02-22-2006 11:10 AM - edited 03-10-2019 01:54 AM
Are there any known false positives for this signature?
evIdsAlert: eventId=1135904534516778471 vendor=Cisco severity=high
originator:
hostId: 27-fw-dmz-c1
appName: sensorApp
appInstanceId: 346
time: February 22, 2006 12:51:20 PM UTC offset=-360 timeZone=GMT-06:00
signature: description=Macromedia Flash Overflow id=5692 version=S200
subsigId: 0
sigDetails: Macromedia Flash Overflow
interfaceGroup:
vlan: 0
participants:
attacker:
addr: 209.152.119.251 locality=ANY
port: 80
target:
addr: 206.195.195.108 locality=NETCACHE_EXT_IP
port: 63921
context:
fromAttacker:
000000 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
000010 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
000020 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
000030 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
000040 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
000050 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
000060 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
000070 00 00 00 00 00 00 00 00 00 FF D8 FF DB 00 C5 00 ................
000080 0B 07 08 09 08 07 0B 09 09 09 0C 0B 0B 0D 10 1A ................
000090 11 10 0F 0F 10 20 17 18 13 1A 26 22 28 28 26 22 ..... ....&"((&"
0000A0 25 24 2A 30 3D 33 2A 2D 39 2E 24 25 35 48 35 39 %$*0=3*-9.$%5H59
0000B0 3F 41 44 45 44 29 33 4B 50 4A 42 4F 3D 43 44 41 ?ADED)3KPJBO=CDA
0000C0 01 0B 0C 0C 10 0E 10 1F 11 11 1F 41 2C 25 2C 41 ...........A,%,A
0000D0 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
0000E0 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
0000F0 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
02-23-2006 06:46 AM
According to the MySDN site, there are "no known benign triggers":
http://tools.cisco.com/MySDN/Intelligence/viewSignature.x?signatureId=5692&signatureSubId=0
03-08-2006 02:11 PM
I am getting quite a few false positives as well. My external webserver hosts up a flash file on one of our sites. Whenever someone requests that page, and the webserver serves up the .swf file, this signature fires.
I've been trying to figure out what is causing it to fire, myself, and am not getting anywhere.
fromAttacker:
000000 FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF ................
000010 FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF ................
000020 FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF ................
000030 FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF ................
000040 FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF ................
000050 FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF ................
000060 FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF ................
000070 FF FF FF FF FF FF FF FF FF FF D8 FF DB 00 C5 00 ................
000080 0B 07 08 09 08 07 0B 09 09 09 0C 0B 0B 0D 10 1A ................
000090 11 10 0F 0F 10 20 17 18 13 1A 26 22 28 28 26 22 ..... ....&"((&"
0000A0 25 24 2A 30 3D 33 2A 2D 39 2E 24 25 35 48 35 39 %$*0=3*-9.$%5H59
0000B0 3F 41 44 45 44 29 33 4B 50 4A 42 4F 3D 43 44 41 ?ADED)3KPJBO=CDA
0000C0 01 0B 0C 0C 10 0E 10 1F 11 11 1F 41 2C 25 2C 41 ...........A,%,A
0000D0 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
0000E0 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
0000F0 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
I would be curious if your trigger packet is the same as mine. It is too large to post up here, but our "fromAttacker" packets are exactly identical, which is very interesting.
03-08-2006 06:15 PM
False positives have been reported due to certain graphics files.
The benign triggers for this signature will be updated for the next release.
03-09-2006 06:48 AM
Do you have suggestions on how to tune, or filter it, then?
03-09-2006 06:26 PM
I would filter for hosts which have been updated with the relative patches.
You can tune this signature by disabling it if hosts within your network have been addressed for the vulnerability (i.e. patched).
You can also lower the Signature Fidelity Rating, if you are running in in-line mode and using that information to block bad packets.
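Before filtering or disabling the signature, an analyst will want to confirm that a given alert really is the graphics-file trigger. The following is an added triage example, not code from Cisco or from any poster in this thread: it parses the sensor's "fromAttacker" hex dump back into bytes and checks whether the captured context is the start of a JPEG stream (FF D8 is the JPEG start-of-image marker, FF DB a quantization-table segment). The sample dump is the first poster's, trimmed; that the long run of 0x41 bytes inside that quantization table is what resembles overflow padding is an assumption, not something Cisco stated.

```python
# Constructed sample: the first poster's "fromAttacker" context from the alert above,
# with the all-zero lines before offset 0x70 and the last line of 0x41s dropped for brevity.
SAMPLE_DUMP = """\
000070 00 00 00 00 00 00 00 00 00 FF D8 FF DB 00 C5 00 ................
000080 0B 07 08 09 08 07 0B 09 09 09 0C 0B 0B 0D 10 1A ................
000090 11 10 0F 0F 10 20 17 18 13 1A 26 22 28 28 26 22 ..... ....&"((&"
0000A0 25 24 2A 30 3D 33 2A 2D 39 2E 24 25 35 48 35 39 %$*0=3*-9.$%5H59
0000B0 3F 41 44 45 44 29 33 4B 50 4A 42 4F 3D 43 44 41 ?ADED)3KPJBO=CDA
0000C0 01 0B 0C 0C 10 0E 10 1F 11 11 1F 41 2C 25 2C 41 ...........A,%,A
0000D0 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
0000E0 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
"""

def parse_hexdump(dump: str) -> bytes:
    """Rebuild raw bytes from the sensor's 'offset  16 hex pairs  ascii' lines. Only the
    fixed hex column (chars 7-53) is decoded, so 'AAAA' in the ASCII column is never misread."""
    out, base = bytearray(), None
    for line in dump.splitlines():
        offset = int(line[:6], 16)
        base = offset if base is None else base
        if offset - base != len(out):                 # a dropped or reordered dump line
            raise ValueError(f"gap in dump at offset {offset:#x}")
        out += bytes.fromhex(line[7:54])
    return bytes(out)

def longest_run(data: bytes) -> tuple:
    """(byte value, length) of the longest run of one repeated byte; (0, 0) if empty."""
    best, i = (0, 0), 0
    while i < len(data):
        j = i
        while j < len(data) and data[j] == data[i]:
            j += 1
        best, i = max(best, (data[i], j - i), key=lambda r: r[1]), j
    return best

def classify_trigger(payload: bytes) -> dict:
    """Report whether the captured context starts a JPEG stream and what its first segment
    holds, so an analyst can separate the graphics-file trigger from a real attack."""
    soi = payload.find(b"\xff\xd8")                   # JPEG start-of-image marker
    if soi < 0:
        return {"jpeg": False}
    seg = payload[soi + 2:]
    if len(seg) < 4 or seg[0] != 0xFF:
        return {"jpeg": True, "segment": None}
    length = int.from_bytes(seg[2:4], "big")          # includes the two length bytes
    body = seg[4:2 + length]                          # may be cut short by the context window
    names = {0xDB: "DQT", 0xC0: "SOF0", 0xC4: "DHT"}
    return {"jpeg": True, "segment": names.get(seg[1], f"{seg[1]:#04x}"),
            "declared_length": length, "truncated": len(seg) < 2 + length,
            "longest_run": longest_run(body)}
```

On the sample above the result is a JPEG whose first segment is a DQT of declared length 197, cut off by the sensor's context window, with a 33-byte run of 0x41 in the table data; a "jpeg": False result is the case that deserves a closer look.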