Astaro User Bulletin Board

#1 - 06-18-2009, 08:17 PM - Billybob (Wizard)
[7.460] Observation: IPS too sensitive.

I have had the new system running for about an hour and a half. I haven't done any websurfing, just tried to download the full ISO of astaro 7.46. The IPS is going crazy and interrupting the download somewhere in between. Finally had to use a download manager to complete the download.
This level of detection enabled by default will lead to a flood of complaints/tickets to astaro. I know that some people love to see that IPS is working... woohoo!! but some have better things to do in life.
Screenshot of IPS activity in just 1.5 hrs after downloading and installing the new beta (attached image: IPS1.jpg).
#2 - 06-18-2009, 08:19 PM - Monarch (Wizard)

I didn't manage to install the new up2date package yet (no idea why?)...

Hopefully, this is not the answer to this: http://www.astaro.org/astaro-gateway...ed-review.html

Regards,
Bastian
__________________

Running Astaro ASG virtual appliance / Home power user 100 IP license
Intel S3210SHLC / Intel Xeon X3320 / 8192 MB RAM / 3Ware 9650SE 8-Port / APC Smart-UPS 750XL
#3 - 06-18-2009, 08:27 PM - Billybob (Wizard)

Quote:
I didn't manage to install the new up2date package yet (no idea why?)...
Hurry up... who is going to catch all the bugs? You are the main bug catcher while the rest of us are just fishing.
Quote:
Hopefully, this is not the answer to
Wow, nice catch. I forgot about that thread. If that is the case, they should have an IPS setup wizard which asks you about your environment and then sets up IPS accordingly.
#4 - 06-18-2009, 08:34 PM - Monarch (Wizard)

Ah, had to download it again, something went wrong on the first try.
__________________

Running Astaro ASG virtual appliance / Home power user 100 IP license
Intel S3210SHLC / Intel Xeon X3320 / 8192 MB RAM / 3Ware 9650SE 8-Port / APC Smart-UPS 750XL
#5 - 06-19-2009, 03:56 AM - Member

I've seen another couple of examples since the 7.460 upgrade. Rule 13612 (EXPLOIT RealVNC server authentication bypass attempt) is being triggered when attempting to initiate a VNC session on a Macintosh via Jaadu VNC on my iPhone, coming in via the Cisco VPN client. This rule was not being triggered on 7.450.

Oddly, although the authentication step of the VNC session initiation takes a few minutes rather than being near instantaneous on 7.450 when this rule was not being triggered, it does still eventually get through and establish the authenticated session. I'm not sure if this means that, while this IPS rule is being triggered and having some kind of disruptive effect, it's not being 100% effective.
__________________
ASG 110 / 7.5xx / 100-IP Home License
#6 - 06-19-2009, 09:38 AM - RFCat_vk (Wizard)

Hi,
I noted and commented on this problem under v7.450.

Ian M
__________________
Home Power User unlimited licence - v7.50x - AMD X2 5050e with 2gb,1 intel NIC, the onboard NIC and netgear gs108t with vlans.
#7 - 06-24-2009, 07:03 PM
Code:
Astaro Beta Report
--------------------------------
Version: 7.460
Type: FEATURE
State: ANSWERED
Reporter: Billybob
Contributor: 
MantisID: 
--------------------------------

Last edited by andyk007; 07-03-2009 at 10:11 AM.
#8 - 06-27-2009, 05:15 PM - Junior Member

I also noticed when uploading pictures to flickr it triggers SHELLCODE x86 NO, rule 648.
#9 - 06-27-2009, 10:08 PM - Moderator

I'm getting a LOT of alerts... some are against Microsoft IPs, so I'm pretty sure those are false positives unless they're relayed IM attacks...
SIDs:
1390
6699
5318
1201
6700

Thanks,
Barry
__________________
http://DealBert.net
Home & business end-user since v1.x
  • ASL 6.3x, HP DL145 Dual Opteron, 1GB RAM, 6 gigE NICs, 50-IP Platinum License
  • ASL 7.3x, Dell PE1550 Dual PIII 1GHz, 1GB RAM, 2 NICs, 50-IP Platinum License
  • ASL 7.5x, 17-watt fanless mini-ITX system: MSI IM-945GSE-A Atom n270, 2GB RAM, Morex T3310 case. 2 Intel GigE, 3 VLANs. 80G 5200rpm 2.5" HD
    Netgear GS108T gigE VLAN switch & Linksys WRT54G WAP
    Total network infrastructure: 27 watts. 100-IP Home User. FiOS 10mb/2mb
#10 - 06-27-2009, 10:19 PM - Wizard

The Shellcode IPS rules should definitely be disabled by default (should be their own category)... shellcode IPS Snort rules are notorious for false positives; I haven't had any yet, but I know this is something I've seen w/ Snort before.
__________________
Convergent Information Security Solutions, LLC
Astaro Preferred Solution Partner
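The thread's recurring complaint is noisy signatures (shellcode rules, SID 13612 on VNC logins) firing on traffic from hosts the operator already trusts. The script below is an added example, not code from this thread, from Astaro or from the Snort project: it parses Snort "fast" alert lines, groups them by SID, and proposes threshold.conf `suppress` lines only for SIDs whose alerts all come from an operator-supplied trusted-source list, while shellcode-class SIDs that also fire from unknown sources are set aside for manual review instead of being silenced. The sample alert lines are constructed (the SIDs are the ones named in the thread; addresses, timestamps and message texts are illustrative), and the trusted-source set is an assumption a practitioner would replace with their own update mirrors and VPN pools.

```python
import re

# Snort "fast" alert format, one alert per line, e.g.
# 06/18-20:05:11.101010  [**] [1:648:7] SHELLCODE x86 NOOP [**] [Classification: ...] [Priority: 1] {TCP} src:port -> dst:port
ALERT_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.*?)\s+\[\*\*\].*?\{(?P<proto>\w+)\}\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)\s*$"
)

# Constructed sample alerts (not captured data): SIDs from the thread,
# illustrative hosts. 203.0.113.5 plays the ISO download mirror,
# 10.8.0.6 the VPN client doing the VNC login, 198.51.100.x unknown web hosts.
SAMPLE_ALERTS = """\
06/18-20:05:11.101010  [**] [1:648:7] SHELLCODE x86 NOOP [**] [Classification: Executable code was detected] [Priority: 1] {TCP} 203.0.113.5:80 -> 192.168.1.10:49152
06/18-20:05:12.202020  [**] [1:648:7] SHELLCODE x86 NOOP [**] [Classification: Executable code was detected] [Priority: 1] {TCP} 203.0.113.5:80 -> 192.168.1.10:49152
06/18-20:05:14.303030  [**] [1:648:7] SHELLCODE x86 NOOP [**] [Classification: Executable code was detected] [Priority: 1] {TCP} 203.0.113.5:80 -> 192.168.1.10:49152
06/19-03:40:02.404040  [**] [1:13612:3] EXPLOIT RealVNC server authentication bypass attempt [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 10.8.0.6:51000 -> 192.168.1.20:5900
06/19-03:41:30.505050  [**] [1:13612:3] EXPLOIT RealVNC server authentication bypass attempt [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 10.8.0.6:51001 -> 192.168.1.20:5900
06/27-22:01:45.606060  [**] [1:1390:5] SHELLCODE x86 inc ebx NOOP [**] [Classification: Executable code was detected] [Priority: 1] {TCP} 198.51.100.9:80 -> 192.168.1.10:49300
06/27-22:02:10.707070  [**] [1:1390:5] SHELLCODE x86 inc ebx NOOP [**] [Classification: Executable code was detected] [Priority: 1] {TCP} 198.51.100.7:80 -> 192.168.1.11:49301
this line is not an alert and must be skipped by the parser
"""

# Assumed trusted sources (replace with your own mirrors / VPN pools).
TRUSTED_SOURCES = {"203.0.113.5", "10.8.0.6"}


def parse_alerts(text):
    """Parse fast-format alert lines into dicts; lines that do not match are skipped."""
    alerts = []
    for line in text.splitlines():
        m = ALERT_RE.match(line.strip())
        if not m:
            continue
        a = m.groupdict()
        a["gid"], a["sid"], a["rev"] = int(a["gid"]), int(a["sid"]), int(a["rev"])
        alerts.append(a)
    return alerts


def summarize(alerts):
    """Group alerts by SID: hit count plus the distinct source and destination IPs."""
    summary = {}
    for a in alerts:
        s = summary.setdefault(
            a["sid"], {"gid": a["gid"], "msg": a["msg"], "count": 0, "sources": set(), "dests": set()}
        )
        s["count"] += 1
        s["sources"].add(a["src"])
        s["dests"].add(a["dst"])
    return summary


def is_shellcode_rule(msg):
    """Snort's shellcode rules all carry a SHELLCODE prefix in their message."""
    return msg.upper().startswith("SHELLCODE")


def tune(summary, trusted_sources):
    """Propose threshold.conf 'suppress' lines for SIDs that only fired on traffic from
    trusted sources (scoped to that source, never a blanket disable), and list shellcode
    SIDs that also fired from unknown sources for manual review."""
    suppress, review = [], []
    for sid in sorted(summary):
        s = summary[sid]
        if s["sources"] <= trusted_sources:
            for ip in sorted(s["sources"]):
                suppress.append(f"suppress gen_id {s['gid']}, sig_id {sid}, track by_src, ip {ip}")
        elif is_shellcode_rule(s["msg"]):
            review.append(sid)
    return {"suppress": suppress, "review": review}


if __name__ == "__main__":
    summary = summarize(parse_alerts(SAMPLE_ALERTS))
    for sid, s in sorted(summary.items()):
        print(f"SID {sid}: {s['count']} hits, {s['msg']}, sources={sorted(s['sources'])}")
    result = tune(summary, TRUSTED_SOURCES)
    print("\n# proposed threshold.conf entries")
    print("\n".join(result["suppress"]))
    print("# SIDs to review by hand:", result["review"])
```

The `suppress gen_id ..., sig_id ..., track by_src, ip ...` form is Snort's own threshold.conf syntax; whether the 7.460 beta exposed that file to the administrator is not something this thread says, so treat the output as a review list rather than something to drop onto the appliance. The point of the by-source scoping is the one made in post #10: a shellcode rule that matches a known download mirror is noise for that mirror, but the same rule still has value against everything else, so it is suppressed per source rather than disabled outright.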