Guest

Preview Tool

Cisco Bug: CSCsr49100 - Signature 1102 false positive with E2 engine

Last Modified

Mar 02, 2018

Products (9)

  • Cisco IPS 4200 Series Sensors
  • Cisco IPS 4255 Sensor
  • Cisco IPS 4260 Sensor
  • Cisco IPS Sensor Software Version 6.1
  • Cisco Catalyst 6500 Series Intrusion Detection System (IDSM-2) Services Module
  • Cisco IPS 4270-20 Sensor
  • Cisco IPS 4240 Sensor
  • Cisco ASA Advanced Inspection and Prevention (AIP) Security Services Module
  • Cisco Integrated Services Routers Intrusion Prevention System Module

Known Affected Releases

6.1(1)E2

Description (partial)

Symptom:
Signature 1102 may false positive after the E2 engine update is installed on a sensor running 6.1(1).  Other symptoms may include random attacker/victim IP addresses in alerts, and some meta signatures may not fire due to random addresses in meta components.
 
Conditions:
Only affects sensors running 6.1(1)E2 that are seeing highly fragmented traffic.

Related Community Discussions

IPS Impossible IP Packet
I have an IDSM-2 version 6.1.1 E2 sig 353. The IPS is running in promiscuous mode. The IPS is alarming on impossible IP packets. To trace down the culprit, I decided to log the packet pair with the hopes that the layer 2 information would help guide the way. When I examined the packets with Wireshark, the IP address information showed different source and destination IP addresses. The packet appeared to be normal. Any ideas why the IPS reports data differently from Wireshark? I have several Cisco ...
Latest activity: Aug 28, 2008
Bug details contain sensitive information and therefore require a Cisco.com account to be viewed.

Bug Details Include

  • Full Description (including symptoms, conditions and workarounds)
  • Status
  • Severity
  • Known Fixed Releases
  • Related Community Discussions
  • Number of Related Support Cases
Bug information is viewable for customers and partners who have a service contract. Registered users can view up to 200 bugs per month without a service contract.