[7.450][BUG][FIXED] Under attack from Astaro

Hi folks,
has anyone else seen this today. I hadn't recorded any IPS "attacks" for a while. The first 2 addresses are registered against RIPE in Holland.
Looks like the forum is generating malformed gifs or at least the current patterns think so.

Ian

PS: Top blocked attacks [RIGHT]details[/RIGHT]
Total attacks blocked: 44 Rule ID Rule Description Rule group Packets % of total 1 8414 WEB-CLIENT GIF image width descriptor buffer overflow attempt Client / Browser 43 97.73 2 10126 WEB-CLIENT QuickTime JPEG Huffman Table integer underflow attempt Client / Browser 1 2.27 IPS: Top attackers [RIGHT]details[/RIGHT]
Total attacks blocked: 44 Source IP Packets % of total 1

194.79.52.199 36 81.82 2

85.115.22.9 5 11.36 3

72.32.147.129 1 2.27 4

202.58.48.79 1 2.27

I had to delete the last site.

Parents

0 gnujuba over 15 years ago

Hi folks,
has anyone else seen this today. I hadn't recorded any IPS "attacks" for a while. The first 2 addresses are registered against RIPE in Holland.
Looks like the forum is generating malformed gifs or at least the current patterns think so.

Ian

...

I am getting a lot of IPS alarms too lately while surfing major news sites in germany (i.e. SPIEGEL ONLINE - Nachrichten) as well as surfing this ubb:

WEB-CLIENT GIF image width descriptor buffer overflow attempt
WEB-CLIENT QuickTime JPEG Huffman Table integer underflow attempt

logged in my email account today and had around 500 IPS alarm mails! [:O]

false positives I guess!?

regards,

gnjb
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel
0 dmzalarm over 15 years ago in reply to gnujuba

Last week, I received hundreds of "SHELLCODE X NOOP" which I had to disable alerts for this sid.

This couple of days, I am getting lots of "SHELLCODE x86 setuid 0" and "ORACLE database username buffer overflow" on all kinds of high ports which doesn't make sense at all.

snorts used in this beta seems real paranoid.
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel

Reply

0 dmzalarm over 15 years ago in reply to gnujuba

Last week, I received hundreds of "SHELLCODE X NOOP" which I had to disable alerts for this sid.

This couple of days, I am getting lots of "SHELLCODE x86 setuid 0" and "ORACLE database username buffer overflow" on all kinds of high ports which doesn't make sense at all.

snorts used in this beta seems real paranoid.
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel

Children

0 Astaro Beta Bot over 15 years ago in reply to dmzalarm

Astaro Beta Report
--------------------------------
Version: 7.450
Type: BUG
State: FIXED
Reporter: RFCat_vk
Contributor: 
MantisID: 10623
--------------------------------