[7.460][FEATURE][ANSWERED] Observation:IPS too sensitive.

I have had the new system running for about an hour and a half. I haven't done any websurfing, just tried to download the full ISO of astaro 7.46. The IPS is going crazy and interrupting the download somewhere in between. Finally had to use a download manager to complete the download.
This level of detection enabled by defaults will lead to a flood of complaints/tickets to astaro. I know that some people love to see that IPS is working... woohoo!! but some have better things to do in life[:P]
Screenshot of IPS activity in just 1.5hrs after downloading and installing new beta

Parents

0 Billybob over 16 years ago

I didn't manage to install the new up2date package yet (no idea why?)...

Hurry up... who is going to catch all the bugs. You are the main bug catcher while the rest of us are just fishing[;)]
Hopefully, this is not the answer to

Wow, nice catch. I forgot about that thread. If that is the case, they should have an IPS setup wizard which asks you about your environment and then sets up IPS accordingly.
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel
0 Monarch over 16 years ago in reply to Billybob

Ah, had two download it again, something went wrong in the first try [;)]
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel
0 MarCow over 16 years ago in reply to Monarch

I've seen another couple of examples since the 7.460 upgrade. Rule 13612 (EXPLOIT RealVNC server authentication bypass attempt) is being triggered when attempting to initiate a VNC session on a Macintosh via Jaadu VNC on my iPhone, coming in via the Cisco VPN client. This rule was not being triggered on 7.450.

Oddly, although the authentication step of the VNC session initiation takes a few minutes rather than being near instantaneous on 7.450 when this rule was not being triggered, it does still eventually get through and establish the authenticated session. I'm not sure if this means that, while this IPS rule is being triggered and having some kind of disruptive effect, it's not being 100% effective.
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel

Reply

0 MarCow over 16 years ago in reply to Monarch

I've seen another couple of examples since the 7.460 upgrade. Rule 13612 (EXPLOIT RealVNC server authentication bypass attempt) is being triggered when attempting to initiate a VNC session on a Macintosh via Jaadu VNC on my iPhone, coming in via the Cisco VPN client. This rule was not being triggered on 7.450.

Oddly, although the authentication step of the VNC session initiation takes a few minutes rather than being near instantaneous on 7.450 when this rule was not being triggered, it does still eventually get through and establish the authenticated session. I'm not sure if this means that, while this IPS rule is being triggered and having some kind of disruptive effect, it's not being 100% effective.
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel

Children

0 RFCat_vk_01 over 16 years ago in reply to MarCow

Hi,
I noted and comment on this problem under v7.450.

Ian M
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel

0 Astaro Beta Bot over 16 years ago in reply to RFCat_vk_01

Astaro Beta Report
--------------------------------
Version: 7.460
Type: FEATURE
State: ANSWERED
Reporter: Billybob
Contributor: 
MantisID: 
--------------------------------

0 bananahammick over 16 years ago in reply to Astaro Beta Bot

I also noticed when uploading pictures to flickr it triggers SHELLCODE x86 NO, rule 648.
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel
0 BarryG over 16 years ago in reply to bananahammick

I'm gettting a LOT of alerts... some are against MicroSoft IPs, so I'm pretty sure those are false positives unless they're relayed IM attacks...
SIDs:
1390
6699
5318
1201
6700

Thanks,
Barry
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel
0 BrucekConvergent over 16 years ago in reply to BarryG

The Shellcode IPS rules should definitely be disabled by default (should be their own category)... shellcode IPS Snort rules are notorious for false positives; I haven't had any yet, but I know this is something I've seen w/ Snort before.
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel
0 wingman over 16 years ago in reply to BrucekConvergent

I am getting multiple "SHELLCODE x86 setuid 0" as well

BrucekConvergent,could you please provide more info on that rule?Why should we disable them?
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel
0 Griff over 16 years ago in reply to wingman

I am also receiving the error for inbound email coming in from my mail relay service that connects on port 587. Attempted to insert an exception for the relay service but the IPS is still sending false positive alerts.

Griff
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel