3.1.3S43 update - so many false-positives...

DSmirnov
Level 1

The last update made me crazy - at least three new signatures were false-positive in our environment:

4003 - fired on normal DNS requests (if you have 3 DNS servers for a zone?)

5366 - fired almost on every HTTP request

3604 - fired on HTTP replies from port 80 to port 7161 on client...

I could guess the Cisco answer - migrate to 4.0 to fix the problem... :)

2 Replies

mjuckett
Level 1

I'm glad to see others are having this problem. I've been creating filters like crazy since I patched. Best of luck to anyone else with this problem.

mcerha
Level 3

4003 is a known problem with DNS servers. We added a benign trigger in the NSDB as of the upcoming S44 signature update. Best solution is to filter out your DNS servers as sources and destinations.

5366 is looking for a non-printable character (aka shell code) in an HTTP request's URI or arguments. We're not searching the whole request. According to our research, only printable characters (0x00-0x7F) "should" appear in the URI or arguments of an HTTP request. I say "should" because we've been proven wrong before. If you like, we'd be happy to analyze any log files / traffic traces. You can email them directly to me at mcerha@cisco.com.

And for a nice segue, yes the 3604 problem can be solved by upgrading to 4.0 sensors. 3.1 sensors don't have a solid notion of who is the client and who is the server. 4.0 fixed this.

Thanks for your feedback.
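To make the 5366 explanation above concrete, here is an added example (not Cisco's signature code and not from anyone in this thread) that models the check as the reply describes it: only the URI and its arguments are inspected, not the rest of the request, and the allowed byte range 0x00-0x7F is taken from the post. The sample requests are constructed; `example.test` is a placeholder host.

```python
# Simplified model of the 5366 check described in the thread: flag bytes
# outside 0x00-0x7F in the request target (path + query) only. Headers and
# body are deliberately not inspected, matching "not searching the whole
# request". Sample requests are constructed for illustration.

def split_request(raw: bytes):
    """Return (method, target, rest) from a raw HTTP/1.x request."""
    request_line, _, rest = raw.partition(b"\r\n")
    parts = request_line.split(b" ")
    if len(parts) < 2:
        raise ValueError("malformed request line")
    return parts[0], parts[1], rest


def non_printable_offsets(target: bytes):
    """Offsets of bytes above 0x7F in the URI + arguments.
    Percent-encoded bytes (e.g. %C3%A9) are plain ASCII and are not flagged,
    which is why raw UTF-8 in a query string is a common benign trigger."""
    return [i for i, b in enumerate(target) if b > 0x7F]


def sig_5366_fires(raw: bytes) -> bool:
    """True when the request target contains a byte outside 0x00-0x7F."""
    _, target, _ = split_request(raw)
    return bool(non_printable_offsets(target))


# Constructed samples
CLEAN = b"GET /index.html?q=hello HTTP/1.1\r\nHost: example.test\r\n\r\n"
# Raw (un-encoded) UTF-8 in the query string: benign, but matches the check
UTF8_QUERY = b"GET /search?q=caf\xc3\xa9 HTTP/1.1\r\nHost: example.test\r\n\r\n"
# High bytes only in the body: outside the inspected region, so no alert
BODY_ONLY = (b"POST /upload HTTP/1.1\r\nHost: example.test\r\n"
             b"Content-Length: 4\r\n\r\n\x90\x90\x90\x90")

if __name__ == "__main__":
    for name, req in (("clean", CLEAN), ("utf8 query", UTF8_QUERY),
                      ("body only", BODY_ONLY)):
        print(f"{name}: fires={sig_5366_fires(req)}")
```

Running it shows why a site that passes un-encoded non-ASCII in query strings can trip this signature on almost every request, while the same bytes in a body never do.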