[7.450][INFO] OWA to Exchange 2007 triggering IPS rule 8428

Hi,

I'm running the 7.450 software appliance beta on an ASG 110. Previously I was running 7.402 on another 110. Setup of the beta was easy, and importing my 7.402 backup worked perfectly. However, in v7.450 I'm finding that IPS rule 8428 ("WEB-MISC SSLv2 openssl get shared ciphers overflow attempt") is being triggered when attempting to use Outlook Web Access on my Exchange 2007 server. Disabling rule 8428 resolves the issue, but I'm wondering why this came up as I was running fine on 7.402 with this rule enabled, and accessing OWA in exactly the same way (IE 8 from the same PC as before).

I'm not sure if this is an issue with the new IPS engine, or simply due to a (very recent) patterns update, implying it would be an issue for non-beta users too. I suspect it's not a coincidence that this started happening immediately on my move to 7.450 though.

Anyone else run into this difference?

Parents

0 Pestilent over 16 years ago

Have you tried adding your exchange servers to the HTTP Servers section on the IPS Advanced tab? I was able to enable all IPS rules once I did so.
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel
0 MarCow over 16 years ago in reply to Pestilent

I just experimented with the HTTP Servers section of the IPS Advanced tab, and added my Exchange server. Having done that, I still see rule 8428 getting triggered. Disabling that rule appears to be the only solution. This still seems to be something that's been introduced with the new IPS engine though, given I had no issues running with that rule in place on 7.402 (on which I also did not have my Exchange server listed in the HTTP Servers section).

Interestingly, when hitting the same server via ActiveSync from my iPhone, traffic gets through without an issue. It seems to be specific to OWA access via Internet Explorer from what I can tell.
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel
0 Monarch over 16 years ago in reply to MarCow

Hi,

I'm also using OWA with Exchange 2007 here, but until 7.402 I had no IPS alarms in connection to that. Will test it tomorrow when I can access it from work (could test it by using a mobile UMTS connection, but that costs money) [;)]

Regards,
Bastian
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel
0 Monarch over 16 years ago in reply to Monarch

Update: just tested it, IPS also blocks access to OWA here.
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel
0 MarCow over 16 years ago in reply to Monarch

OK thanks - so it looks like this is a change in behavior from 7.402 to 7.450. With the same patterns on both versions, OWA access triggers rule 8428 on 7.450, but not on 7.402. Is that correct from your side? That's certainly what I saw.
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel
0 Pestilent over 16 years ago in reply to Monarch

What version of Exchange is running on everyone's OWA servers? The account I have been using to test is on a 2003 OWA box and I am able to access it with all IPS rules set to DROP.
I know there were a lot of changes made between OWA 2003 and 2007, so I wonder if these just weren't taken into account in the HTTP server IPC exceptions.

Is anyone else running 2003 OWA that can confirm it does or does not work for them?
I am curious if it's just a fluke that I have the rule enabled or what...
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel
0 MarCow over 16 years ago in reply to Pestilent

I'm using Exchange 2007 on Windows Server 2003. Unfortunately I don't have an Exchange 2003 box handy to compare the behavior between the two Exchange versions.
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel
0 BrucekConvergent over 16 years ago in reply to MarCow

This still seems to be something that's been introduced with the new IPS engine though, given I had no issues running with that rule in place on 7.402 (on which I also did not have my Exchange server listed in the HTTP Servers section).

I can tell you that just about every customer that I have had that used OWA has had to have this rule disabled in the IPS configuratoin, dating back to the first stable release of Version 7 ... So it's not really a new engine issue, etc.
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel
0 BAlfson over 16 years ago in reply to BrucekConvergent

Bruce, just to be clear, you do mean OWA on 2007, not 2003?
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel
0 MarCow over 16 years ago in reply to BAlfson

I didn't see this rule being triggered though on 7.402. It only started getting triggered after the switch to 7.450 - I imported my original configuration into that version, and nothing else on my network has changed (same Exchange 2007 server, same machine and browser version being used to access OWA externally, etc.). That's why I'm suspecting the new IPS engine - in my case it's about the only difference between how I'm running now and how I was running a few days ago.
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel
0 BrucekConvergent over 16 years ago in reply to MarCow

Bob, this was with customers running OWA 2003. I have convinced most of them to not expose OWA to the outside world at all, so most of them VPN in now... It's still on our list of rules we automatically disable if a customer has OWA, so I haven't seen a false positive with OWA 2007, and that may be (or may not be) because we disable that rule by default if a customer chooses to run OWA on the public Internet.
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel

Reply

0 BrucekConvergent over 16 years ago in reply to MarCow

Bob, this was with customers running OWA 2003. I have convinced most of them to not expose OWA to the outside world at all, so most of them VPN in now... It's still on our list of rules we automatically disable if a customer has OWA, so I haven't seen a false positive with OWA 2007, and that may be (or may not be) because we disable that rule by default if a customer chooses to run OWA on the public Internet.
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel

Children

0 BAlfson over 16 years ago in reply to BrucekConvergent

Interesting. I work on three sites with OWA to Exchange 2003, and I didn't find this rule disabled in any of them.

Here's a SANS paper I found that seems to indicate that putting the OWA server into 'HTTP Servers' should indeed resolve the issue: http://www.sans.org/reading_room/whitepapers/detection/tuning_an_ids/ips_from_the_ground_up_1896.

Cheers - Bob
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel
0 MarCow over 16 years ago in reply to BAlfson

Yes - unfortunately I tried that too (listing my Exchange server in the HTTP Servers section) and it didn't help - I still had to disable rule 8428 in order for OWA to work from IE.
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel
0 BAlfson over 16 years ago in reply to MarCow

Thanks. I agree that Astaro should check this as I suspect an error in the way it turns specific rules off automatically when traffic goes to servers listed on the advanced tab.
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel

0 Astaro Beta Bot over 16 years ago in reply to BAlfson

Astaro Beta Report
--------------------------------
Version: 7.450
Type: INFO
State: NONE
Reporter: MarCow
Contributor: 
MantisID: 
--------------------------------