Cisco Support Community
New Member

Squid Proxy NTLM Authenticate Overflow: dest ip 0.0.0.0

Hello,

in the IPS Event Viewer I see a lot of messages regarding 'Squid Proxy NTLM Authenticate Overflow'. For a lot of them, the destination IPs are as expected: they point to the addresses of our proxy servers.

However, I also see a lot of packets with a destination IP of 0.0.0.0. What does this mean?

4 REPLIES
Cisco Employee

Re: Squid Proxy NTLM Authenticate Overflow: dest ip 0.0.0.0

Assuming that this is sig 3737-0.

The summary key is Axxx for that signature, and what you are seeing is most likely summary alerts, showing the "attacker" address.

If you look a bit more at the alert itself, you should see something stating that it's a summary and that there were X alerts over the past interval.

Re: Squid Proxy NTLM Authenticate Overflow: dest ip 0.0.0.0

It seems the signature needs tuning from the Cisco side; we keep seeing it all the time (false positives). It's detecting this signature for our ISA Server(s) here.

Regards

Farrukh

Cisco Employee

Re: Squid Proxy NTLM Authenticate Overflow: dest ip 0.0.0.0

That signature is for CVE-2004-0541 (a 4-year-old vulnerability), applicable to Squid Web Proxy Cache versions Squid-2.5.STABLE5 and below and the initial 3.x version(s). Current versions of squid-cache are 2.7stable4 and 3.0stable8.

If you aren't running squid-cache, you should disable this signature.
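Added example, not code from the thread: a small Python triage helper that separates the 0.0.0.0 summary records described earlier from per-event alerts, then checks each real target against a host inventory using the affected Squid range stated in this reply. The alert record layout, the inventory, and the reading of "initial 3.x" as 3.0 pre-release builds are assumptions.

```python
"""Triage of IPS sig 3737-0 (Squid Proxy NTLM Authenticate Overflow) alerts.
Added example: alert record layout and inventory are constructed, not a real Cisco IPS export."""
import re

_VER = re.compile(r"^(\d+)\.(\d+)\.?(PRE|RC|STABLE)(\d+)$", re.I)
_STAGE = {"PRE": 0, "RC": 1, "STABLE": 2}  # release stage ordering

def parse_squid_version(text):
    """'2.5.STABLE5' or '2.7stable4' -> (major, minor, stage, num); ValueError otherwise."""
    m = _VER.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Squid version: {text!r}")
    major, minor, stage, num = m.groups()
    return (int(major), int(minor), _STAGE[stage.upper()], int(num))

def is_affected(version):
    """Range stated in the thread: Squid 2.5.STABLE5 and below, plus the
    initial 3.x builds (assumption: read as 3.0 PRE/RC pre-releases)."""
    v = parse_squid_version(version)
    if v[0] == 2:
        return v <= (2, 5, _STAGE["STABLE"], 5)
    return v[0] == 3 and v[1] == 0 and v[2] < _STAGE["STABLE"]

def triage(alerts, inventory, sig="3737-0"):
    """Split summary alerts (target 0.0.0.0, attacker shown) from per-event
    alerts, then check whether any real target runs an affected Squid."""
    events = summary_events = 0
    targets = set()
    for a in alerts:
        if a["sig"] != sig:
            continue
        events += a["count"]
        if a["target"] == "0.0.0.0":      # summary record, not a real host
            summary_events += a["count"]
        else:
            targets.add(a["target"])
    exposed = []
    for host in sorted(targets):
        software = inventory.get(host, "unknown")  # e.g. "squid 2.7.STABLE4"
        if software.lower().startswith("squid ") and is_affected(software.split()[1]):
            exposed.append(host)
    return {"events": events, "summary_events": summary_events,
            "targets": sorted(targets), "exposed": exposed,
            "tune_or_disable": not exposed}  # no exposed Squid: tune or disable the sig

ALERTS = [  # constructed sample records
    {"sig": "3737-0", "attacker": "10.1.1.20", "target": "10.0.0.5", "count": 1},
    {"sig": "3737-0", "attacker": "10.1.1.21", "target": "0.0.0.0", "count": 37},
    {"sig": "3737-0", "attacker": "10.1.1.22", "target": "10.0.0.6", "count": 2},
]
INVENTORY = {"10.0.0.5": "squid 2.7.STABLE4", "10.0.0.6": "ISA Server 2006"}  # constructed
```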

Re: Squid Proxy NTLM Authenticate Overflow: dest ip 0.0.0.0

I'll do that, thanks :)

Regards

Farrukh
