8 Replies. Latest reply: Mar 21, 2014 10:04 AM by cedricr

    NSM Attack Name Unknown (4204592)

    smalldog

      Hi All,

       

      Do you know what it means in the attack name report? Please see the attached file.

        • 1. Re: NSM Attack Name Unknown (4204592)
          cedricr

          Hello Smalldog,

           

          I have the "unknown 4204592" as well. The attack you are looking for is:

           

          Name: "HTTP: Apple Safari HTML Image Element Handling Use After Free Vulnerability"

          Intruvert ID: 0x4028300

          CVE: CVE-2010-0054

           

          You can verify it yourself by using the "View Alerts & PCAPs" Button in the Threat Explorer.

           

          Best Regards

          Cedric

          HTTP: Apple Safari HTML Image Element Handling Use After Free  Vulnerability

          • 2. Re: NSM Attack Name Unknown (4204592)
            smalldog

            Hi Cedric,

             

            How do you know it is "HTTP: Apple Safari HTML Image Element Handling Use After Free Vulnerability"? Thanks!

             

            Regards,

            Smalldog

            • 3. Re: NSM Attack Name Unknown (4204592)
              cedricr

              Hi smalldog,

               

              You can verify it yourself by using the "View Alerts & PCAPs" button in the "Threat Explorer", if the device is shown in the top 5-25 in the "Threat Explorer".

               

              Best Regards

              Cedric

              • 4. Re: NSM Attack Name Unknown (4204592)
                smalldog

                Thanks Cedric,

                 

                I cannot find Unknown (4204592) in the Historical Threat Analyzer. And I can only use "View Alerts & PCAPs" when it is in the top 25 in Threat Explorer, and then find the related events? So could you capture the screen where you found that the "Unknown" event is HTTP: Apple Safari HTML Image Element Handling Use After Free Vulnerability?

                 

                I see this in the product guide 7.1 IPS Admin, which says:

                "signature detection techniques systematically scan network traffic looking for signature patterns of known attacks, comparing these patterns against an extensive database of signatures. Anomaly detection determines a baseline of normal behavior of network traffic, and then attempts to detect attacks by noting significant departures from normal behavior". So the "unknown attack" means the IPS sensor has no signature detection for this, and the sensor detects it using anomaly detection. And if this is an "unknown attack", how do you know that it is Apple Safari HTML Image Element Handling Use After Free Vulnerability? Confused

                • 5. Re: NSM Attack Name Unknown (4204592)
                  cedricr

                  Hello Smalldog,

                   

                  Here is the attack in my "Threat Explorer" top 5:

                  NSM attack 4204592 - 1.jpg

                   

                  When clicking on the attack I get the details (still no information as this attack seems to be broken):

                  NSM attack 4204592 - 2.jpg

                   

                  "View Alerts & PCAPs" to investigate the attack will show the real attack name:

                   

                  NSM attack 4204592 - 3.jpg

                   

                  The attacks were found using the attack-4204592 filter.

                   

                  Best Regards,

                  Cedric

                  • 6. Re: NSM Attack Name Unknown (4204592)
                    smalldog

                    Hi Cedric, I also found out that 4204592 is Intruvert ID: 0x40283000 (HTTP: Apple Safar...). A hex/decimal conversion tool converts 4204592 ~ 0x402830. Now I update the signature set to the newest, which will show the right alert! Thanks so much Cedric, appreciated!

                    • 7. Re: NSM Attack Name Unknown (4204592)
                      msitko

                      In cases I've seen where customers have attack IDs showing instead of the names, it's because the signature set version on the manager and sensor is different. My understanding is that because the manager does not have the alert in its signature set, it is unable to translate an ID to a name, resulting in just showing the ID.

                      • 8. Re: NSM Attack Name Unknown (4204592)
                        cedricr

                        The signature set was already up-to-date for me, but still the attack name was not shown correctly. The issue was solved by rebooting the server.