I'm getting IPS alerts when accessing Astaro's webmin between my LANs...
Intrusion Protection Alert
An intrusion has been detected. The packet has been dropped automatically.
You can toggle this rule between "drop" and "alert only" in WebAdmin.
Details about the intrusion alert:
Message........: WEB-MISC SSLv2 openssl get shared ciphers overflow attempt
Details........: Snort - the de facto standard for intrusion detection/prevention
Time...........: 2009:02:06-20:44:00
Packet dropped.: yes
Priority.......: 1 (high)
Classification.: Attempted Administrator Privilege Gain
IP protocol....: 6 (TCP)
Source IP address: 192.168.11.13
- http://www.dnsstuff.com/tools/ptr.ch?ip=192.168.11.13
- Query the RIPE Database
- ARIN: WHOIS Database Search
- Query the APNIC Whois Database
Source port: 3674
Destination IP address: 192.168.211.1 (foo.dyndns.org)
- http://www.dnsstuff.com/tools/ptr.ch?ip=192.168.211.1
- Query the RIPE Database
- ARIN: WHOIS Database Search
- Query the APNIC Whois Database
Destination port: 443 (https)
IPs have not been obfuscated.
11.13 is a Windows PC on VLAN 13
211.1 is Astaro's IP on VLAN 11
Browser is Firefox, tried both on Windows and Linux.
I now see that I didn't have the WiFi (VLAN 11) network in the 'Local Networks' in the IPS settings.
Adding it stops the alerts.
Nonetheless, it seems odd that normal traffic to webmin would cause any alerts.
Thanks,
Barry