Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements
Step-by-Step Configuration and Troubleshooting Best Practices for the NGFW, NGIPS and AMP Technologies A Visual Guide to the Cisco Firepower Threat Defense (FTD)
Community Member

Signature 41846/1 matches on Adobe Site

Hi, today I've been noticing that a new signature 41846/1 started matching on differents IPs belonging to

Adobe Systems Inc.  or ThePlanet.com Internet Services, Inc.

Here I post some event detected by the IPS:

Severity

Date


Time

Sig. Name

Sig. ID

Attacker   IP

Victim   IP

Vicitm   Port

Threat   Rating

Risk   Rating

High

02/15/2012

08:56:26

Generic   Cross Site Scripting Attack

41846/1

1.2.3.4

66.235.132.152

80

60

95

High

02/15/2012

08:56:27

Generic   Cross Site Scripting Attack

41846/1

1.2.3.4

66.235.134.160

80

60

95

High

02/15/2012

08:56:27

Generic   Cross Site Scripting Attack

41846/1

1.2.3.4

66.235.139.121

80

60

95

High

02/15/2012

09:00:38

Generic   Cross Site Scripting Attack

41846/1

1.2.3.4

66.235.132.152

80

60

95

High

02/15/2012

09:00:38

Generic   Cross Site Scripting Attack

41846/1

1.2.3.4

66.235.134.160

80

60

95

The attacker IP "1.2.3.4. would be the proxy's IP.

Analyzing the proxy's log, I've seen that a lot of different computers from my network are trying to reach Adobe's sites to download a new version or update, i.e.:

GET   http://swupmf.adobe.com/manifest/50/win/AdobeUpdater.upd HTTP/1.1

GET   http://armmf.adobe.com/arm-manifests/win/Reader9Manifest.msi HTTP/1.1

GET   http://armdl.adobe.com/pub/adobe/reader/win/9.x/9.5.0/es_ES/AdbeRdr950_es_ES.exe   HTTP/1.1

So my first question is why the attempt to reach Adobe's site is matching an IPS signature related to a Cross Site Scripting attempt.

As I've reasearched, signature 41846/1 has been released in order to attend CVE-2012-0017: "Cross-site scripting (XSS) vulnerability in inplview.aspx in Microsoft SharePoint Foundation 2010 Gold and SP1 allows remote attackers to inject arbitrary web script or HTML via JavaScript sequences in a URL, aka "XSS in inplview.aspx Vulnerability."

Then, my second question would be how is Adobe's site related to CVE-2012-0017

Thanks.

Regards, Dana

Everyone's tags (4)
1 ACCEPTED SOLUTION

Accepted Solutions
Community Member

Signature 41846/1 matches on Adobe Site

Hi Dana,

You and I must have been posting at the same time.  We noticed an issue with this signature on one of our sensor's this morning after S625 was applied.  The "attacker" addresses are all internal and the "target" addresses are all over the board, some internal and some external.  I had to disable this because it was triggering so often, 128 times in the last hour alone.  Hopefully the Cisco folks can take a look at this and release an update soon.

10 REPLIES
Community Member

Signature 41846/1 matches on Adobe Site

Hi Dana,

You and I must have been posting at the same time.  We noticed an issue with this signature on one of our sensor's this morning after S625 was applied.  The "attacker" addresses are all internal and the "target" addresses are all over the board, some internal and some external.  I had to disable this because it was triggering so often, 128 times in the last hour alone.  Hopefully the Cisco folks can take a look at this and release an update soon.

Community Member

Signature 41846/1 matches on Adobe Site

You're right, we have the same (or similar) issue.

I haven't disabled it yet, because the signature is  just dropping the packets (because of the configuration we have).

Anyway, I do want to know if this is a false positive or not..

In case it keeps matching a lot of events, I will probably disable it.

Community Member

Signature 41846/1 matches on Adobe Site

I am seeing it to, across many sites though not just Adobe. I had to disable it because it was firing too much. I am treating it as a false positive by a bad signiture.

Community Member

Signature 41846/1 matches on Adobe Site

Thanks, Jason, for you post.

In my case, there are some pick hours in which this signatures fires, so I think I'll monitor it a couple hours more, and if it keeps on firing I'll just have to disable it.

Community Member

Signature 41846/1 matches on Adobe Site

Seeing it too:

sig_id=41846

Sig_name=Generic Cross Site Scripting Attack

Sig_version=s625

Most of the "victim" IPs are to Adobe Systems.

Cisco Employee

Signature 41846/1 matches on Adobe Site

We are looking into this issue. The signature will be updated asap.

Community Member

Signature 41846/1 matches on Adobe Site

Same thing happened to us, but it was reporting the victim as an IP address belonging to Webtrendslive.com

Interestingly this coincided with us going from promiscuous mode to inline mode.  When we did switch to inline mode it started blocking these packets (and I also had block attacker enabled), and this completely blocked Internet access for these users.  About 13 out of 180. Unchecking the "Deny packet inline" and "Deny Attacker Inline" did not give these users Internet access.  We eventually had to Shut down the sensor so they could get back on the Internet.  What a hassle.

Is there a way to have changes applied in Event Action Overrides to happen right away?  Is this normal?

Cisco Employee

Signature 41846/1 matches on Adobe Site

As you may have noticed, the signature was updated in S626 released last night. Hopefully, that resolves the issues you were facing. If you need any further assistance, please let us know or open a TAC case.

Community Member

Signature 41846/1 matches on Adobe Site

Yes. I've noticed it.

Problem is now solved, with the signature retired.

thanks

Community Member

Signature 41846/1 matches on Adobe Site

Received signature 626, and it has resolved the Generic Cross Site Scripting Attack alerts here.

On a similiar note, Adobe released the following on 15 Feb 2012:

http://www.adobe.com/support/security/bulletins/apsb12-03.html

Thanks

Frank

1974
Views
0
Helpful
10
Replies
CreatePlease to create content