Guest User!

You are not Sophos Staff.

Thread Info
  • State Not Answered
  • Replies 8 replies
  • Subscribers 0 subscribers
  • Views 2388 views
  • Users 0 members are here
Options
Suggested

Top blocked attacks

Dave Packham
is always blank?   i have it enabled and have run scans and attacks against it but it always shows blank?

what can I troubleshoot?

Dave P
Parents Reply Children
  • 0 in reply to fhamzic
    2008:05:16-10:07:58 (none) barnyard[5348]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="alert" reason="http_inspect: OVERSIZE REQUEST-URI DIRECTORY" group="0" srcip="216.2.2.2" dstip="74.2.2.2" proto="6" srcport="38000" dstport="80" sid="0" class="Unknown" priority="3" generator="119" msgid="1"
    2008:05:16-10:08:31 (none) barnyard[5348]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="alert" reason="http_inspect: OVERSIZE REQUEST-URI DIRECTORY" group="0" srcip="216.2.22" dstip="74.2.2.2" proto="6" srcport="38165" dstport="80" sid="0" class="Unknown" priority="3" generator="119" msgid=
  • 0 in reply to Dave Packham
    Hi Dave,

    I have logged a similar complaint in another thread. Under I think the last 3 betas there hasn't anything reported in the graphs for attacks or attempted attacks.


    Ian M
  • 0 in reply to RFCat_vk_01
    Hi,
    good you added some log lines, this makes debugging a lot easier. Snort ID (sid) == 0 and group == 0 indicate a preprocessor alert. Since pre-V7, preprocessor alerts are ignored by the reporting because preprocessors are very noisy and seldom contain useful information.

    Cheers,
     andreas
  • 0 in reply to andreas
    Hi,
    IPS log extract.

    2008:05:17-22:43:27 (none) barnyard[26305]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="alert" reason="http_inspect: DOUBLE DECODING ATTACK" group="0" srcip="210.84.42.26" dstip="12.129.200.195" proto="6" srcport="40992" dstport="80" sid="0" class="Unknown" priority="3"  generator="119" msgid="1"
    2008:05:17-22:48:02 (none) barnyard[26305]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="alert" reason="http_inspect: DOUBLE DECODING ATTACK" group="0" srcip="210.84.42.26" dstip="12.129.200.195" proto="6" srcport="38571" dstport="80" sid="0" class="Unknown" priority="3"  generator="119" msgid="1"
    2008:05:17-22:48:02 (none) barnyard[26305]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="alert" reason="http_inspect: DOUBLE DECODING ATTACK" group="0" srcip="210.84.42.26" dstip="12.129.200.195" proto="6" srcport="38578" dstport="80" sid="0" class="Unknown" priority="3"  generator="119" msgid="1"
    2008:05:17-23:08:00 (none) barnyard[26305]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="alert" reason="http_inspect: OVERSIZE REQUEST-URI DIRECTORY" group="0" srcip="210.84.42.26" dstip="69.12.23.234" proto="6" srcport="45902" dstport="80" sid="0" class="Unknown" priority="3"  generator="119" msgid="1"
    2008:05:17-23:09:08 (none) barnyard[26305]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="alert" reason="http_inspect: DOUBLE DECODING ATTACK" group="0" srcip="210.84.42.26" dstip="203.206.138.146" proto="6" srcport="55242" dstport="80" sid="0" class="Unknown" priority="3"  generator="119" msgid="1"
    2008:05:17-23:16:11 (none) barnyard[26305]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="alert" reason="http_inspect: DOUBLE DECODING ATTACK" group="0" srcip="210.84.42.26" dstip="207.46.19.254" proto="6" srcport="58937" dstport="80" sid="0" class="Unknown" priority="3"  generator="119" msgid="1"

    I can't actually prove that these relate to the entries in the daily report because none of these have the IP address shown in the daily report. There are 2 entires earlier in the log that might be of interest as well, but they also don't have the IP address shown in the report.

    Ian M

    Put it in the wrong thread.
  • 0 in reply to RFCat_vk_01
    Hi,

    the Log you parsed contain just warning messages from Http Inspect preprocessor.

    E.g. OVERSIZE REQUEST-URI DIRECTORY just warn you because the size of URL + params are greater then the value in the config from http inspect preprocessor. 

    Like Andreas said its a general warn message mostly w/o any important background.

    And for that reason this warn messages will not displayed in " Top blocked attacks "

    Greetz Florijan
  • 0 in reply to fhamzic
    its a public Ethernet Network... i HAVE to be getting something...  im at a university and no firewall at main door

    Ill get some other logs

    Dave P
  • 0 in reply to RFCat_vk_01
    Same here, I never seem to get my IPS graphs and I'm running latest non-beta.
Unfiltered HTML