Junior Member
Join Date: Mar 2008
Location: Texas
Posts: 7
#1, 09-09-2008, 04:49 PM
WEB-MISC PCT Client_Hello

Every hour I get these alerts which I believe are false positives. They seem to coincide with a user's mobile phone connecting via owa. Anybody else seeing this?
-------------------------
Intrusion Protection Alert

An intrusion has been detected. The packet has been dropped automatically.
You can toggle this rule between "drop" and "alert only" in WebAdmin.

Details about the intrusion alert:

Message........: WEB-MISC PCT Client_Hello overflow attempt
Details........: http://www.snort.org/pub-bin/sigs.cgi?sid=2515
Time...........: 2008:09:09-11:34:43
Packet dropped.: yes
Priority.......: 1 (high)
Classification.: Attempted Administrator Privilege Gain
IP protocol....: 6 (TCP)
-------------------------
It's not causing an issue with the user getting email, just a dozen irritating notices every hour. Is there any way to stop alerts for this particular alert without disabling the entire group/category? In version 6 you could configure individual alerts within a category; it seems as though that functionality has been removed in version 7.30.

thanks,
Patrick
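A defender who receives a dozen of these notices an hour usually wants a count per SID before deciding whether to flip a rule from drop to alert only. The following is an added Python example, not code from the thread or from Astaro/Sophos: it parses notices in the layout quoted above (with Classification and IP protocol on separate lines), extracts the Snort SID from the Details URL, and flags any SID that recurs across several clock hours as a candidate for the false-positive review the posters describe. The sample notices are constructed, SID 9999999 is a placeholder rather than a real rule, and the `min_distinct_hours` threshold is an assumption of this example, not an Astaro setting.

```python
"""Parse Astaro/ASG "Intrusion Protection Alert" notices and summarise them by
Snort SID, so that a rule that fires like clockwork (the hourly SID 2515 hits in
this thread) can be reviewed before its action is switched from drop to alert."""
import re
from collections import defaultdict
from datetime import datetime

# Template matching the notice layout quoted in the thread; the fields are the
# ones the notice shows, with Classification and IP protocol on separate lines.
NOTICE_TEMPLATE = """-------------------------
Intrusion Protection Alert

An intrusion has been detected. The packet has been dropped automatically.
You can toggle this rule between "drop" and "alert only" in WebAdmin.

Details about the intrusion alert:

Message........: {msg}
Details........: http://www.snort.org/pub-bin/sigs.cgi?sid={sid}
Time...........: {time}
Packet dropped.: {dropped}
Priority.......: {prio}
Classification.: {cls}
IP protocol....: 6 (TCP)
-------------------------
"""

# Constructed sample input: three SID 2515 notices roughly an hour apart, as the
# thread describes, plus one placeholder notice (SID 9999999 is not a real rule).
SAMPLE_NOTICES = "".join(NOTICE_TEMPLATE.format(**n) for n in [
    dict(msg="WEB-MISC PCT Client_Hello overflow attempt", sid=2515,
         time="2008:09:09-11:34:43", dropped="yes", prio="1 (high)",
         cls="Attempted Administrator Privilege Gain"),
    dict(msg="PLACEHOLDER constructed alert", sid=9999999,
         time="2008:09:09-12:02:17", dropped="no", prio="3 (low)",
         cls="Misc activity"),
    dict(msg="WEB-MISC PCT Client_Hello overflow attempt", sid=2515,
         time="2008:09:09-12:35:10", dropped="yes", prio="1 (high)",
         cls="Attempted Administrator Privilege Gain"),
    dict(msg="WEB-MISC PCT Client_Hello overflow attempt", sid=2515,
         time="2008:09:09-13:33:58", dropped="yes", prio="1 (high)",
         cls="Attempted Administrator Privilege Gain"),
])

SEPARATOR = "-------------------------"
# A field line: a label of letters/spaces, dot padding, a colon, then the value.
FIELD_RE = re.compile(r"^([A-Za-z][A-Za-z ]*?)\.*:[ \t]*(.*?)[ \t]*$", re.MULTILINE)
SID_RE = re.compile(r"[?&]sid=(\d+)")
TIME_FORMAT = "%Y:%m:%d-%H:%M:%S"   # the notice's own timestamp layout


def parse_notices(text):
    """Return one dict per notice: the raw fields plus parsed 'sid' and 'timestamp'."""
    notices = []
    for chunk in text.split(SEPARATOR):
        fields = {label: value for label, value in FIELD_RE.findall(chunk)}
        if "Message" not in fields:
            continue  # empty chunk between two separators
        sid_match = SID_RE.search(fields.get("Details", ""))
        fields["sid"] = int(sid_match.group(1)) if sid_match else None
        fields["timestamp"] = datetime.strptime(fields["Time"], TIME_FORMAT)
        notices.append(fields)
    return notices


def summarize_by_sid(notices, min_distinct_hours=3):
    """Group notices by SID and flag the SIDs that fire in at least
    `min_distinct_hours` different clock hours as review candidates."""
    groups = defaultdict(list)
    for notice in notices:
        groups[notice["sid"]].append(notice)
    summary = {}
    for sid, items in groups.items():
        times = sorted(n["timestamp"] for n in items)
        hours = {t.replace(minute=0, second=0) for t in times}
        summary[sid] = {
            "message": items[0]["Message"],
            "count": len(items),
            "first": times[0],
            "last": times[-1],
            "distinct_hours": len(hours),
            "all_dropped": all(n["Packet dropped"] == "yes" for n in items),
            "review_candidate": len(hours) >= min_distinct_hours,
        }
    return summary


if __name__ == "__main__":
    for sid, info in summarize_by_sid(parse_notices(SAMPLE_NOTICES)).items():
        flag = "REVIEW" if info["review_candidate"] else "ok"
        print(f"sid {sid}: {info['count']}x '{info['message']}' over "
              f"{info['distinct_hours']} hour(s), all dropped={info['all_dropped']} [{flag}]")
```

Running the block prints one line per SID. A flagged SID is only a prompt to read the rule's documented trigger at the snort.org link in the notice and to check which clients are hitting it before changing its action in WebAdmin.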
BrucekConvergent
Master of Reality
Join Date: Oct 2005
Location: SC, USA
Posts: 4,876
#2, 09-09-2008, 08:53 PM

Yep, we see this a lot with SSL Web sites being hosted behind an Astaro... so far they've all been false positives.
__________________
Convergent Information Security Solutions, LLC
Sophos Platinum Solution Partner
BAlfson
Grandis Professorem Astaro
Join Date: Mar 2007
Location: Oklahoma City
Posts: 21,178
#3, 09-10-2008, 11:05 AM
Cheeky iPhones

We didn't start seeing this until I got an iPhone 3G and set up ActiveSync/OMA on our SBS 2003 Exchange server. It seems to coincide with periods where the 'push' to the iPhone doesn't function. Since I wasn't seeing this alert for any other reason, I changed the action for 2515 from block to alert.

My guess is that it's the iPhone trying to kick-start ActiveSync, but it makes no difference that the Astaro lets the message get through to the server. I am chronicling this experience both on the Apple site and here:
http://www.astaro.org/showthread.php...ghlight=iPhone

Are you certain that the individual is not having syncing issues with your Exchange server?
__________________
ACE V7 - Astaro Preferred Partner since V3
SCA/UTM - Sophos Gold Solution Partner
www.MediaSoftUSA.com
Addicted to my iPhone!
Junior Member
Join Date: Mar 2008
Location: Texas
Posts: 7
#4, 09-10-2008, 01:29 PM

Quote:
Originally Posted by BAlfson View Post
We didn't start seeing this until I got an iPhone 3G and set up ActiveSync/OMA on our SBS 2003 Exchange server. It seems to coincide with periods where the 'push' to the iPhone doesn't function. Since I wasn't seeing this alert for any other reason, I changed the action for 2515 from block to alert.

My guess is that it's the iPhone trying to kick-start ActiveSync, but it makes no difference that the Astaro lets the message get through to the server. I am chronicling this experience both on the Apple site and here:
http://www.astaro.org/showthread.php...ghlight=iPhone

Are you certain that the individual is not having syncing issues with your Exchange server?
I have a few iPhone users as well but nobody has reported sync issues. What version of ASG are you using? In ASG 6 I could set actions for individual vulnerabilities within a group but in ASG 7 I can only set actions for the entire group. Am I missing something?
BAlfson
Grandis Professorem Astaro
Join Date: Mar 2007
Location: Oklahoma City
Posts: 21,178
#5, 09-10-2008, 05:52 PM

Network Security >> Intrusion Protection
Advanced tab
Rule Modification

I had to ask also.
__________________
ACE V7 - Astaro Preferred Partner since V3
SCA/UTM - Sophos Gold Solution Partner
www.MediaSoftUSA.com
Addicted to my iPhone!
Junior Member
Join Date: Mar 2008
Location: Texas
Posts: 7
#6, 09-10-2008, 05:58 PM

Quote:
Originally Posted by BAlfson View Post
Network Security >> Intrusion Protection
Advanced tab
Rule Modification

I had to ask also.
Perfect! Thanks!
BrucekConvergent
Master of Reality
Join Date: Oct 2005
Location: SC, USA
Posts: 4,876
#7, 09-10-2008, 06:33 PM

I've also seen these alerts trigger when ActiveSync etc. aren't being used; simple SSL web site access can trigger them too.
__________________
Convergent Information Security Solutions, LLC
Sophos Platinum Solution Partner