers. It's a fresh signature (S527) so I guess a little tuning from Cisco can be expected.

Best regards,

Marko

New Member

Re: Signature 31020 appears to be alerting to a massive amount o

Thank you for the reply. Hopefully they tune it sooner than later. We're getting way too many alerts.

-Cory

Cisco Employee

Re: Signature 31020 appears to be alerting to a massive amount o

It is very important to check if this traffic is matching against the signature. Take a packet capture of the traffic and share it with us so we can check if the signature is being triggered for no reason.

Cheers

Mike.

New Member

Re: Signature 31020 appears to be alerting to a massive amount o

Hi,

Maykol.

I'm attaching two captured flows (log pair command on IPS) which triggered alarm 31020.

Best regards,

Marko

Cisco Employee

Re: Signature 31020 appears to be alerting to a massive amount o

Marko,

Thanks for the packet capture. I was taking a look at them and I found out that in Frame 36 on capture sig31020-1 the user given is (/), which may be considered a Null username by the IPS. Is there a reason as to why users are being logged as (/)?

Here is the link that explains about the signature

http://tools.cisco.com/security/center/viewIpsSignature.x?signatureId=31020&signatureSubId=0

Let me know.

Cheers.

Mike

New Member

Re: Signature 31020 appears to be alerting to a massive amount o

Thank you for your answer.

I really don't know the answer. I'll try to find out the reason for this but I have not much hope to find the answer.

Best regards,

Marko

New Member

Re: Signature 31020 appears to be alerting to a massive amount o

This fires all the time for us now. Cisco reports that this sig replaced sig 5577/1. 5577/1 has almost never fired on us. Now 31020 fires from hundreds of sources each day.

What changed from 5577/1 to 31020/0?

Is Cisco looking into this?
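The last post describes the practical symptom of a noisy replacement signature: a signature that had almost never fired (5577/1) is superseded by one (31020/0) that now fires from hundreds of distinct sources a day. Before asking the vendor to tune it, the usual triage is to count distinct sources per signature and compare against the pre-update baseline, so that candidates for benign-trigger review stand out. The script below is an added example, not code from the thread or from Cisco; the `sigId=... subSigId=... src=... dst=...` line format and all alert lines are constructed for the example, and a real sensor export will need the regex adapted.

```python
"""Added example (not from the thread): triage IPS alerts by signature and
distinct source count, to spot a signature that replaced a quiet one and
now fires from many hosts. The log format below is constructed."""
from collections import defaultdict
import re

# Constructed sample lines in an assumed "key=value" style; real IPS event
# exports differ, so adapt LINE_RE to your sensor's format.
SAMPLE_ALERTS = """\
sigId=31020 subSigId=0 src=10.1.1.10 dst=10.1.1.5
sigId=31020 subSigId=0 src=10.1.1.11 dst=10.1.1.5
sigId=31020 subSigId=0 src=10.1.1.12 dst=10.1.1.6
sigId=31020 subSigId=0 src=10.1.1.10 dst=10.1.1.6
sigId=5577 subSigId=1 src=10.1.2.50 dst=10.1.1.5
sigId=3030 subSigId=0 src=10.1.3.7 dst=10.1.1.9
"""

LINE_RE = re.compile(r"sigId=(\d+) subSigId=(\d+) src=(\S+) dst=(\S+)")


def parse_alerts(text):
    """Yield (sig, subsig, src, dst) tuples; lines that do not match are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m.group(1), m.group(2), m.group(3), m.group(4)


def sources_per_signature(text):
    """Map 'sig/subsig' -> set of distinct source addresses that triggered it."""
    seen = defaultdict(set)
    for sig, sub, src, _dst in parse_alerts(text):
        seen[f"{sig}/{sub}"].add(src)
    return seen


def noisy_signatures(text, baseline, min_ratio=3, min_sources=3):
    """Return signature IDs whose distinct-source count is at least
    min_sources and at least min_ratio times the baseline count.

    baseline: dict of 'sig/subsig' -> distinct sources seen before the
    signature update (constructed by the caller from older logs).
    The result is the list of signatures worth a benign-trigger review
    and a packet capture, as suggested earlier in the thread.
    """
    current = sources_per_signature(text)
    flagged = []
    for sig, srcs in current.items():
        before = baseline.get(sig, 0)
        if len(srcs) >= min_sources and len(srcs) >= min_ratio * max(before, 1):
            flagged.append(sig)
    return sorted(flagged)


if __name__ == "__main__":
    # Constructed baseline: the old signature fired from a single host.
    print(noisy_signatures(SAMPLE_ALERTS, {"5577/1": 1}))
```

The thresholds are deliberately conservative defaults; the point is to rank by distinct sources rather than raw alert count, since a single chatty host inflates counts without indicating a broad false-positive pattern, whereas many servers tripping the same signature (as reported in the thread) usually does.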
