IPS Rule id=1139797

Good morning,

Today many customers are reporting navigation problems in their infrastructure to me. When I check the firewall, I find that the IPS is generating blocks when they visit a Microsoft site.

Is this a false positive? Is it safe to add the signature to exceptions in the firewall?

Comments

  • james.carson Moderator, WatchGuard Representative

    Hi @D4rkSeven
    It's difficult to say if it's a false positive without seeing the actual traffic. If you'd like to have someone look at the traffic directly, I'd suggest opening a support case. The tech will likely need to look at a packet capture of the HTTP traffic in order to determine if this is an issue.

    The specific IPS definition is:
    https://securityportal.watchguard.com/threats/detail?ruleId=1139797&sigVers=18

    Specifically, traffic with a negative content-length header value.

    That page suggests it's a rather old exploit. If this just started happening, it's likely something changed on Microsoft's side that triggered it.

    -James Carson
    WatchGuard Customer Support

  • My guess is that it is a false positive.
    Note that one of the CVE/MITRE references (2017-unknown) is for an unknown ID - and is thus of no value.
    Also BUGTRAQ ID links are no longer working.

    The oldest of the CVEs for this ID is from 2005 and the newest is 2014.
    None of the links I see refer to Windows components.

  • Hi,
    I have the same problem. Only my 3 old T35 in version 1.5.12 have problems. IPS detection 1139797 and 1132012 on all types of sites.

  • You can add an exception for those IPS IDs.

    Configure IPS Exceptions
    https://www.watchguard.com/help/docs/help-center/en-US/Content/en-US/Fireware/services/ips/ips_config_exceptions_c.html

    I can't find any info on 1132012. Typo?

  • Sorry,
    1132092 = FILE Invalid XML Version -2 - A buffer overflow vulnerability was found in multiple products, caused by improper bounds checking of the version and encoding attributes inside the XML declaration

    Strange! All sites and only on T35 with 12.5.12.
    I've got ~100 appliances without problem.

  • Setting up exceptions until a solution is found

  • Search error on my part...

    CVE-2013-7260

    Multiple stack-based buffer overflows in RealNetworks RealPlayer before 17.0.4.61 on Windows, and Mac RealPlayer before 12.0.1.1738, allow remote attackers to execute arbitrary code via a long (1) version number or (2) encoding declaration in the XML declaration of an RMP file, a different issue than CVE-2013-6877.

    Looks like a false positive.

  • @Philazerty said:
    Hi,
    I have the same problem. Only my 3 old T35 in version 1.5.12 have problems. IPS detection 1139797 and 1132012 on all types of sites.

    Indeed, only T35 devices with Firmware 12.5.2 or earlier are experiencing this problem. The IPS detection of firmware 1139797 is the one that generates the most problems, since it blocks all the devices in the network. I observed that signature 1132092 generates several blocks, but as they are for public addresses, it does not have a greater impact on the clients.

    Temporarily, add the signatures to exceptions.

  • Caused by a recent update to the IPS sigs on these firewalls???

    On my firewall, running V12.10, I see Last Update: Sep 19, 2023, 12:43:22 PM EDT, running version 18.282

    You can report false positives here:
    https://www.watchguard.com/wgrd-support/security-portal/overview

    The Security Portal IPS section reports the latest IPS versions, but not the date that they were created/deployed.
    V4.x latest = 4.1424

  • james.carson Moderator, WatchGuard Representative

    If you're running into this issue, what we'd need to fix it would be a packet capture of said traffic. If you're running into this I'd suggest opening a support case so that one of our technicians can assist with that.

    -James Carson
    WatchGuard Customer Support

  • Bug title:
    IPS signatures 1139797 and 1132092 block HTTP port 80 traffic after upgrade to v12.5.12

    Workaround:
    Temporarily add IPS signature exceptions to allow port 80 traffic through the Firebox.

    We will update this article after the issue is resolved.
