This is a signature that detects a "CA BrightStor ARCserve Backup Listservcntrl ActiveX Overflow".
As I understand it, this is a meta signature that fires when 6794/1 and 5477 both trigger. Alerts have shown up a couple of times today, but the packet data in MARS associated with them do not appear to match correctly with the component signatures.
For example, 6794/1 looks like it tries to match a regex for this key: BF6EFFF3-4558-4C4C-ADAF-A87891C5F3A3
However, in the packet data, this does not occur anywhere. So I'm unsure if there is packet data that I cannot see (but I should be able to see!), or if it is firing incorrectly, or perhaps I just don't understand something!
We had to disable this signature and 6497/0 while we try and figure out what is going on. This signature was firing just trying to read this forum page! Any info would be appreciated.
I did notice that this showed up about the same time we started running XO soft on our network. The 'victim' IPs, however, are all client machines for the most part - user boxes not even on the same subnet as our server block.
If this post answers your question or is helpful, please consider rating it and/or marking as answered.