The Win_MessengerPoup_Bo thresholds were set too conservatively. Yesterday, a DoS exploit was published that sends a buffer of around 4000 bytes, whereas our threshold was 4500 bytes. The reason they could make it smaller is that the character 0x14 on the wire expands to \r\n in the actual buffer.
Therefore, we are recommending that Proventia and RealSecure Network Sensor customers tune this by going into the "Advanced Tuning Parameters" and setting the following parameter:

pam.win.messengerpopup.limit = 2200

We'll be shipping an XPU later today that simply sets the default parameter at the smaller value. We've been testing this setting in our managed service group and it appears to cause no unusual false positives.
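The effect of the 0x14 expansion on a length threshold, as an added example that is not the vendor's code. It assumes the limit is compared against the on-wire message length, and the function names and sample buffers are constructed for illustration.

```python
# Added illustration; names and sample buffers are constructed, not vendor code.
EXPANDING_BYTE = 0x14   # per the advisory: one wire byte becomes "\r\n"
OLD_WIRE_LIMIT = 4500   # previous threshold quoted in the advisory
NEW_WIRE_LIMIT = 2200   # recommended pam.win.messengerpopup.limit


def expanded_length(wire: bytes) -> int:
    """Length of the message once each 0x14 has grown into two bytes."""
    return len(wire) + wire.count(EXPANDING_BYTE)


def max_expanded_length(wire_limit: int) -> int:
    """Largest expanded size that can still pass a wire-length limit
    (worst case: every byte on the wire is 0x14)."""
    return 2 * wire_limit


def alerts(wire: bytes, wire_limit: int) -> bool:
    """Assumed check: alert when the on-wire length exceeds the limit."""
    return len(wire) > wire_limit


def evaluate(wire: bytes) -> dict:
    """Compare what each limit sees with what the receiver ends up holding."""
    return {
        "wire_len": len(wire),
        "expanded_len": expanded_length(wire),
        "old_limit_alert": alerts(wire, OLD_WIRE_LIMIT),
        "new_limit_alert": alerts(wire, NEW_WIRE_LIMIT),
    }


# Constructed sample buffers (filler bytes only, no protocol framing).
SAMPLES = {
    "short plain text": b"A" * 300,
    "long plain text": b"A" * 4600,
    "4000 on the wire, 1000 of them 0x14": b"A" * 3000 + bytes([EXPANDING_BYTE]) * 1000,
}

if __name__ == "__main__":
    for name, wire in SAMPLES.items():
        print(f"{name}: {evaluate(wire)}")
    for limit in (OLD_WIRE_LIMIT, NEW_WIRE_LIMIT):
        print(f"wire limit {limit}: up to {max_expanded_length(limit)} bytes after expansion")
```

Under that assumption, a wire limit of 2200 caps the expanded message at 4400 bytes, while the old limit of 4500 let through messages that could expand to 9000.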
