Cisco Support Community


False Positives with 4001/4003 and 5366 in S43 Signature Update

This is just a status message to update everyone on the steps we are taking to eliminate the false positive alarms caused by signatures 4001/4003 and 5366 that were introduced in the S43 signature update.

4001 (UDP Port Sweep) / 4003 (Nmap UDP Port Sweep)

The source of the problem is that the 3.1 SWEEP.PORT.UDP engine can only support one PortsInclude parameter. This parameter is shared by all signatures in the engine; if multiple PortsInclude parameters are configured, the last entry is used. Prior to signature update S43, this was not a problem because there was only one signature (4001) in the SWEEP.PORT.UDP engine. In S43, we added signature 4003. This new signature had a PortsInclude parameter which came after 4001's, so it was taken as the engine default. 4003 looks for scans to any port (1-65535), so signature 4001 was also using this setting, resulting in the large number of false positives.

To remedy this, in the S44 signature update we have disabled signature 4001. This signature is being deprecated in favor of 4003. In 3.1 sensors, we have disabled the signature; this cannot be changed by end users. In 4.0 sensors, we have turned the signature off by default. We have indicated this in the NSDB. Also, we have provided detailed instructions on how to tune signature 4003 to reduce false positives.
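As an added illustration (this is a model written for this post, not Cisco's engine code), the following Python simulates the shared-parameter collision described above: with one engine-wide PortsInclude where the last entry wins, 4001 inherits 4003's 1-65535 range and fires on traffic it should ignore, while per-signature scoping or disabling 4001 (the S44 remedy) does not. The 4001 port list, the sweep threshold and the sample traffic are constructed placeholders, not Cisco's real values.

```python
# Added model (not Cisco's engine code): simulates the S43 PortsInclude collision
# in a SWEEP.PORT.UDP-style engine where one parameter is shared by all signatures.
from dataclasses import dataclass
from typing import Dict, List, Set

def parse_ports(spec: str) -> Set[int]:
    """Expand a PortsInclude spec such as '1-65535' or '53,69,161' into a port set."""
    ports: Set[int] = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        ports.update(range(int(lo), int(hi or lo) + 1))
    return ports

@dataclass
class Signature:
    sig_id: int
    ports_include: str
    enabled: bool = True

def effective_ports(sigs: List[Signature], shared_param: bool) -> Dict[int, Set[int]]:
    """Port set each signature actually matches against.
    shared_param=True models the 3.1 engine: one PortsInclude for the whole engine,
    the last configured entry wins.  False models correct per-signature scoping."""
    if shared_param:
        last = parse_ports(sigs[-1].ports_include)
        return {s.sig_id: last for s in sigs}
    return {s.sig_id: parse_ports(s.ports_include) for s in sigs}

def sweep_alerts(sigs: List[Signature], dst_ports: List[int],
                 shared_param: bool, threshold: int = 5) -> List[int]:
    """Fire a signature when one source touches >= threshold distinct UDP ports
    that fall inside that signature's effective PortsInclude set (constructed rule)."""
    eff = effective_ports(sigs, shared_param)
    return [s.sig_id for s in sigs
            if s.enabled and len(set(dst_ports) & eff[s.sig_id]) >= threshold]

# Constructed S43 configuration: 4001's port list is a placeholder, not Cisco's value.
S43 = [Signature(4001, "53,69,111,123,161,162"), Signature(4003, "1-65535")]
# Constructed traffic: one host probing six high UDP ports (ephemeral-port noise).
HIGH_PORT_TRAFFIC = [40001, 40002, 40003, 40004, 40005, 40006]

def demo():
    """Return (S43 shared-param alerts, per-signature alerts, S44 alerts with 4001 disabled)."""
    s43_shared = sweep_alerts(S43, HIGH_PORT_TRAFFIC, shared_param=True)
    scoped = sweep_alerts(S43, HIGH_PORT_TRAFFIC, shared_param=False)
    s44 = [Signature(4001, S43[0].ports_include, enabled=False), S43[1]]
    s44_shared = sweep_alerts(s44, HIGH_PORT_TRAFFIC, shared_param=True)
    return s43_shared, scoped, s44_shared
```

Under the shared parameter, 4001 fires alongside 4003 on high-port traffic that is outside its own list; scoping the parameter per signature, or disabling 4001 as S44 does, leaves only the 4003 alert.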

5366 (Shell Code in HTTP URL / Args)

Upon investigation, false positive alarms have been identified that reveal an architectural limitation in the 3.1 and 4.0 HTTP handling code. Due to the excessive false positive alarms being caused by this signature, it has been disabled in the S44 signature update for 3.1 platforms. This is not modifiable by the end user. The signature has been turned off by default for 4.0 sensors, and it is recommended that it remain so until the issues can be resolved. This has been documented in the NSDB.