Guest User!

You are not Sophos Staff.

Thread Info
  • State Not Answered
  • Replies 9 replies
  • Subscribers 0 subscribers
  • Views 950 views
  • Users 0 members are here
Options
Suggested

[7.480][BUG][FIXED] IPS Intermitently blocking POP email

PremiereSystems
The problem itermitently happens when recieveing POP email through Outlook 2003 and typically occurs with large abounts of messages or mesages with large attachments. Symptoms are mail transfer speeds drop from 100's of KB/s to 50 bytes/s. In the case of below it was triggered by an email with jpg images attached however in the past mail without attachements of any type.


2009:08:18-10:36:01 astaropss snort[23675]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="drop" reason="SHELLCODE base64 x86 NOOP" group="120" srcip="2xx.1xx.xx.xx" dstip="1xx.1xx.1xx.2xx" proto="6" srcport="110" dstport="1086" sid="12800" class="Executable code was detected" priority="1" generator="1" msgid="0

I'm not sure what more information you need, but this config has 2 internet connections configured in multipath mode.

This problem has been happening since the first beta and didn't  happened with 7.3
Parents Reply
  • 0 in reply to BrucekConvergent
    I highly recommend that Astaro split out the category of "Shellcode" rules in the IPS  (make it it's own checkbox)... shellcode rules are prone to false positives.


    I really advocate for this, too! When I don't disable the shellcode rule, I receive excessive false alarms (already thought about opening an extra thread), which seem to be connected to my DynDNS updater querying for the external IP address.

    Regards,
    Bastian
Children
No Data
Unfiltered HTML