Strange IPS detections

wingman · #1 (**permalink**) 06-28-2009, 09:22 PM

Hi All

I've just noticed the IPS alerts below and I would like your help because I've never seen them before

Code:

Live Log: Intrusion Prevention System	
Filter:	
	Autoscroll
2009:06:28-21:08:56 stuffman snort[21223]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="alert" reason="TCP Timestamp is outside of PAWS window" group="0" srcip="218.213.238.230" dstip="86.164.253.43" proto="6" srcport="80" dstport="47537" sid="0" class="" priority="3" generator="129" msgid="1"
2009:06:28-21:09:25 stuffman snort[21225]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="alert" reason="Bad segment, adjusted size <= 0" group="0" srcip="86.164.253.43" dstip="85.25.149.192" proto="6" srcport="55472" dstport="80" sid="0" class="" priority="3" generator="129" msgid="1"
2009:06:28-21:14:47 stuffman snort[21225]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="alert" reason="Bad segment, adjusted size <= 0" group="0" srcip="86.164.253.43" dstip="216.163.188.45" proto="6" srcport="36469" dstport="80" sid="0" class="" priority="3" generator="129" msgid="1"
2009:06:28-21:16:49 stuffman snort[21223]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="alert" reason="TCP Timestamp is outside of PAWS window" group="0" srcip="68.142.87.104" dstip="86.164.253.43" proto="6" srcport="80" dstport="50359" sid="0" class="" priority="3" generator="129" msgid="1"
2009:06:28-21:16:49 stuffman snort[21223]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="alert" reason="TCP Timestamp is outside of PAWS window" group="0" srcip="68.142.87.104" dstip="86.164.253.43" proto="6" srcport="80" dstport="50359" sid="0" class="" priority="3" generator="129" msgid="1"
2009:06:28-21:17:45 stuffman snort[21223]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="alert" reason="Bad segment, adjusted size <= 0" group="0" srcip="86.164.253.43" dstip="208.78.69.70" proto="6" srcport="60634" dstport="80" sid="0" class="" priority="3" generator="129" msgid="1"
2009:06:28-21:17:47 stuffman snort[21225]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="alert" reason="Bad segment, adjusted size <= 0" group="0" srcip="86.164.253.43" dstip="85.25.149.192" proto="6" srcport="44972" dstport="80" sid="0" class="" priority="3" generator="129" msgid="1"
2009:06:28-21:19:01 stuffman snort[21225]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="alert" reason="TCP Timestamp is outside of PAWS window" group="0" srcip="218.213.238.230" dstip="86.164.253.43" proto="6" srcport="80" dstport="40774" sid="0" class="" priority="3" generator="129" msgid="1"
2009:06:28-21:19:01 stuffman snort[21225]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="alert" reason="TCP Timestamp is outside of PAWS window" group="0" srcip="218.213.238.230" dstip="86.164.253.43" proto="6" srcport="80" dstport="40774" sid="0" class="" priority="3" generator="129" msgid="1"
2009:06:28-21:19:58 stuffman snort[21223]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="alert" reason="Bad segment, adjusted size <= 0" group="0" srcip="86.164.253.43" dstip="85.25.149.192" proto="6" srcport="57966" dstport="80" sid="0" class="" priority="3" generator="129" msgid="1"
2009:06:28-21:24:56 stuffman snort[11648]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="alert" reason="Bad segment, adjusted size <= 0" group="0" srcip="86.164.253.43" dstip="207.58.136.89" proto="6" srcport="38881" dstport="80" sid="0" class="" priority="3" generator="129" msgid="1"
2009:06:28-21:26:54 stuffman snort[11662]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="alert" reason="TCP Timestamp is outside of PAWS window" group="0" srcip="85.25.149.192" dstip="86.164.253.43" proto="6" srcport="80" dstport="47119" sid="0" class="" priority="3" generator="129" msgid="1"
2009:06:28-21:26:54 stuffman snort[11662]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="alert" reason="TCP Timestamp is outside of PAWS window" group="0" srcip="85.25.149.192" dstip="86.164.253.43" proto="6" srcport="80" dstport="47119" sid="0" class="" priority="3" generator="129" msgid="1"
2009:06:28-21:26:56 stuffman snort[11648]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="alert" reason="TCP Timestamp is outside of PAWS window" group="0" srcip="85.25.149.192" dstip="86.164.253.43" proto="6" srcport="80" dstport="47121" sid="0" class="" priority="3" generator="129" msgid="1"
2009:06:28-21:26:56 stuffman snort[11648]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="alert" reason="TCP Timestamp is outside of PAWS window" group="0" srcip="85.25.149.192" dstip="86.164.253.43" proto="6" srcport="80" dstport="47121" sid="0" class="" priority="3" generator="129" msgid="1"
2009:06:28-21:26:56 stuffman snort[11648]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="alert" reason="TCP Timestamp is outside of PAWS window" group="0" srcip="85.25.149.192" dstip="86.164.253.43" proto="6" srcport="80" dstport="47122" sid="0" class="" priority="3" generator="129" msgid="1"
2009:06:28-21:26:56 stuffman snort[11648]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="alert" reason="TCP Timestamp is outside of PAWS window" group="0" srcip="85.25.149.192" dstip="86.164.253.43" proto="6" srcport="80" dstport="47122" sid="0" class="" priority="3" generator="129" msgid="1"
2009:06:28-21:26:56 stuffman snort[11662]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="alert" reason="TCP Timestamp is outside of PAWS window" group="0" srcip="85.25.149.192" dstip="86.164.253.43" proto="6" srcport="80" dstport="47126" sid="0" class="" priority="3" generator="129" msgid="1"
2009:06:28-21:26:56 stuffman snort[11662]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="alert" reason="TCP Timestamp is outside of PAWS window" group="0" srcip="85.25.149.192" dstip="86.164.253.43" proto="6" srcport="80" dstport="47127" sid="0" class="" priority="3" generator="129" msgid="1"
2009:06:28-21:26:56 stuffman snort[11662]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="alert" reason="TCP Timestamp is outside of PAWS window" group="0" srcip="85.25.149.192" dstip="86.164.253.43" proto="6" srcport="80" dstport="47128" sid="0" class="" priority="3" generator="129" msgid="1"
2009:06:28-21:26:56 stuffman snort[11662]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="alert" reason="TCP Timestamp is outside of PAWS window" group="0" srcip="85.25.149.192" dstip="86.164.253.43" proto="6" srcport="80" dstport="47126" sid="0" class="" priority="3" generator="129" msgid="1"
2009:06:28-21:26:56 stuffman snort[11662]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="alert" reason="TCP Timestamp is outside of PAWS window" group="0" srcip="85.25.149.192" dstip="86.164.253.43" proto="6" srcport="80" dstport="47127" sid="0" class="" priority="3" generator="129" msgid="1"
2009:06:28-21:26:56 stuffman snort[11662]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="alert" reason="TCP Timestamp is outside of PAWS window" group="0" srcip="85.25.149.192" dstip="86.164.253.43" proto="6" srcport="80" dstport="47128" sid="0" class="" priority="3" generator="129" msgid="1"
2009:06:28-21:26:59 stuffman snort[11648]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="alert" reason="TCP Timestamp is outside of PAWS window" group="0" srcip="86.164.253.43" dstip="85.25.149.192" proto="6" srcport="47116" dstport="80" sid="0" class="" priority="3" generator="129" msgid="1"
2009:06:28-21:26:59 stuffman snort[11648]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="alert" reason="TCP Timestamp is outside of PAWS window" group="0" srcip="86.164.253.43" dstip="85.25.149.192" proto="6" srcport="47116" dstport="80" sid="0" class="" priority="3" generator="129" msgid="1

The messages started to appear later today,after I've installed hmailserver on a box. The application is not configured yet.

SvenW · #2 (**permalink**) 06-29-2009, 11:45 AM

that comes due the IPS Stream5 preprocessor function "detect_anomalies",
we will change the behaviour of this in one of our next beta system up2dates.

SvenW
ASTARO AG

wingman · #3 (**permalink**) 06-29-2009, 07:20 PM

thanks SvenW