02-15-2012 06:34 AM - edited 03-10-2019 05:36 AM
Hi, today I've been noticing that a new signature 41846/1 started matching on differents IPs belonging to
Adobe Systems Inc. or ThePlanet.com Internet Services, Inc.
Here I post some event detected by the IPS:
Severity | Date | Time | Sig. Name | Sig. ID | Attacker IP | Victim IP | Victim Port | Threat Rating | Risk Rating |
---|---|---|---|---|---|---|---|---|---|
High | 02/15/2012 | 08:56:26 | Generic Cross Site Scripting Attack | 41846/1 | 1.2.3.4 | 66.235.132.152 | 80 | 60 | 95 |
High | 02/15/2012 | 08:56:27 | Generic Cross Site Scripting Attack | 41846/1 | 1.2.3.4 | 66.235.134.160 | 80 | 60 | 95 |
High | 02/15/2012 | 08:56:27 | Generic Cross Site Scripting Attack | 41846/1 | 1.2.3.4 | 66.235.139.121 | 80 | 60 | 95 |
High | 02/15/2012 | 09:00:38 | Generic Cross Site Scripting Attack | 41846/1 | 1.2.3.4 | 66.235.132.152 | 80 | 60 | 95 |
High | 02/15/2012 | 09:00:38 | Generic Cross Site Scripting Attack | 41846/1 | 1.2.3.4 | 66.235.134.160 | 80 | 60 | 95 |
The attacker IP "1.2.3.4" would be the proxy's IP.
Analyzing the proxy's log, I've seen that a lot of different computers from my network are trying to reach Adobe's sites to download a new version or update, i.e.:
GET http://swupmf.adobe.com/manifest/50/win/AdobeUpdater.upd HTTP/1.1
GET http://armmf.adobe.com/arm-manifests/win/Reader9Manifest.msi HTTP/1.1
GET http://armdl.adobe.com/pub/adobe/reader/win/9.x/9.5.0/es_ES/AdbeRdr950_es_ES.exe HTTP/1.1
So my first question is why the attempt to reach Adobe's site is matching an IPS signature related to a Cross Site Scripting attempt.
From what I've researched, signature 41846/1 has been released in order to address CVE-2012-0017: "Cross-site scripting (XSS) vulnerability in inplview.aspx in Microsoft SharePoint Foundation 2010 Gold and SP1 allows remote attackers to inject arbitrary web script or HTML via JavaScript sequences in a URL, aka "XSS in inplview.aspx Vulnerability."
Then, my second question would be how Adobe's site is related to CVE-2012-0017.
Thanks.
Regards, Dana
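The triage Dana describes by hand (IPS alerts whose "attacker" is the proxy, checked against the proxy log for what the internal clients actually requested from each "victim" IP) can be scripted. This is an added example, not code from the thread: the event and log layouts, timestamps, client IPs, the pairing of destination IPs to Adobe hosts and the second signature ID 99999/0 are constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed IPS events in the order date|time|sig id|victim IP (mirrors the table above;
# sig 99999/0 is a placeholder for an unrelated alert).
IPS_EVENTS = """\
02/15/2012|08:56:26|41846/1|66.235.132.152
02/15/2012|08:56:27|41846/1|66.235.134.160
02/15/2012|09:00:38|41846/1|66.235.132.152
02/15/2012|09:00:38|41846/1|66.235.134.160
02/15/2012|09:00:39|99999/0|10.0.0.25
"""

# Constructed proxy log: timestamp, client IP, destination IP, request line.
# The Adobe URLs are from the post; client IPs and the IP-to-host pairing are assumed.
PROXY_LOG = """\
2012-02-15 08:56:26 10.1.4.17 66.235.132.152 GET http://swupmf.adobe.com/manifest/50/win/AdobeUpdater.upd HTTP/1.1
2012-02-15 08:56:27 10.1.4.22 66.235.134.160 GET http://armmf.adobe.com/arm-manifests/win/Reader9Manifest.msi HTTP/1.1
2012-02-15 09:00:38 10.1.7.3 66.235.132.152 GET http://swupmf.adobe.com/manifest/50/win/AdobeUpdater.upd HTTP/1.1
2012-02-15 09:00:38 10.1.9.50 66.235.134.160 GET http://armmf.adobe.com/arm-manifests/win/Reader9Manifest.msi HTTP/1.1
"""

def parse_ips(text):
    """Yield (timestamp, signature, victim) tuples from the pipe-separated events."""
    for line in text.splitlines():
        date, clock, sig, victim = line.split("|")
        yield datetime.strptime(f"{date} {clock}", "%m/%d/%Y %H:%M:%S"), sig, victim

def parse_proxy(text):
    """Return (timestamp, client, destination, url) tuples from the proxy log."""
    entries = []
    for line in text.splitlines():
        day, clock, client, dest, _method, url, _version = line.split(" ")
        entries.append((datetime.strptime(f"{day} {clock}", "%Y-%m-%d %H:%M:%S"), client, dest, url))
    return entries

def correlate(ips_text, proxy_text, window=timedelta(seconds=2)):
    """For each signature, collect the proxy requests to the alert's victim IP within
    `window` of the alert; alerts with no proxy match are counted for manual review."""
    proxy = parse_proxy(proxy_text)
    report = defaultdict(lambda: {"clients": set(), "urls": set(), "unmatched": 0})
    for ts, sig, victim in parse_ips(ips_text):
        hits = [p for p in proxy if p[2] == victim and abs(p[0] - ts) <= window]
        if not hits:
            report[sig]["unmatched"] += 1
        for _, client, _, url in hits:
            report[sig]["clients"].add(client)  # many internal clients -> broad, not targeted
            report[sig]["urls"].add(url)        # plain update-manifest GETs, no script payload
    return dict(report)
```

A signature whose every hit resolves to ordinary update downloads from many unrelated internal clients is the pattern the thread ends up treating as a false positive; alerts left in `unmatched` are the ones still worth a manual look.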
02-15-2012 06:50 AM
Hi Dana,
You and I must have been posting at the same time. We noticed an issue with this signature on one of our sensors this morning after S625 was applied. The "attacker" addresses are all internal and the "target" addresses are all over the board, some internal and some external. I had to disable this because it was triggering so often, 128 times in the last hour alone. Hopefully the Cisco folks can take a look at this and release an update soon.
02-15-2012 07:00 AM
You're right, we have the same (or similar) issue.
I haven't disabled it yet, because the signature is just dropping the packets (because of the configuration we have).
Anyway, I do want to know if this is a false positive or not.
In case it keeps matching a lot of events, I will probably disable it.
02-15-2012 07:01 AM
I am seeing it too, across many sites though, not just Adobe. I had to disable it because it was firing too much. I am treating it as a false positive by a bad signature.
02-15-2012 07:08 AM
Thanks, Jason, for your post.
In my case, there are some peak hours in which this signature fires, so I think I'll monitor it a couple of hours more, and if it keeps on firing I'll just have to disable it.
02-15-2012 08:48 AM
Seeing it too:
sig_id=41846
Sig_name=Generic Cross Site Scripting Attack
Sig_version=s625
Most of the "victim" IPs are to Adobe Systems.
02-15-2012 09:37 AM
We are looking into this issue. The signature will be updated asap.
02-15-2012 03:14 PM
Same thing happened to us, but it was reporting the victim as an IP address belonging to Webtrendslive.com
Interestingly, this coincided with us going from promiscuous mode to inline mode. When we did switch to inline mode it started blocking these packets (and I also had block attacker enabled), and this completely blocked Internet access for these users, about 13 out of 180. Unchecking "Deny Packet Inline" and "Deny Attacker Inline" did not give these users Internet access. We eventually had to shut down the sensor so they could get back on the Internet. What a hassle.
Is there a way to have changes applied in Event Action Overrides to happen right away? Is this normal?
02-16-2012 02:48 PM
As you may have noticed, the signature was updated in S626 released last night. Hopefully, that resolves the issues you were facing. If you need any further assistance, please let us know or open a TAC case.
02-17-2012 03:49 AM
Yes. I've noticed it.
Problem is now solved, with the signature retired.
thanks
02-17-2012 05:22 AM
Received signature 626, and it has resolved the Generic Cross Site Scripting Attack alerts here.
On a similar note, Adobe released the following on 15 Feb 2012:
http://www.adobe.com/support/security/bulletins/apsb12-03.html
Thanks
Frank