Astaro User Bulletin Board, forum: ASG V7.500 BETA (closed)

#1, 06-09-2009, 05:45 PM, Monarch (Wizard; Join Date: Apr 2008; Location: Rottweil, Germany; Posts: 581)
[CONFIRMED, FIXED: #10610] [7.450] BUG: Link in Snort notification leads to Error 404

Just received a number of (until now unexplainable) IPS alarms; I clicked the link for more information:
Code:
Intrusion Protection Alert

An intrusion has been detected. The packet has been dropped automatically.
You can toggle this rule between "drop" and "alert only" in WebAdmin.

Details about the intrusion alert:

Message........: SHELLCODE x86 inc ecx NOOP
Details........: http://www.snort.org/pub-bin/sigs.cgi?sid=1394
Time...........: 2009:06:09-18:41:55
Packet dropped.: yes
Priority.......: 1 (high)
Classification.: Executable code was detected
IP protocol....: 6 (TCP)
But http://www.snort.org/pub-bin/sigs.cgi?sid=1394 does not exist!

Regards,
Bastian
__________________

Running Astaro ASG virtual appliance / Home power user 100 IP license
Intel S3210SHLC / Intel Xeon X3320 / 8192 MB RAM / 3Ware 9650SE 8-Port / APC Smart-UPS 750XL
#2, 06-09-2009, 08:53 PM, Billybob (Wizard; Join Date: Jul 2006; Location: United States; Posts: 616)

Man you beat me to this... I have noticed it before but was too lazy to point it out. Since snort.org is redesigned, all the old links don't work anymore which sucks since I had a lot of things saved in my favourites that are worthless now.
#3, 06-09-2009, 09:20 PM, Junior Member (Join Date: Jun 2008; Posts: 23)

Funny... I got the same IPS warning here and wasn't able to find any information on this under snort.org, Astaro IPS Rules or search engines.

Posted today a feature request for such issues
Link IPS, and Malware events in Reports to description

However, up to now I like the updated and tweaked IPS a lot
#4, 06-09-2009, 09:40 PM, Monarch (Wizard; Join Date: Apr 2008; Location: Rottweil, Germany; Posts: 581)

Quote:
Originally Posted by Sascha Paris View Post
Funny... I got the same IPS warning here and wasn't able to find any information on this under snort.org, Astaro IPS Rules or search engines.
Well, I get these warnings since today, but they are becoming more and more

Edit: Receiving lots of these warnings when I browse normal web pages. Will disable the rule for now, until I know what it stands for.

Last edited by Monarch; 06-09-2009 at 10:02 PM.
#5, 06-09-2009, 10:05 PM, gnujuba (Senior Member; Join Date: Jan 2003; Posts: 186)

Quote:
Originally Posted by Sascha Paris View Post
Funny... I got the same IPS warning here and wasn't able to find any information on this under snort.org, Astaro IPS Rules or search engines.

Posted today a feature request for such issues
Link IPS, and Malware events in Reports to description

However, up to now I like the updated and tweaked IPS a lot

There is this other list: Astaro IPS Rules, which ends with -2.8?!

As the Snort version in 7.450 is 2.8.4.1 (*), maybe this is the one to look at; it's older though.

Anyway, I cannot find any of the attacks I saw in both lists.

(*)
# /var/sec/chroot-snort/sbin/snort --version

,,_ -*> Snort! <*-
o" )~ Version 2.8.4.1 (Build 38) inline
'''' By Martin Roesch & The Snort Team: http://www.snort.org/team.html
Copyright (C) 1998-2009 Sourcefire, Inc., et al.
Using PCRE version: 7.7 2008-05-07
#6, 06-09-2009, 10:26 PM, Junior Member (Join Date: Jun 2008; Posts: 23)

Hip hip hooray! I found the trigger for these shellcode IPS log entries, but don't understand why they happen.

It triggers this "SHELLCODE x86 inc ecx NOOP" every time I access a feature on feature.astaro.com via RSS feed in the RSS reader of Firefox.

The destination port seems to be 8080, but I use the transparent proxy, so I don't understand why there's an access to port 8080. :confused
#7, 06-09-2009, 10:58 PM, Monarch (Wizard; Join Date: Apr 2008; Location: Rottweil, Germany; Posts: 581)

Astaro redirects port 80 to 8080 when using transparent mode.

I also receive the warnings linked with port 8080, but I couldn't find a pattern for when it occurs.
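Editor's added illustration for posts #6 and #7 (not code from Astaro, the Snort project, or any poster). It shows why an RSS feed can trip "SHELLCODE x86 inc ecx NOOP": on x86 the byte 0x41 is the one-byte instruction "inc ecx", and 0x41 is also the ASCII letter "A", so any long run of "A" characters in a web page looks like NOP-sled filler to a content match. Base64 encodes three zero bytes as "AAAA", which is how a zero-padded inline image produces such a run. The rule content assumed here (24 consecutive 0x41 bytes for sid 1394) is reproduced from memory of the public Snort ruleset and is an assumption; the thread only shows the alert text. The port mapping and the triage heuristic are the editor's own, built to mirror Monarch's explanation that the transparent proxy redirects port 80 to 8080; all samples are constructed, not captured traffic.

```python
"""
Why a benign web page can trip "SHELLCODE x86 inc ecx NOOP", and why the alert
shows destination port 8080 behind a transparent proxy.

Added illustration for this thread; not code from Astaro or the Snort project.
The rule content below (24 consecutive 0x41 bytes for sid 1394) is reproduced
from memory of the public Snort ruleset and is an assumption.
"""
import base64
import re

INC_ECX = 0x41              # x86 single-byte opcode "inc ecx", also ASCII 'A'
SLED_LEN = 24               # assumption: minimum run length the rule looks for
RULE_RE = re.compile(b"\x41{%d,}" % SLED_LEN)

# Transparent web proxy on the gateway rewrites port 80 to 8080 before the IPS
# inspects the stream (Monarch's explanation in post #7), so alerts show 8080.
PROXY_REDIRECT = {80: 8080}


def reported_dst_port(original_port: int) -> int:
    """Destination port the IPS reports for a flow intercepted by the proxy."""
    return PROXY_REDIRECT.get(original_port, original_port)


def inc_ecx_noop_hits(payload: bytes) -> list:
    """Every maximal run of at least SLED_LEN 0x41 bytes, as (offset, length)."""
    return [(m.start(), m.end() - m.start()) for m in RULE_RE.finditer(payload)]


def printable_ratio(data: bytes) -> float:
    """Fraction of bytes that are printable ASCII or common whitespace."""
    if not data:
        return 1.0
    printable = sum(1 for b in data if 32 <= b < 127 or b in b"\r\n\t")
    return printable / len(data)


def triage(payload: bytes, context: int = 64) -> list:
    """For each hit, judge the surrounding bytes: a run of 'A' inside printable
    text (base64, XML, HTML) is the usual false positive; a run inside binary
    data deserves a closer look. This heuristic is the editor's own, not a
    Snort feature."""
    verdicts = []
    for offset, length in inc_ecx_noop_hits(payload):
        before = payload[max(0, offset - context):offset]
        after = payload[offset + length:offset + length + context]
        text_like = printable_ratio(before + after) > 0.9
        verdicts.append({
            "offset": offset,
            "run": length,
            "verdict": "text-like (probable false positive)" if text_like
                       else "binary (needs a closer look)",
        })
    return verdicts


# --- constructed samples (not captured traffic) ------------------------------

# An RSS item embedding a tiny image as base64. Base64 turns every 3 zero bytes
# into "AAAA", so a zero-padded image body yields a long run of 'A' = 0x41.
BENIGN_RSS = (
    b"<rss><channel><item><description>&lt;img src=&quot;data:image/png;base64,"
    + base64.b64encode(b"\x89PNG" + b"\x00" * 30 + b"IEND")
    + b"&quot;&gt;</description></item></channel></rss>"
)

# A binary-looking blob with the same run of 0x41 surrounded by non-text bytes.
# Inert filler, constructed only to show the other verdict.
BINARY_BLOB = bytes(range(0x00, 0x08)) + b"\x41" * 32 + bytes(range(0x80, 0x90))


if __name__ == "__main__":
    print("port 80 is reported as", reported_dst_port(80))
    for name, sample in (("rss", BENIGN_RSS), ("blob", BINARY_BLOB)):
        for v in triage(sample):
            print(name, v)
```

Running the script reports the RSS sample as a text-like hit with a 39-byte run of "A" and the blob as a binary hit; the verdict is only a tuning aid for deciding whether to switch such a rule from "drop" to "alert only" for web traffic, as the WebAdmin notice in post #1 suggests.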
#8, 06-09-2009, 11:00 PM, Billybob (Wizard; Join Date: Jul 2006; Location: United States; Posts: 616)

Quote:
Hip hip hooray! I found the trigger for these shellcode IPS log entries, but don't understand why they happen.
You are correct, http://feature.astaro.com/pages/1735...to-description is indeed causing the IPS to generate SHELLCODE x86 inc ecx NOOP.

Last edited by Billybob; 06-09-2009 at 11:18 PM. Reason: Monarch beat me to the port 8080 http proxy redirect explanation
#9, 06-09-2009, 11:05 PM, Billybob (Wizard; Join Date: Jul 2006; Location: United States; Posts: 616)

Quote:
Well, I get these warnings since today, but they are becoming more and more
Funny you mention this, because my IPS had been fairly quiet until this morning, when I got two different alerts while surfing.
Quote:
Message........: WEB-CLIENT wmf file arbitrary code execution attempt
Source IP address: 204.245.162.16 (a204-245-162-16.deploy.akamaitechnologies.com)
while surfing cnn.com and then
Quote:
Message........: WEB-CLIENT Malformed PNG detected iCCP overflow attempt
while surfing another site that I visit normally without any alerts.
#10, 06-09-2009, 11:18 PM, Junior Member (Join Date: Jun 2008; Posts: 23)

Quote:
Originally Posted by Monarch View Post
Astaro redirects port 80 to 8080 when using transparent mode.
Should have known that, how embarrassing.
These pages are specifically maintained for the discussion of firewall issues within the Open Source community, and might already reflect new alpha/beta releases under development. Please refer to our product specifications for the functionality of the actual release. Discussions of new/enhanced functionality does not constitute a commitment of Astaro, to integrate this functionality into future releases.