[7.450][BUG][FIXED] IPS blocked MS RDP over VPN Net-2-Net

It is not possible an unencrypted RDP connection via a VPN tunnel to build.
Linux RDP Client, RDP Server MS XP Pro SP3

id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="drop" reason="MISC MS Terminal Server no encryption session initiation attempt" group="110" srcip="192.168.100.11" dstip="192.168.200.2" proto="6" srcport="55196" dstport="3389" sid="2418" class="Attempted Denial of Service" priority="2" generator="1" msgid="0"

MfG E. Riedel

Parents

0 dmzalarm over 16 years ago

This is default action by snort, unfortuntely there is no easy way of changing it via astaro's admin interface.

However, with the sid given (2418), I guess you can do a "Manual rule modification" to alert but not drop, or disable ips between these two vlan? Although I don't think it is such a good idea. personally I would use RDP client with encryption on.
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel
0 riedel over 16 years ago in reply to dmzalarm

Okay this may only apply for the V7.450.
With the same settings, it ran into V7.402
without problems. [:S]

MfG E. Riedel
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel
0 BrucekConvergent over 16 years ago in reply to riedel

Just disable the errant rule in the advanced tab under the IPS settings; IPS systems require a bit of tuning sometimes; this is not the first time I've seen this rule triggered falsely by legitimate RDP traffic (and that rule dates back to Version 6). I would not consider this a "bug."
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel
0 MarCow over 16 years ago in reply to BrucekConvergent

I see the same thing. I'm perfectly fine with this not being a bug, but it does at least appear to be a difference in behavior between the IPS engine in 7.450 and the original IPS engine in 7.402; with the same patterns on both, the newer engine blocks this traffic, and the older doesn't. I didn't have to disable this rule prior to switching to the beta, but after having done so I've disabled this rule and also rule 8428 (which has started blocking OWA access to Exchange 2007 since 7.450).
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel

Reply

0 MarCow over 16 years ago in reply to BrucekConvergent

I see the same thing. I'm perfectly fine with this not being a bug, but it does at least appear to be a difference in behavior between the IPS engine in 7.450 and the original IPS engine in 7.402; with the same patterns on both, the newer engine blocks this traffic, and the older doesn't. I didn't have to disable this rule prior to switching to the beta, but after having done so I've disabled this rule and also rule 8428 (which has started blocking OWA access to Exchange 2007 since 7.450).
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel

Children

0 BrucekConvergent over 16 years ago in reply to MarCow

I've had the same rule triggered in older IPS engines (not just the beta), indeed, right before V7 came out, this was a common rule for me to see triggered on V6 systems. It's all about the combination of server and client versions causing this rule to be triggered; if it's legit traffic, just disable the rule.
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel
0 ee-tra over 16 years ago in reply to BrucekConvergent

The default for the rule is changed to alert now. Thanks for reporting.
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel

0 Astaro Beta Bot over 16 years ago in reply to ee-tra

Astaro Beta Report
--------------------------------
Version: 7.450
Type: BUG
State: FIXED
Reporter: riedel
Contributor: 
MantisID: 10623
--------------------------------