New Member

3.1.3S43 update - so many false-positives...

The last update made me crazy - at least three new signatures were false positives in our environment:

4003 - fired on normal DNS requests (if you have 3 DNS servers for a zone?)

5366 - fired almost on every HTTP request

3604 - fired on HTTP replies from port 80 to port 7161 on client...

I could guess the Cisco answer - migrate to 4.0 to fix the problem... :)

2 REPLIES
New Member

Re: 3.1.3S43 update - so many false-positives...

I'm glad to see others are having this problem. I've been creating filters like crazy since I patched. Best of luck to anyone else with this problem.

Bronze

Re: 3.1.3S43 update - so many false-positives...

4003 is a known problem with DNS servers. We added a benign trigger in the NSDB as of the upcoming S44 signature update. Best solution is to filter out your DNS servers as sources and destinations.

5366 is looking for a non-printable character (aka shell code) in an HTTP request's URI or arguments. We're not searching the whole request. According to our research, only printable characters (0x00-0x7F) "should" appear in the URI or arguments of an HTTP request. I say "should" because we've been proven wrong before. If you like, we'd be happy to analyze any log files / traffic traces. You can email them directly to me at mcerha@cisco.com.

And for a nice segue, yes the 3604 problem can be solved by upgrading to 4.0 sensors. 3.1 sensors don't have a solid notion of who is the client and who is the server. 4.0 fixed this.

Thanks for your feedback.
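The 5366 check as the reply describes it (scan only the URI and arguments, not the whole request), run over a few constructed requests as an added example. This is not Cisco's signature code; the printable range 0x20-0x7E and the sample requests are assumptions.

```python
# Toy re-creation of the signature 5366 logic described in the reply:
# flag any byte outside printable ASCII in the request-target (URI + query
# arguments) of the first line only. Headers and body are deliberately ignored.
# The byte range is an assumption; the real signature's range is not on the page.
PRINTABLE = frozenset(range(0x20, 0x7F))  # 0x20..0x7E inclusive


def request_target(request: bytes) -> bytes:
    """Return the request-target from the request line of a raw HTTP request."""
    first_line = request.split(b"\r\n", 1)[0]
    parts = first_line.split(b" ")
    if len(parts) < 2:
        raise ValueError("not an HTTP request line")
    return parts[1]


def nonprintable_offsets(target: bytes) -> list:
    """Offsets of bytes in the URI/arguments that fall outside printable ASCII."""
    return [i for i, b in enumerate(target) if b not in PRINTABLE]


def sig5366_fires(request: bytes) -> bool:
    """True when the signature-style check would alert on this request."""
    return bool(nonprintable_offsets(request_target(request)))


# Constructed sample requests (not captured traffic).
SAMPLES = {
    # Ordinary request: nothing outside printable ASCII in the target.
    "plain": b"GET /index.html?id=42 HTTP/1.1\r\nHost: example.test\r\n\r\n",
    # Unencoded UTF-8 in the path: trips the check although it is not shellcode.
    "raw_utf8_in_path": b"GET /caf\xc3\xa9.html HTTP/1.1\r\nHost: example.test\r\n\r\n",
    # Same path percent-encoded: every byte is printable, so no alert.
    "percent_encoded": b"GET /caf%C3%A9.html HTTP/1.1\r\nHost: example.test\r\n\r\n",
    # Non-printable bytes only in the body: outside the scanned region, no alert.
    "nonprintable_in_body": b"POST /upload HTTP/1.1\r\nHost: example.test\r\n\r\n\x00\x01\x02",
}


def evaluate() -> dict:
    """Map each sample name to whether the check fires on it."""
    return {name: sig5366_fires(req) for name, req in SAMPLES.items()}


if __name__ == "__main__":
    for name, fired in evaluate().items():
        print(f"{name:22s} -> {'ALERT' if fired else 'ok'}")
```

Comparing `raw_utf8_in_path` with `percent_encoded` shows why a URI-only byte-range check can alert on benign clients that send non-ASCII paths unencoded, which is the kind of trace the reply offers to look at.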
