Signature ID = 6043

mhanson2004
Level 1

Signature update S862 that included Signature ID 6043 Microsoft.HTTP.Sys Remote Code Execution was just released. We are seeing a large number of alerts on this signature, with the alerts coming from machines on our network and the traffic heading off of network. No destination or victim addresses are noted, just 0.0.0.0.

Anyone else seeing similar activity?

Thank you.

Mike

1 Reply

JonPBerbee
Level 1

I've noticed this event trigger 8 times on one of my customer's IPS devices in the past 24 hours. With the exception of the Summary alert, though, all other alerts had source/destination IPs and were traffic coming in from the Internet.

From what you describe above, it sounds to me like you're just seeing Summary alerts. I'm not sure why you wouldn't see the alerts that have source/destination unless there is a filter that disables the alerting for certain RRs.

Jon.
