Astaro User Bulletin Board
#1  06-19-2009, 01:30 AM  Tucker (Junior Member)
[7.460] BUG: IPS alerts (Possibly False Positives?)

I have been browsing today, and while visiting DNSstuff.com as well as snort.org I received a bunch of IPS alerts about attacks from these sites being blocked.

From DNSstuff they include
WEB-CLIENT Malformed PNG detected iTXt overflow attempt
WEB-CLIENT Malformed PNG detected tEXt overflow attempt (example below)
WEB-CLIENT Malformed PNG detected iCCP overflow attempt

Quote:
Intrusion Protection Alert

An intrusion has been detected. The packet has been dropped automatically.
You can toggle this rule between "drop" and "alert only" in WebAdmin.

Details about the intrusion alert:

Message........: WEB-CLIENT Malformed PNG detected tEXt overflow attempt
Details........: http://www.snort.org/pub-bin/sigs.cgi?sid=6700
Time...........: 2009:06:19-01:09:30
Packet dropped.: yes
Priority.......: 1 (high)
Classification.: Attempted User Privilege Gain
IP protocol....: 6 (TCP)

Source IP address: 74.53.59.133 (85.3b.354a.static.theplanet.com)
Source port: 80 (http)
Destination IP address: 192.168.1.253 (My General PC I browsed from)
Destination port: 3846
One from snort.org included

Quote:
Intrusion Protection Alert

An intrusion has been detected. The packet has been dropped automatically.
You can toggle this rule between "drop" and "alert only" in WebAdmin.

Details about the intrusion alert:

Message........: WEB-CLIENT Malformed PNG detected iCCP overflow attempt
Details........: http://www.snort.org/pub-bin/sigs.cgi?sid=6690
Time...........: 2009:06:19-01:09:11
Packet dropped.: yes
Priority.......: 1 (high)
Classification.: Attempted User Privilege Gain
IP protocol....: 6 (TCP)

Source IP address: 68.177.102.20 (Snort :: Home Page)
Source port: 80 (http)
Destination IP address: 192.168.1.253 (My General PC I browsed from)
Destination port: 3823
Also, neither of the snort.org detail links works; they come up with 404, but I believe this was addressed here.
http://www.astaro.org/astaro-beta-ve...ror-404-a.html

Another rather startling one was from Astaro's FTP servers

Quote:
Intrusion Protection Alert

An intrusion has been detected. The packet has been dropped automatically.
You can toggle this rule between "drop" and "alert only" in WebAdmin.

Details about the intrusion alert:

Message........: SHELLCODE x86 NOOP
Details........: http://www.snort.org/pub-bin/sigs.cgi?sid=648
Time...........: 2009:06:18-23:53:02
Packet dropped.: yes
Priority.......: 1 (high)
Classification.: Executable code was detected
IP protocol....: 6 (TCP)

Source IP address: 128.242.114.245
Source port: 58046
Destination IP address: 192.168.1.253
Destination port: 1272 (cspmlockmgr)
Even ones from Google

Quote:
Intrusion Protection Alert

An intrusion has been detected. The packet has been dropped automatically.
You can toggle this rule between "drop" and "alert only" in WebAdmin.

Details about the intrusion alert:

Message........: WEB-CLIENT wmf file arbitrary code execution attempt
Details........: http://www.snort.org/pub-bin/sigs.cgi?sid=5318
Time...........: 2009:06:18-19:48:37
Packet dropped.: yes
Priority.......: 1 (high)
Classification.: Web Application Attack
IP protocol....: 6 (TCP)

Source IP address: 209.85.227.136 (wy-in-f136.google.com)
Source port: 80 (http)
Destination IP address: 192.168.1.253
Destination port: 1848 (fjdocdist)
Could this be a result of a more sensitive IPS system which is incomplete? While posting this I have just received a ton more from different websites.

I used to get 1, maybe 2 logged IPS attacks every other day; now I have got "IPS: 88 attacks blocked" in the past hour and a half of the new day (1:30am here).

Last edited by Tucker; 06-19-2009 at 01:34 AM.
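The three PNG rules in the post match on chunk data inside the HTTP response the browser received, so the practical check is to fetch the same image and walk its chunks yourself. The following Python is an added example, not Astaro's or Snort's code: it builds a small PNG in memory (constructed input), parses the chunk stream, verifies each CRC, and reports tEXt/iTXt/zTXt/iCCP chunks whose declared length exceeds a threshold. The threshold is a parameter of this example, not the value used inside sids 6690/6700, which is not on this page; a declared length that runs past the end of the data is reported as malformed regardless of threshold.

```python
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"
# Chunk types the alerts in this thread name (iTXt, tEXt, iCCP) plus zTXt,
# the remaining ancillary text chunk defined by the PNG spec.
TEXT_CHUNKS = {"tEXt", "iTXt", "zTXt", "iCCP"}


def _chunk(ctype: bytes, data: bytes) -> bytes:
    """Encode one PNG chunk: big-endian length, type, data, CRC32 over type+data."""
    crc = zlib.crc32(ctype + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)


def make_png(comment_len: int) -> bytes:
    """Constructed 1x1 8-bit greyscale PNG carrying a tEXt chunk of the requested size."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)  # w, h, depth, colour, comp, filter, interlace
    text = b"Comment\x00" + b"A" * comment_len           # keyword, NUL separator, text
    idat = zlib.compress(b"\x00\x00")                   # filter byte + one grey pixel
    return (PNG_SIG + _chunk(b"IHDR", ihdr) + _chunk(b"tEXt", text)
            + _chunk(b"IDAT", idat) + _chunk(b"IEND", b""))


def png_chunks(data: bytes) -> list:
    """Walk the chunk stream; return [(type, declared_length, crc_ok), ...].

    Raises ValueError on a bad signature or when a chunk's declared length runs
    past the end of the buffer, i.e. a length field that does not fit the bytes
    actually sent, which is what "malformed" means for these rules.
    """
    if not data.startswith(PNG_SIG):
        raise ValueError("not a PNG: bad signature")
    pos, chunks = len(PNG_SIG), []
    while pos < len(data):
        if len(data) - pos < 12:
            raise ValueError(f"truncated chunk header at offset {pos}")
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        end = pos + 8 + length
        if end + 4 > len(data):
            raise ValueError(f"chunk {ctype!r} declares {length} bytes, "
                             f"only {len(data) - pos - 12} available")
        body = data[pos + 8:end]
        (crc,) = struct.unpack(">I", data[end:end + 4])
        crc_ok = crc == (zlib.crc32(ctype + body) & 0xFFFFFFFF)
        chunks.append((ctype.decode("latin-1"), length, crc_ok))
        pos = end + 4
        if ctype == b"IEND":
            break
    return chunks


def is_well_formed(data: bytes) -> bool:
    """True when every chunk parses, every CRC matches and the stream ends with IEND."""
    try:
        chunks = png_chunks(data)
    except ValueError:
        return False
    return bool(chunks) and chunks[-1][0] == "IEND" and all(ok for _, _, ok in chunks)


def oversized_text_chunks(data: bytes, max_len: int) -> list:
    """Text/ICC chunks whose declared length exceeds max_len.

    max_len is this example's parameter (assumption), not the Snort rule's limit.
    """
    return [(t, n) for t, n, _ in png_chunks(data) if t in TEXT_CHUNKS and n > max_len]


if __name__ == "__main__":
    for size in (16, 70000):
        img = make_png(size)
        print(size, png_chunks(img), oversized_text_chunks(img, 65535))
```

Run it against the image the IPS actually blocked (save the response body and pass its bytes to `png_chunks`): a normal image with a merely long comment is a false positive on the rule's threshold, while a chunk whose declared length exceeds the data, or a CRC mismatch, is worth keeping the drop for.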
#2  06-19-2009, 01:35 AM  Billybob (Wizard)

Look here...
#3  06-24-2009, 07:03 PM  fhudl

Code:
Astaro Beta Report
--------------------------------
Version: 7.460
Type: BUG
State: FIXED
Reporter: Tucker
Contributor: 
MantisID: 10623
--------------------------------

Last edited by fhudl; 09-28-2009 at 03:47 PM.
#4  06-29-2009, 11:25 AM  SvenW (Junior Member)

We changed a lot of Snort-related things in our beta version: the Snort engine and the preprocessors are new, and we support new rules + so_rules.
The beta version has over 2500 more rules enabled by default than the current stable version, so some FPs are possible.
We are following the UBB and searching for these FPs, checking and fixing them.
Beginning of July there will be a new corrected ips pattern up2date.
(ips pattern rpm version 7.135)
Thanks for your help!

SvenW
ASTARO AG
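With over 2500 additional rules switched on, the user-side first step is to triage the flood per sid rather than alert by alert. The following Python is an added example, not Astaro's code: it parses alert bodies in the field layout Tucker pasted (the sample alerts are constructed, with RFC 5737 documentation addresses), groups them per Snort sid, and flags a sid as a false-positive candidate when it keeps firing on HTTP responses from several unrelated sites within a short window. The candidate heuristic, its thresholds and the sample data are this example's assumptions, not anything Astaro ships.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed alerts in the Astaro "Intrusion Protection Alert" field layout
# shown in this thread; addresses are RFC 5737 documentation ranges.
SAMPLE_ALERTS = """\
Message........: WEB-CLIENT Malformed PNG detected tEXt overflow attempt
Details........: http://www.snort.org/pub-bin/sigs.cgi?sid=6700
Time...........: 2009:06:19-01:09:30
Packet dropped.: yes
Source IP address: 198.51.100.10 (www.example.net)
Source port: 80 (http)
Destination IP address: 192.168.1.253
Destination port: 3846
---
Message........: WEB-CLIENT Malformed PNG detected tEXt overflow attempt
Details........: http://www.snort.org/pub-bin/sigs.cgi?sid=6700
Time...........: 2009:06:19-01:21:02
Packet dropped.: yes
Source IP address: 203.0.113.7
Source port: 80 (http)
Destination IP address: 192.168.1.253
Destination port: 3901
---
Message........: WEB-CLIENT Malformed PNG detected tEXt overflow attempt
Details........: http://www.snort.org/pub-bin/sigs.cgi?sid=6700
Time...........: 2009:06:19-01:44:19
Packet dropped.: yes
Source IP address: 198.51.100.44
Source port: 80 (http)
Destination IP address: 192.168.1.253
Destination port: 3957
---
Message........: SHELLCODE x86 NOOP
Details........: http://www.snort.org/pub-bin/sigs.cgi?sid=648
Time...........: 2009:06:18-23:53:02
Packet dropped.: yes
Source IP address: 198.51.100.99
Source port: 58046
Destination IP address: 192.168.1.253
Destination port: 1272 (cspmlockmgr)
"""

# "Key.......: value" and "Key: value" both occur in the alert text.
FIELD_RE = re.compile(r"^(?P<key>[A-Za-z ]+?)\.*:\s*(?P<val>.*)$")


def parse_alert(block: str) -> dict:
    """Turn one alert body into a record; dotted padding after the key is dropped."""
    fields = {}
    for line in block.strip().splitlines():
        m = FIELD_RE.match(line.strip())
        if m:
            fields[m.group("key").strip()] = m.group("val").strip()
    return {
        "sid": int(re.search(r"sid=(\d+)", fields["Details"]).group(1)),
        "msg": fields["Message"],
        "time": datetime.strptime(fields["Time"], "%Y:%m:%d-%H:%M:%S"),
        "dropped": fields["Packet dropped"] == "yes",
        "src": fields["Source IP address"].split()[0],   # drop "(hostname)" suffix
        "sport": int(fields["Source port"].split()[0]),  # drop "(http)" suffix
        "dst": fields["Destination IP address"].split()[0],
        "dport": int(fields["Destination port"].split()[0]),
    }


def parse_alerts(text: str) -> list:
    return [parse_alert(b) for b in re.split(r"^---\s*$", text, flags=re.M) if b.strip()]


def triage(alerts: list, min_sources: int = 2, window_minutes: int = 120) -> dict:
    """Group hits per sid; flag FP candidates (heuristic, this example's assumption):
    server-to-client responses (low source port, high destination port) from at
    least min_sources distinct sources inside window_minutes."""
    by_sid = defaultdict(list)
    for a in alerts:
        by_sid[a["sid"]].append(a)
    report = {}
    for sid, hits in by_sid.items():
        times = sorted(h["time"] for h in hits)
        span_min = (times[-1] - times[0]).total_seconds() / 60
        sources = sorted({h["src"] for h in hits})
        response_traffic = all(h["sport"] < 1024 <= h["dport"] for h in hits)
        report[sid] = {
            "msg": hits[0]["msg"],
            "hits": len(hits),
            "sources": sources,
            "fp_candidate": response_traffic and len(sources) >= min_sources
                            and span_min <= window_minutes,
        }
    return report


if __name__ == "__main__":
    for sid, r in sorted(triage(parse_alerts(SAMPLE_ALERTS)).items()):
        flag = "FP-candidate" if r["fp_candidate"] else "review"
        print(f"sid {sid:>5} hits={r['hits']} sources={len(r['sources'])} {flag}  {r['msg']}")
```

A flagged sid is a candidate for switching from "drop" to "alert only" in WebAdmin, as the alert text itself suggests, until a corrected pattern up2date arrives; it is not proof the rule is wrong, so keep the blocked payload for the vendor's FP review.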
#5  09-28-2009, 03:47 PM  Moderator

Fixed in Version 7.500
 

Powered by vBulletin® Version 3.8.4
Copyright ©2000 - 2010, Jelsoft Enterprises Ltd.


These pages are specifically maintained for the discussion of firewall issues within the Open Source community, and might already reflect new alpha/beta releases under development. Please refer to our product specifications for the functionality of the actual release. Discussions of new/enhanced functionality do not constitute a commitment of Astaro to integrate this functionality into future releases.