04-25-2003 07:47 AM - edited 03-09-2019 03:02 AM
Last update made me crazy - at least three new signatures were false-positive in our environment:
4003 - fired on normal DNS requests (if you have 3 DNS servers for a zone?)
5366 - fired almost on every HTTP request
3604 - fired on HTTP replies from port 80 to port 7161 on client...
I could guess the Cisco answer - migrate to 4.0 to fix the problem... :)
04-28-2003 04:59 AM
I'm glad to see others are having this problem. I've been creating filters like crazy since I patched. Best of luck to anyone else with this problem.
04-28-2003 03:22 PM
4003 is a known problem with DNS servers. We added a benign trigger in the NSDB as of the upcoming S44 signature update. Best solution is to filter out your DNS servers as sources and destinations.
5366 is looking for a non-printable character (aka shell code) in an HTTP request's URI or arguments. We're not searching the whole request. According to our research, only printable characters (0x00-0x7F) "should" appear in the URI or arguments of an HTTP request. I say "should" because we've been proven wrong before. If you like, we'd be happy to analyze any log files / traffic traces. You can email them directly to me at mcerha@cisco.com.
And for a nice segue, yes the 3604 problem can be solved by upgrading to 4.0 sensors. 3.1 sensors don't have a solid notion of who is the client and who is the server. 4.0 fixed this.
Thanks for your feedback.
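As an added illustration of the 5366 behaviour described in the reply above (example code written for this thread, not Cisco's signature engine), the following check inspects only the request-target of the HTTP request line, treats the 0x00-0x7F range the reply quotes as "printable" (an assumption about the sensor), and runs over constructed sample requests to show which ones would fire:

```python
import re

# Request line: METHOD SP request-target SP HTTP/x.y CRLF. Matched on bytes so
# that raw 8-bit characters in the target are kept rather than decoded away.
REQUEST_LINE = re.compile(rb"^([A-Z]+) (\S+) HTTP/\d\.\d\r?\n")

def find_nonprintable(raw_request, printable=range(0x00, 0x80)):
    """Return [(offset, byte), ...] for bytes in the URI/arguments outside
    `printable`. Only the request-target of the request line is examined;
    headers and body are ignored, as the reply describes for 5366. The
    default range mirrors the 0x00-0x7F quoted in the thread (an assumption
    about the real signature, which may differ)."""
    m = REQUEST_LINE.match(raw_request)
    if not m:
        return None  # not a parseable request line: the check does not apply
    target = m.group(2)
    return [(i, b) for i, b in enumerate(target) if b not in printable]

def would_fire(raw_request):
    """True when the check above would raise an alarm for this request."""
    return bool(find_nonprintable(raw_request))

# Constructed sample traffic (not real captures from the poster's network).
SAMPLES = {
    "plain":       b"GET /index.html?id=42 HTTP/1.1\r\nHost: www.example\r\n\r\n",
    "pct_encoded": b"GET /search?q=%C3%A9t%C3%A9 HTTP/1.1\r\nHost: www.example\r\n\r\n",
    "raw_utf8":    "GET /caf\u00e9 HTTP/1.1\r\nHost: www.example\r\n\r\n".encode("utf-8"),
    "raw_latin1":  b"GET /search?name=J\xf6rg HTTP/1.1\r\nHost: www.example\r\n\r\n",
    "header_only": b"GET / HTTP/1.1\r\nX-Note: \xff\xfe\r\n\r\n",
}

def evaluate_samples(samples=SAMPLES):
    """Map sample name -> whether the check fires. Percent-encoded non-ASCII
    passes, raw 8-bit bytes in the path or query trigger, and binary that
    appears only in a header does not (the whole request is not searched)."""
    return {name: would_fire(req) for name, req in samples.items()}

if __name__ == "__main__":
    for name, fired in evaluate_samples().items():
        print(f"{name:12s} fires={fired} hits={find_nonprintable(SAMPLES[name])}")
```

Running the samples shows that a client sending an un-encoded UTF-8 or Latin-1 path or parameter is enough to trip this kind of check, which is one plausible source of the "almost every HTTP request" noise reported at the top of the thread.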