Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

Signature 5774 False Positives?

Anything thoughts? Are false positives being reviewed for next signature release?

We are seeing alot of activity triggering this signature. The attacking ip is from Microsoft itself so must be a false positive?.... 207.68.179.220 (http://advertising.msn.com/home/home)

Signature version is S232

Attacker Context is :

w.rsac.org/ratingsv01.html" l comment "RSACi North America Server" by "inet@microsoft.com" r (n 0 s 0 v 0 l 0))

Date: Tue, 20 Jun 2006 16:02:42 GMT

PNG

IHDR i*gAMA|Q cHRMR@}y<s<w

5iCCPsRG

Thoughts?

10 REPLIES
New Member

Re: Signature 5774 False Positives?

I would like to look into this further.

Is it possible to get a traffic sample for this please? In the meantime would you be able to re-paste the entire alert information including the hex output.

Thanks,

Jonathan

New Member

Re: Signature 5774 False Positives?

evIdsAlert: eventId=1135765787750475982 vendor=Cisco severity=high

originator:

hostId: xxxx

appName: sensorApp

appInstanceId: 26432

time: June 22, 2006 10:17:48 PM UTC offset=-420 timeZone=MST

signature: description=Windows Media Player PNG Processing Remote Code Execution id=5774 version=S232

subsigId: 0

sigDetails: Windows Media Player PNG Processing Remote Code Execution

interfaceGroup:

vlan: 0

participants:

attacker:

addr: 207.68.179.220 locality=OUT

port: 80

target:

addr: xxxxxxxx locality=INTERNAL

port: 2177

context:

fromAttacker:

000000 77 2E 72 73 61 63 2E 6F 72 67 2F 72 61 74 69 6E w.rsac.org/ratin

000010 67 73 76 30 31 2E 68 74 6D 6C 22 20 6C 20 63 6F gsv01.html" l co

000020 6D 6D 65 6E 74 20 22 52 53 41 43 69 20 4E 6F 72 mment "RSACi Nor

000030 74 68 20 41 6D 65 72 69 63 61 20 53 65 72 76 65 th America Serve

000040 72 22 20 62 79 20 22 69 6E 65 74 40 6D 69 63 72 r" by "inet@micr

000050 6F 73 6F 66 74 2E 63 6F 6D 22 20 72 20 28 6E 20 osoft.com" r (n

000060 30 20 73 20 30 20 76 20 30 20 6C 20 30 29 29 0D 0 s 0 v 0 l 0)).

000070 0A 44 61 74 65 3A 20 54 68 75 2C 20 32 32 20 4A .Date: Thu, 22 J

000080 75 6E 20 32 30 30 36 20 32 32 3A 32 32 3A 32 36 un 2006 22:22:26

000090 20 47 4D 54 0D 0A 0D 0A 89 50 4E 47 0D 0A 1A 0A GMT.....PNG....

0000A0 00 00 00 0D 49 48 44 52 00 00 00 20 00 00 00 2D ....IHDR... ...-

0000B0 08 06 00 00 00 CF E4 69 2A 00 00 00 04 67 41 4D .......i*....gAM

0000C0 41 00 00 B1 8E 7C FB 51 93 00 00 00 20 63 48 52 A....|.Q.... cHR

0000D0 4D 00 00 87 0F 00 00 8C 0F 00 00 FD 52 00 00 81 M...........R...

0000E0 40 00 00 7D 79 00 00 E9 8B 00 00 3C E5 00 00 19 @..}y......<....

0000F0 CC 73 3C 85 77 00 00 0A 35 69 43 43 50 73 52 47 .s<.w...5iCCPsRG

riskRatingValue: 70

interface: fe1_0

protocol: tcp

New Member

Re: Signature 5774 False Positives?

we also were getting the WMF exploit signatures triggering from MSFT. We were gonna tune em out,

Bronze

Re: Signature 5774 False Positives?

I am also getting the trigger from Microsoft. I don't have anything additional to add. I just wanted to be able to receive a notification when this post receives replies.

Could someone let me know if there is a way to enable notifications for a post without submitting a message to it?

Thank you,

Mark

New Member

Re: Signature 5774 False Positives?

Click the Subscribe link.

New Member

Re: Signature 5774 False Positives?

I know, god forbid cisco or any other major vendor that provides an attempt at support forums uses an already established and used on a daily basis by millions worldwide "standard" of Vbulletin whcih costs all of a couple hundred dollars instead of reinventing the wheel and making users hunt for buttons they know *should* exist and request features that are incredulously "not added yet" all the while mucking their way through the slower and more cumbersome interface.

[/rant]

New Member

Re: Signature 5774 False Positives?

Apologies for the delayed response.

I had a look the show event information and although it looks like a png file, the format is incorrect as per defined by the w3.org open standard.

Records are nested with: iCCPsRG

In these situations where the defined format is not followed, it will cause a false positive.

Thanks,

Jonathan

New Member

Re: Signature 5774 False Positives?

I'm sure you can tighten up this signature. Having 99% false positives is not acceptable and the answer "not following w3.org standards" is .......... .

Maybe you should rename this signature to Suspicious PNG file and make a new signature that works in the reality.

Thanks. ;-)

New Member

Re: Signature 5774 False Positives?

Is anyone using a workaround for this noisy signature?

New Member

Re: Signature 5774 False Positives?

Just to let everyone know, we have been currently investigating the 5774-0 signature in ways we can improve it to reduce the number of false positives.

244
Views
0
Helpful
10
Replies
CreatePlease login to create content