https://live.paloaltonetworks.com/t5/general-topics/aws-servers-trigger-vulnerability/m-p/68901#M40085 <P>We are seeing a high number of HTTP Non RFC-Compliant Response Found</P> <P>Signature ID : 32880&nbsp; CVE-2010-2561</P> <P>&nbsp;</P> <P>All are logged from aws servers, evenly distributed across a large number of servers - 173 in one hour, each with 300-500 hits.&nbsp; I have packet captured the vulnerability and it is logging a seemingly innocuous XML file.</P> <P>&nbsp;</P> <P>I suspect this is not a problem, but is something amazon have set up on their servers which is causing false positives against this signature.</P> <P>&nbsp;</P> <P>the data returned is this:</P> <P>&lt;? xml version="1.0 "?&gt;</P> <P>&lt;cross-domain-policy&gt;</P> <P>&lt;allow-access-from domain="*" to-ports="*" /&gt;</P> <P>&lt;/cross-domain-policy&gt;</P> <P>&nbsp;</P> <P>It's not causing a problem, but it's showing as more than 25% of all my vulnerabilities so it's masking other issues.</P> <P><BR />Do PAN watch this?&nbsp; If not how do we feed back regarding signatures?</P> Wed, 02 Dec 2015 11:04:50 GMT djr 2015-12-02T11:04:50Z https://live.paloaltonetworks.com/t5/general-topics/aws-servers-trigger-vulnerability/m-p/68901#M40085 <P>We are seeing a high number of HTTP Non RFC-Compliant Response Found</P> <P>Signature ID : 32880&nbsp; CVE-2010-2561</P> <P>&nbsp;</P> <P>All are logged from aws servers, evenly distributed across a large number of servers - 173 in one hour, each with 300-500 hits.&nbsp; I have packet captured the vulnerability and it is logging a seemingly innocuous XML file.</P> <P>&nbsp;</P> <P>I suspect this is not a problem, but is something amazon have set up on their servers which is causing false positives against this signature.</P> <P>&nbsp;</P> <P>the data returned is this:</P> <P>&lt;? xml version="1.0 "?&gt;</P> <P>&lt;cross-domain-policy&gt;</P> <P>&lt;allow-access-from domain="*" to-ports="*" /&gt;</P> <P>&lt;/cross-domain-policy&gt;</P> <P>&nbsp;</P> <P>It's not causing a problem, but it's showing as more than 25% of all my vulnerabilities so it's masking other issues.</P> <P><BR />Do PAN watch this?&nbsp; If not how do we feed back regarding signatures?</P> Wed, 02 Dec 2015 11:04:50 GMT https://live.paloaltonetworks.com/t5/general-topics/aws-servers-trigger-vulnerability/m-p/68901#M40085 djr 2015-12-02T11:04:50Z https://live.paloaltonetworks.com/t5/general-topics/aws-servers-trigger-vulnerability/m-p/68921#M40091 <P>Best way I know is open a case requesting a false positive analysis.</P> <P>&nbsp;</P> <P>Regards,</P> Wed, 02 Dec 2015 14:29:58 GMT https://live.paloaltonetworks.com/t5/general-topics/aws-servers-trigger-vulnerability/m-p/68921#M40091 glastra1 2015-12-02T14:29:58Z https://live.paloaltonetworks.com/t5/general-topics/aws-servers-trigger-vulnerability/m-p/68925#M40092 <P>Thanks, that's what I expected and now having phrased my question correctly, my support partner is doing just that.</P> <P>&nbsp;</P> <P>Regards</P> Wed, 02 Dec 2015 15:06:52 GMT https://live.paloaltonetworks.com/t5/general-topics/aws-servers-trigger-vulnerability/m-p/68925#M40092 djr 2015-12-02T15:06:52Z