Anyone else experience the following?
After our sensor received the 22.214.171.124 signature file in the early morning hours of March 2nd, we started getting tons of email alerts for the following:
HTTP: IE CreateTextRange Code Execution Vulnerability
These "attacks" were from a few hundred different IPs mostly to our Web Gateway. (A few were from our Web Gateway to our Firewall.)
Today, I reverted our sensor to the 126.96.36.199 signature file and the alerts immediately stopped and I haven't received a single one since.
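The symptom described above (a signature that was quiet, then fires from hundreds of sources the moment a new signature set lands, and goes silent again when the set is rolled back) is the classic shape of a false positive introduced by a signature change. The script below is an added example, not part of the original thread or of any McAfee tooling: it sorts a batch of alert lines by attack name, compares the count in a window before and after the signature-set install time, and flags attacks that had zero hits before and a flood from many distinct sources after. The alert-line format, the update timestamp, the control signature name and all addresses in the sample are constructed for the example; a real Network Security Manager alert e-mail looks different, so `parse_alert()` is the part to adapt.

```python
"""Triage an IPS alert burst against a signature-set update time.

Added example (not from the thread). The line format parsed here is a
constructed, simplified one:
    "YYYY-MM-DD HH:MM:SS <attack name> <src ip> -> <dst ip>"
Real NSM alert exports differ; adapt LINE_RE / parse_alert() accordingly.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)\s+(?P<attack>.+?)\s+"
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3})\s*->\s*(?P<dst>\d{1,3}(?:\.\d{1,3}){3})$"
)
TS_FMT = "%Y-%m-%d %H:%M:%S"

# Assumed install time of the new signature set ("early morning hours of March 2nd").
SIGSET_APPLIED = datetime(2012, 3, 2, 2, 30)
SUSPECT = "HTTP: IE CreateTextRange Code Execution Vulnerability"
CONTROL = "HTTP: Constructed Control Signature"  # made-up name for the sample


def parse_alert(line):
    """Return {ts, attack, src, dst} for one alert line, or None if unparseable."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.strptime(m["ts"], TS_FMT),
        "attack": m["attack"],
        "src": m["src"],
        "dst": m["dst"],
    }


def triage(lines, sigset_applied, window=timedelta(hours=24), min_sources=20):
    """Flag attacks with no hits in `window` before the update and a flood
    from at least `min_sources` distinct sources in `window` after it."""
    before = defaultdict(int)
    after = defaultdict(lambda: {"count": 0, "sources": set(), "dests": set()})
    for line in lines:
        a = parse_alert(line)
        if a is None:
            continue  # skip lines we cannot parse rather than miscounting them
        if sigset_applied - window <= a["ts"] < sigset_applied:
            before[a["attack"]] += 1
        elif sigset_applied <= a["ts"] < sigset_applied + window:
            rec = after[a["attack"]]
            rec["count"] += 1
            rec["sources"].add(a["src"])
            rec["dests"].add(a["dst"])
    suspects = {}
    for attack, rec in after.items():
        # Heuristic: silent before, then many unrelated sources at once.
        if before[attack] == 0 and len(rec["sources"]) >= min_sources:
            suspects[attack] = {
                "alerts": rec["count"],
                "distinct_sources": len(rec["sources"]),
                "destinations": sorted(rec["dests"]),
            }
    return suspects


def build_sample_alerts():
    """Constructed sample: a steady control signature plus a post-update flood."""
    lines = []
    # Control signature: a trickle both before and after the update.
    for mins in (-600, -300, -60, 90, 400):
        ts = SIGSET_APPLIED + timedelta(minutes=mins)
        lines.append(f"{ts.strftime(TS_FMT)} {CONTROL} 198.51.100.7 -> 192.0.2.10")
    # Suspect signature: nothing before, then 150 hits from 120 sources to the gateway.
    for i in range(150):
        ts = SIGSET_APPLIED + timedelta(minutes=i + 1)
        lines.append(f"{ts.strftime(TS_FMT)} {SUSPECT} 203.0.113.{i % 120 + 1} -> 192.0.2.10")
    # A few alerts from the gateway itself to the firewall, as in the thread.
    for i in range(4):
        ts = SIGSET_APPLIED + timedelta(minutes=10 * i + 5)
        lines.append(f"{ts.strftime(TS_FMT)} {SUSPECT} 192.0.2.10 -> 192.0.2.1")
    lines.append("not an alert line; parser must skip it")
    return lines


if __name__ == "__main__":
    for attack, info in triage(build_sample_alerts(), SIGSET_APPLIED).items():
        print(f"{attack}: {info['alerts']} alerts from {info['distinct_sources']} "
              f"sources to {info['destinations']} (none before the update)")
```

On the constructed sample only the CreateTextRange signature is flagged: 154 alerts from 121 distinct sources, all after the install time, while the control signature (which fired before the update too) is left alone. The thresholds are deliberately crude; the point is to put the before/after comparison in front of you before deciding whether to roll a signature set back.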
@rangerlj Here's how I rolled the signature back from 188.8.131.52 to 184.108.40.206.
Keep in mind that this is for Network Security Manager 220.127.116.11 so your version may be different.
1) Download the old signature file.
Manager in Resource Tree
Update Server tab
Choose version: 18.104.22.168 and click Download.
Wait for download to complete and Close small download window.
2) Push the old signature file to the sensor.
Navigate to one of the Configuration Update pages.
(I can't remember exactly which of these pages I used, but I think the one under Device List / Configuration Update should work fine. The other two Configuration Update pages I know of are located under Device List / *sensor name* / Physical Sensor / Configuration Update and IPS Settings / *sensor name* / Configuration Update.)
Confirm that the signature file is listed under Pending Changes and that the Update check box is checked
Click on Update.
3) I also disabled my nightly scheduled Signature Set Download task so the system wouldn't simply pull 22.214.171.124 back down. This task is located here:
Device List / Update Server / Scheduler / Signature Set Download Scheduler
Click No and Apply.
Hope this helps.
I see that McAfee has released signature set 126.96.36.199. Searching KB55446 leads me to the KB pages for the individual signature sets. Both signature sets in question (188.8.131.52 - the original one I've had issues with, and 184.108.40.206 - the latest signature set) state the following as pertains to the vulnerability in question:
HIGH - HTTP: IE CreateTextRange Code Execution Vulnerability (0x4022ad00):Exploit:
Signature change to improve detection accuracy and/or performance. This alert requires the HTTP response feature to be enabled.
I hope I'm correct in interpreting this fact to mean that they originally changed something with 220.127.116.11 which caused my problem, and that they've now fixed this with 18.104.22.168. Unfortunately, I'm too chicken to test it on a Friday and will wait to apply 22.214.171.124 until next Monday (3/19/12). If anyone tries updating to 126.96.36.199 in the meantime, please post your experiences here.
Fantastic news! Thanks for the info, daloy!
Based on daloy's response that this issue was a known false positive, I have gone ahead and installed the 188.8.131.52 signature set (despite it being Friday). I've been monitoring the alerts since then and have not seen any recurrence of this issue.
I think this issue is resolved. (If it isn't, I'll update this thread at that time.)
Thanks again for the confirmation, daloy!