Anyone else been getting these alerts? We started getting them last week and get just over 100 / day on average from a multitude of external IPs. The Destination IP is usually our McAfee Web Gateway, although every now and then there will be the IP of an internal workstation; so far there have been less than 10 different workstations, each with one "hit". It looks like the vulnerability is old (2004) so I'm rather surprised at seeing it. I blocked it yesterday afternoon and, so far, no one has screamed.
Yes, since 2 sigset updates ago, this has quickly become a top event. i was expecting a sig update/mod for this attack in the last update, but it did not occur.
Hopefully there is more to it, but this attack corresponds to CVE 2004-0200, with Microsoft issuing a patch in Sept 2004 included in SP1 for Windows XP. So not really applicable today.
Thanks for the imput, dt1. I'm really starting to get annoyed at this one.
The only further information I've gathered on this since my first post is that since I "blocked" the attack, I have not seen any further instances where the Destination IP is anything other than our Web Gateway. However, this may be nothing more than coincidence.
Agreed with the old vulnerability not being relative if the system is patched for it; you can just filter it at this point once the workstation is confirmed as patched. If it's your destination web gateway, then it's most likely internet traffic that's triggering it. If you're web gateway isn't "tranparent", where the external IP shows in the web gateway logs, then it's most likely internet bound traffic. We see similar things with our gateway's/proxies; where the destination is the gateway/proxy, and not the external site which shows up in the pcaps.
You can also open a case with McAfee and they'll lead you through this process to submit false positives: KB 55743
You'll submit packet captures up to them and they'll use these to better tune the signature for future sig set releases.