Astaro User Bulletin Board
#1
Old 05-13-2008, 08:50 PM
Member

Join Date: Aug 2001
Posts: 36
Top blocked attacks

Is it always blank? I have it enabled and have run scans and attacks against it, but it always shows blank.

What can I troubleshoot?

Dave P
#2
Old 05-15-2008, 09:19 AM
Junior Member

Join Date: Nov 2007
Posts: 8

Hi,

I can't reproduce it. Are you sure that your attacks were not caught by the packet filter?
If you are unsure, attack your victim again and look in the ips.log to see whether the ASG logs something or not.

Greetz

Florijan
#3
Old 05-16-2008, 06:32 PM
Member

Join Date: Aug 2001
Posts: 36
Yeah, I'm getting stuff, but still nothing showing on the graphs

2008:05:16-10:07:58 (none) barnyard[5348]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="alert" reason="http_inspect: OVERSIZE REQUEST-URI DIRECTORY" group="0" srcip="216.2.2.2" dstip="74.2.2.2" proto="6" srcport="38000" dstport="80" sid="0" class="Unknown" priority="3" generator="119" msgid="1"
2008:05:16-10:08:31 (none) barnyard[5348]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="alert" reason="http_inspect: OVERSIZE REQUEST-URI DIRECTORY" group="0" srcip="216.2.22" dstip="74.2.2.2" proto="6" srcport="38165" dstport="80" sid="0" class="Unknown" priority="3" generator="119" msgid=
#4
Old 05-17-2008, 02:27 AM
Wizard

Join Date: Aug 2005
Location: Victoria, Australia
Posts: 2,547

Hi Dave,

I have logged a similar complaint in another thread. Under, I think, the last 3 betas there hasn't been anything reported in the graphs for attacks or attempted attacks.


Ian M
__________________
Home Power User unlimited licence - v7.50x - AMD X2 5050e with 2GB, 1 Intel NIC, the onboard NIC and Netgear GS108T with VLANs.
#5
Old 05-19-2008, 10:43 AM
Moderator

Join Date: May 2001
Location: Karlsruhe, Germany
Posts: 925

Hi,
Good that you added some log lines; this makes debugging a lot easier. Snort ID (sid) == 0 and group == 0 indicate a preprocessor alert. Since pre-V7, preprocessor alerts are ignored by the reporting because preprocessors are very noisy and seldom contain useful information.

Cheers,
andreas
#6
Old 05-19-2008, 01:26 PM
Wizard

Join Date: Aug 2005
Location: Victoria, Australia
Posts: 2,547

Hi,
IPS log extract.

2008:05:17-22:43:27 (none) barnyard[26305]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="alert" reason="http_inspect: DOUBLE DECODING ATTACK" group="0" srcip="210.84.42.26" dstip="12.129.200.195" proto="6" srcport="40992" dstport="80" sid="0" class="Unknown" priority="3" generator="119" msgid="1"
2008:05:17-22:48:02 (none) barnyard[26305]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="alert" reason="http_inspect: DOUBLE DECODING ATTACK" group="0" srcip="210.84.42.26" dstip="12.129.200.195" proto="6" srcport="38571" dstport="80" sid="0" class="Unknown" priority="3" generator="119" msgid="1"
2008:05:17-22:48:02 (none) barnyard[26305]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="alert" reason="http_inspect: DOUBLE DECODING ATTACK" group="0" srcip="210.84.42.26" dstip="12.129.200.195" proto="6" srcport="38578" dstport="80" sid="0" class="Unknown" priority="3" generator="119" msgid="1"
2008:05:17-23:08:00 (none) barnyard[26305]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="alert" reason="http_inspect: OVERSIZE REQUEST-URI DIRECTORY" group="0" srcip="210.84.42.26" dstip="69.12.23.234" proto="6" srcport="45902" dstport="80" sid="0" class="Unknown" priority="3" generator="119" msgid="1"
2008:05:17-23:09:08 (none) barnyard[26305]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="alert" reason="http_inspect: DOUBLE DECODING ATTACK" group="0" srcip="210.84.42.26" dstip="203.206.138.146" proto="6" srcport="55242" dstport="80" sid="0" class="Unknown" priority="3" generator="119" msgid="1"
2008:05:17-23:16:11 (none) barnyard[26305]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="alert" reason="http_inspect: DOUBLE DECODING ATTACK" group="0" srcip="210.84.42.26" dstip="207.46.19.254" proto="6" srcport="58937" dstport="80" sid="0" class="Unknown" priority="3" generator="119" msgid="1"

I can't actually prove that these relate to the entries in the daily report because none of these have the IP address shown in the daily report. There are 2 entries earlier in the log that might be of interest as well, but they also don't have the IP address shown in the report.

Ian M

Put it in the wrong thread.
__________________
Home Power User unlimited licence - v7.50x - AMD X2 5050e with 2GB, 1 Intel NIC, the onboard NIC and Netgear GS108T with VLANs.

Last edited by RFCat_vk; 05-22-2008 at 09:43 AM. Reason: added reason
#7
Old 05-19-2008, 01:56 PM
Junior Member

Join Date: Nov 2007
Posts: 8

Hi,

The log you pasted contains just warning messages from the HTTP Inspect preprocessor.

E.g. OVERSIZE REQUEST-URI DIRECTORY just warns you because the size of URL + params is greater than the value in the config of the HTTP Inspect preprocessor.

Like Andreas said, it's a general warning message, mostly without any important background.

And for that reason these warning messages will not be displayed in "Top blocked attacks".

Greetz Florijan
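The filter Andreas and Florijan describe, written out as an added example (this is not code from the thread or from Astaro): parse the barnyard key="value" lines posted above, treat sid="0" or a generator other than the Snort rule engine (gid 1; gid 119 is http_inspect) as a preprocessor alert, and rank only the remaining rule alerts, which is why a log full of http_inspect warnings yields an empty "Top blocked attacks". The two lines with sid="1000001" and reason "CONSTRUCTED example rule alert" are invented for the demo; the first two lines are copied from this thread.

```python
"""Classify Astaro ASG IPS (barnyard) log lines: preprocessor vs. rule alerts."""
import re
from collections import Counter

# key="value" tokens as emitted by barnyard in the ASG ips.log
KV_RE = re.compile(r'(\w+)="([^"]*)"')

# Snort generator ID 1 is the rule engine; any other gid (e.g. 119 =
# http_inspect, server side) is a preprocessor. The ASG also logs
# sid="0" and group="0" for such alerts.
RULE_ENGINE_GID = "1"

# Sample input. Lines 0 and 1 are copied from the thread. Lines 2 and 3
# are CONSTRUCTED: a hypothetical local sid (1000001) and a made-up
# reason, only to show what the report would count. Field values such
# as id="2101" for a drop are assumptions, not Astaro's real mapping.
SAMPLE_LINES = [
    '2008:05:16-10:07:58 (none) barnyard[5348]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="alert" reason="http_inspect: OVERSIZE REQUEST-URI DIRECTORY" group="0" srcip="216.2.2.2" dstip="74.2.2.2" proto="6" srcport="38000" dstport="80" sid="0" class="Unknown" priority="3" generator="119" msgid="1"',
    '2008:05:17-22:43:27 (none) barnyard[26305]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="alert" reason="http_inspect: DOUBLE DECODING ATTACK" group="0" srcip="210.84.42.26" dstip="12.129.200.195" proto="6" srcport="40992" dstport="80" sid="0" class="Unknown" priority="3" generator="119" msgid="1"',
    '2008:05:16-10:09:12 (none) barnyard[5348]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="drop" reason="CONSTRUCTED example rule alert" group="1" srcip="216.2.2.2" dstip="74.2.2.2" proto="6" srcport="38201" dstport="80" sid="1000001" class="Unknown" priority="2" generator="1" msgid="0"',
    '2008:05:16-10:09:40 (none) barnyard[5348]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="drop" reason="CONSTRUCTED example rule alert" group="1" srcip="216.2.2.2" dstip="74.2.2.2" proto="6" srcport="38240" dstport="80" sid="1000001" class="Unknown" priority="2" generator="1" msgid="0"',
]


def parse_line(line):
    """Return the key="value" fields of one log line as a dict, plus the timestamp."""
    timestamp, _, rest = line.partition(" ")
    fields = dict(KV_RE.findall(rest))
    fields["timestamp"] = timestamp
    return fields


def is_preprocessor_alert(event):
    """True when the alert came from a Snort preprocessor rather than a rule."""
    return event.get("sid") == "0" or event.get("generator") != RULE_ENGINE_GID


def classify(lines):
    """Split IPS events into (preprocessor_alerts, rule_alerts); skip non-IPS lines."""
    preprocessor, rules = [], []
    for line in lines:
        event = parse_line(line)
        if event.get("sub") != "ips":
            continue
        (preprocessor if is_preprocessor_alert(event) else rules).append(event)
    return preprocessor, rules


def top_attacks(lines, limit=5):
    """Rank rule alerts by (sid, reason); preprocessor alerts never count."""
    _, rules = classify(lines)
    counts = Counter((ev["sid"], ev["reason"]) for ev in rules)
    return counts.most_common(limit)


if __name__ == "__main__":
    # Only the thread's own lines: every alert is a preprocessor alert, report stays empty
    print("thread lines only:", top_attacks(SAMPLE_LINES[:2]))
    pre, rules = classify(SAMPLE_LINES)
    print(f"{len(pre)} preprocessor alert(s) ignored, {len(rules)} rule alert(s) counted")
    for (sid, reason), n in top_attacks(SAMPLE_LINES):
        print(f"{n:3d}  sid={sid}  {reason}")
```

To check a real box the same way, grep ips.log for lines where generator is not 1 or sid is 0; if that is all of them, the empty graph is expected behaviour, not a reporting bug.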
#8
Old 05-20-2008, 02:54 PM
Member

Join Date: Aug 2001
Posts: 36

It's a public Ethernet network... I HAVE to be getting something... I'm at a university and there's no firewall at the main door.

I'll get some other logs.

Dave P
#9
Old 05-22-2008, 02:07 AM
Aussie moderator.

Join Date: Jun 2001
Location: Perth, Western Australia
Posts: 2,628

Same here, I never seem to get my IPS graphs and I'm running latest non-beta.
__________________
Simon Shaw
Systems Manager
Micromine PL

Intel 2.66GHz Quad Core, 4GB (2 x 2GB) PC-6400 800Mhz 4-4-4-12, WD 300GB 10K RPM VelociRaptor, Intel Pro/1000 Quad Port PCI-X
http://www.sputcorp.com/