Unless you have integrated your NSM with ePO, it will not be able to determine what OS the Source is running.
You should follow the process described in KB55743 to report this to the support team.
How to submit Network Security Platform false positives and incorrect detections to Technical Support
It may just be triggering on traffic that could be vulnerable to these attacks.
This signature requires HTTP response to be enabled on the sensor in order to trigger. If you look at the attack description, there are 2 signatures:
http-rsp-chunk-read-body-length > 0x80000000 ( unsigned )
http-req-user-agent-header matches "WinHTTP" ( case-sensitive )
[AND] http-rsp-header matches "\x0a\x50\x6f\x43\x0d\x0a" ( case-sensitive )
[AND] http-rsp-header matches "\x66\x66\x63\x30\x30\x30" ( case-sensitive )
If you look at the triggered alerts, it should tell you which signature is triggering, and I am guessing it is sig#1, as it is just looking at the response body length.
If that is the case, then you should be able to tune out the signature for the specific Linux web servers, either using policies or ignore rules.
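
To check which of the two conditions quoted above a captured exchange satisfies before writing an ignore rule, here is an added triage sketch in Python; it is not NSM's own logic and not code from this thread. It assumes `http-rsp-chunk-read-body-length` refers to the declared chunk size of a chunked response; the function names and the sample traffic are constructed for illustration.

```python
import re

# Threshold and byte patterns copied from the two signature conditions above.
CHUNK_LIMIT = 0x80000000
RSP_PATTERNS = (b"\x0a\x50\x6f\x43\x0d\x0a", b"\x66\x66\x63\x30\x30\x30")

def chunk_sizes(body):
    """Declared chunk sizes of a chunked body (assumed meaning of
    http-rsp-chunk-read-body-length)."""
    sizes, pos = [], 0
    while pos < len(body):
        eol = body.find(b"\r\n", pos)
        if eol < 0:
            break
        field = body[pos:eol].split(b";", 1)[0].strip()  # drop chunk extensions
        if not re.fullmatch(rb"[0-9A-Fa-f]+", field):
            break  # not a valid chunk-size line; stop parsing
        size = int(field, 16)
        sizes.append(size)
        if size == 0:
            break  # last-chunk
        pos = eol + 2 + size + 2  # skip chunk data and its trailing CRLF
    return sizes

def triage(req_headers, rsp_headers, rsp_body):
    """Report which of the two conditions a captured exchange satisfies."""
    chunked = re.search(rb"(?im)^transfer-encoding:.*\bchunked\b", rsp_headers)
    sig1 = bool(chunked) and any(s > CHUNK_LIMIT for s in chunk_sizes(rsp_body))
    ua = re.search(rb"(?im)^user-agent:[ \t]*([^\r\n]*)", req_headers)
    sig2 = (bool(ua) and b"WinHTTP" in ua.group(1)
            and all(p in rsp_headers for p in RSP_PATTERNS))
    return {"sig1": sig1, "sig2": sig2}

# Constructed sample traffic (not taken from a real capture).
REQ = b"GET /report HTTP/1.1\r\nHost: intranet.example\r\nUser-Agent: curl/8.5.0\r\n\r\n"
RSP_HDR = b"HTTP/1.1 200 OK\r\nServer: Apache\r\nTransfer-Encoding: chunked\r\n\r\n"
NORMAL_BODY = b"5\r\nhello\r\n6;ext=1\r\n world\r\n0\r\n\r\n"
OVERSIZED_BODY = b"80000001\r\n"  # declared size only, no data follows

if __name__ == "__main__":
    print(triage(REQ, RSP_HDR, NORMAL_BODY))
    print(triage(REQ, RSP_HDR, OVERSIZED_BODY))
```

If a response from one of the Linux servers reports `sig1` here, the declared chunk size itself is what needs investigating on that server before the alert is tuned out.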