I am getting alerts like this by mail:
In Logviewer there is this information:
| | Time | Log comp | Log subtype | Username | Src IP | Dst IP | Signature ID | Signature name | Category | Platform | Victim | Firewall rule | Message ID | Live PCAP |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| IPS | 2022-04-10 16:22:31 | Signatures | Drop | | a.b.c.d | 10.0.1.101 | 15875 | SQL generic sql insert injection attempt - POST parameter | server-webapp | BSD,Linux,Mac,Other,Solaris,Unix,Windows | Server | 19 | 07002 | Open PCAP |
|
This is for a service that I published via webserver protection. I also had the WANTOLAN IPS rule active.
The firewall rule referenced is the correct webserver firewall rule.
In reverseproxy.log there are only these two lines to be found with each alert, so it seems this alert comes from IPS, not from the webserver protection policies:
[Sun Apr 10 16:25:31.370488 2022] [proxy_http:error] [pid 7221:tid 140184376932096] (103)Software caused connection abort: [client a.b.c.d:50251] AH01102: error reading status line from remote server 10.0.1.101:80
[Sun Apr 10 16:25:31.370539 2022] [proxy:error] [pid 7221:tid 140184376932096] [client a.b.c.d:50251] AH00898: Error reading from remote server returned by /cgi-bin/ch_file_upload.cgi
Then I edited the firewall rule and set the IPS policy to None. However, IPS alerts are still coming in, still referencing the exact same firewall rule.
Then I went to Logviewer and clicked on the Signature ID 15875, which gave me the option to "Disable this signature for this IPS policy".
However, the alerts still come in...
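The reasoning in the post (an IPS "Drop" for signature 15875 plus two `proxy_http`/`proxy` errors in reverseproxy.log, and no WAF block logged) is the kind of thing worth checking mechanically when the alerts keep coming. The script below is an added example, not code from the post or from Sophos: it parses Apache error-log lines of the shape quoted above, pairs each IPS event with reverse-proxy entries for the same client and backend inside a time window, and classifies the result. The IPS event dict, the field names, the assumption that a ModSecurity block would appear as `[security2:error]` with "Access denied", and the default 5-minute window are all assumptions for illustration; the two log lines and the Log viewer row are copied from the post.

```python
import re
from datetime import datetime, timedelta
from pprint import pprint

# Constructed from the Log viewer row in the post (one IPS "Drop" event);
# the field names are this example's own, not the appliance's export format.
IPS_EVENTS = [
    {
        "time": "2022-04-10 16:22:31",
        "log_comp": "Signatures",
        "log_subtype": "Drop",
        "src_ip": "a.b.c.d",
        "dst_ip": "10.0.1.101",
        "sig_id": 15875,
        "sig_name": "SQL generic sql insert injection attempt - POST parameter",
        "fw_rule": 19,
    }
]

# The two reverseproxy.log lines quoted in the post (Apache httpd error-log format).
REVERSEPROXY_LOG = """\
[Sun Apr 10 16:25:31.370488 2022] [proxy_http:error] [pid 7221:tid 140184376932096] (103)Software caused connection abort: [client a.b.c.d:50251] AH01102: error reading status line from remote server 10.0.1.101:80
[Sun Apr 10 16:25:31.370539 2022] [proxy:error] [pid 7221:tid 140184376932096] [client a.b.c.d:50251] AH00898: Error reading from remote server returned by /cgi-bin/ch_file_upload.cgi
"""

# Apache error-log line: timestamp, module:level, pid/tid, optional "(errno)text: ",
# client address, AHnnnnn code, free-text message.
LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[(?P<module>[^:\]]+):(?P<level>[^\]]+)\] "
    r"\[pid (?P<pid>\d+):tid (?P<tid>\d+)\] "
    r"(?:\((?P<errno>\d+)\)(?P<errtext>[^:]*): )?"
    r"\[client (?P<client>[^\]]+)\] "
    r"(?P<code>AH\d{5}): (?P<msg>.*)$"
)
BACKEND_RE = re.compile(r"remote server (?P<backend>\S+:\d+)")  # host:port only, so "returned by" is not matched
URI_RE = re.compile(r"returned by (?P<uri>\S+)")


def parse_proxy_line(line):
    """Parse one Apache error-log line; return None for lines of another shape."""
    m = LINE_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    # rpartition keeps IPv6 client addresses (which contain colons) intact
    d["client_ip"], _, d["client_port"] = d["client"].rpartition(":")
    d["time"] = datetime.strptime(d["ts"], "%a %b %d %H:%M:%S.%f %Y")
    b = BACKEND_RE.search(d["msg"])
    u = URI_RE.search(d["msg"])
    d["backend"] = b.group("backend") if b else None
    d["uri"] = u.group("uri") if u else None
    return d


def correlate(ips_events=IPS_EVENTS, proxy_log=REVERSEPROXY_LOG, window_seconds=300):
    """Pair each IPS event with proxy entries for the same client/backend within the window."""
    window = timedelta(seconds=window_seconds)
    entries = [e for e in map(parse_proxy_line, proxy_log.splitlines()) if e]
    report = []
    for ev in ips_events:
        t = datetime.strptime(ev["time"], "%Y-%m-%d %H:%M:%S")
        related = [
            e for e in entries
            if e["client_ip"] == ev["src_ip"]
            and (e["backend"] is None or e["backend"].rsplit(":", 1)[0] == ev["dst_ip"])
            and abs(e["time"] - t) <= window
        ]
        codes = sorted({e["code"] for e in related})
        # Assumption: a ModSecurity block in Apache shows up as [security2:error] ... "Access denied".
        waf_block = any(e["module"] == "security2" or "Access denied" in e["msg"] for e in related)
        if waf_block:
            verdict = "waf_block"          # the web application firewall rejected the request itself
        elif set(codes) & {"AH01102", "AH00898"}:
            verdict = "upstream_abort"     # proxy lost the backend connection; no WAF decision logged
        else:
            verdict = "no_proxy_evidence"  # nothing in reverseproxy.log near this IPS event
        report.append({
            "sig_id": ev["sig_id"],
            "fw_rule": ev["fw_rule"],
            "verdict": verdict,
            "proxy_codes": codes,
            "proxy_lines": len(related),
            "backend": next((e["backend"] for e in related if e["backend"]), None),
            "uri": next((e["uri"] for e in related if e["uri"]), None),
        })
    return report


if __name__ == "__main__":
    pprint(correlate())
```

With the timestamps exactly as posted (IPS event at 16:22:31, proxy errors at 16:25:31) the window has to be at least three minutes for the lines to pair up, so before trusting a correlation like this it is worth confirming that the IPS log and reverseproxy.log share the same clock and timezone. An `upstream_abort` verdict only says that Apache's connection to 10.0.1.101:80 was cut before a status line came back and that no WAF rule fired; it does not by itself identify which component (an inline IPS, the backend, or something between them) closed it.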