False Positives with 4001/4003 and 5366 in S43 Signature Update
This is just a status message to update everyone on the steps we are taking to eliminate the false positive alarms caused by signatures 4001/4003 and 5366 that were introduced in the S43 signature update.
4001 (UDP Port Sweep) / 4003 (Nmap UDP Port Sweep)
The source of the problem is that the 3.1 SWEEP.PORT.UDP engine can only support one PortsInclude parameter. This parameter is shared by all signatures in the engine; if multiple PortsInclude parameters are configured, the last entry is used. Prior to signature update S43, this was not a problem because there was only one signature (4001) in the SWEEP.PORT.UDP engine. In S43, we added signature 4003. This new signature had a PortsInclude parameter which came after 4001's, so it was taken as the engine default. 4003 looks for scans to any port (1-65535), so signature 4001 was also using this setting, resulting in the large number of false positives.

To remedy this, in the S44 signature update we have disabled signature 4001. This signature is being deprecated in favor of 4003. In 3.1 sensors, we have disabled the signature; this cannot be changed by end users. In 4.0 sensors, we have turned the signature off by default. We have indicated this in the NSDB. We have also provided detailed instructions on how to tune signature 4003 to reduce false positives.
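The following Python model, added here and not Cisco code, illustrates the shared-parameter defect described above: a single PortsInclude slot per engine means the last signature to set it silently overrides every earlier one. Only 4003's range (1-65535) comes from the notice; the narrower range assumed for 4001 is a constructed placeholder. It also shows the kind of configuration check a defender would want, flagging engines where more than one signature sets a parameter the engine can hold only once, and the S44 remedy of disabling the deprecated signature.

```python
"""
Model of the shared PortsInclude defect in the 3.1 SWEEP.PORT.UDP engine.

Added example, not Cisco code. The engine is modelled as a dict of
engine-wide parameters, so a PortsInclude value set by a later signature
overwrites an earlier one (last entry wins), exactly the behaviour the
S43 notice describes. 4001's port range below is a constructed placeholder;
4003's 1-65535 is from the notice.
"""
from collections import defaultdict

# Constructed signature definitions (assumed structure, not the real NSDB).
SIGNATURES = [
    {"id": 4001, "name": "UDP Port Sweep", "engine": "SWEEP.PORT.UDP",
     "PortsInclude": "1-1024"},   # constructed placeholder range
    {"id": 4003, "name": "Nmap UDP Port Sweep", "engine": "SWEEP.PORT.UDP",
     "PortsInclude": "1-65535"},  # range stated in the notice
]


def parse_ports(spec):
    """Expand a 'a-b,c,d-e' style port list into a set of port numbers."""
    ports = set()
    for part in spec.split(","):
        part = part.strip()
        if "-" in part:
            lo, hi = part.split("-", 1)
            ports.update(range(int(lo), int(hi) + 1))
        elif part:
            ports.add(int(part))
    return ports


def build_engine_params_shared(signatures):
    """Defective model: one PortsInclude slot per engine, last signature wins."""
    params = {}
    for sig in signatures:
        params[sig["engine"]] = sig["PortsInclude"]
    return params


def effective_ports_shared(signatures, sig_id):
    """Ports a signature actually fires on under the shared-parameter model."""
    params = build_engine_params_shared(signatures)
    sig = next(s for s in signatures if s["id"] == sig_id)
    return parse_ports(params[sig["engine"]])


def find_conflicts(signatures, shared_param="PortsInclude"):
    """Config check: return engines where several signatures set a parameter
    the engine can only hold once with differing values. A non-empty result
    means at least one signature is not running with the ports it declares."""
    per_engine = defaultdict(list)
    for sig in signatures:
        if shared_param in sig:
            per_engine[sig["engine"]].append((sig["id"], sig[shared_param]))
    return {eng: vals for eng, vals in per_engine.items()
            if len({v for _, v in vals}) > 1}


def disable_signature(signatures, sig_id):
    """Remedy taken in S44: remove the deprecated signature from the engine so
    only one PortsInclude value remains."""
    return [s for s in signatures if s["id"] != sig_id]


if __name__ == "__main__":
    # 4001 declares 1024 ports but, under the shared model, watches all 65535.
    print(len(effective_ports_shared(SIGNATURES, 4001)))
    print(find_conflicts(SIGNATURES))
    fixed = disable_signature(SIGNATURES, 4001)
    print(find_conflicts(fixed))   # no conflict once 4001 is gone
```

Running `find_conflicts` over a signature set before deploying it is the cheap check that would have caught this: any engine listed in the result has a signature whose declared port set differs from the one it will actually use.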
5366 (Shell Code in HTTP URL / Args)
Upon investigation, false positive alarms have been identified that reveal an architectural limitation in the 3.1 and 4.0 HTTP handling code. Due to the excessive false positive alarms being caused by this signature, it has been disabled in the S44 signature update for 3.1 platforms. This is not modifiable by the end user. The signature has been turned off by default for 4.0 sensors, and it is recommended that it remain so until the issues can be resolved. This has been documented in the NSDB.