[7.490][BUG][CONFIRMED] IPS false alerts

Yesterday evening I got dozens of false alarms for SHELLCODE base64 x86 NOOP (rules 12799 and 12802). Rule no. 12798 was already disabled earlier.

Result was that IPS blocked the POP3 catcher on my server from downloading the Mails.

Another false alert can be found on the following site: Acer Aspire 1810TZ-412G25N Timeline rot (LX.PJ402.010) Preisvergleich bei Geizhals.at Deutschland

When opening this site, I receive a "EXPLOIT Microsoft Kodak Imaging small offset malformed tiff" (rule 12633). It seems to block the JPG picture on the site, but there is not a single tiff file on it!

Regards,
Bastian

Parents

0 Astaro Beta Bot over 15 years ago

Astaro Beta Report
--------------------------------
Version: 7.490
Type: BUG
State: CONFIRMED
Reporter: Monarch
Contributor: 
MantisID: 11289
--------------------------------

0 RFCat_vk_01 over 15 years ago in reply to Astaro Beta Bot

Hi Monarch,
I have also received that error while browsing the Astaro website.

I have a thread on an earlier beta version where I nominated a bug for my ASG being attacked by the Astaro forum. A new pattern release seemed to have fixed that or Astaro amended the rule.

Regards
Ian M
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel
0 BarryG over 15 years ago in reply to RFCat_vk_01

Last week, I started getting lots of alerts about tiffs and pngs... had to disable rules 2707, 12633, and 6692.
That brings my list up to 11 rules disabled due to high false positives.

Barry
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel
0 Monarch over 15 years ago in reply to BarryG

Yes, I'm also getting more and more alerts, besides the ones in my first post:

5318: WEB-CLIENT wmf file arbitrary code execution attempt
6692: WEB-CLIENT Malformed PNG detected sRGB overflow attempt
4135: WEB-CLIENT IE JPEG heap overflow single packet attempt
4136: WEB-CLIENT IE JPEG heap overflow multipacket attempt

This really becomes annoying.

Regards,
Bastian
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel

Reply

0 Monarch over 15 years ago in reply to BarryG

Yes, I'm also getting more and more alerts, besides the ones in my first post:

5318: WEB-CLIENT wmf file arbitrary code execution attempt
6692: WEB-CLIENT Malformed PNG detected sRGB overflow attempt
4135: WEB-CLIENT IE JPEG heap overflow single packet attempt
4136: WEB-CLIENT IE JPEG heap overflow multipacket attempt

This really becomes annoying.

Regards,
Bastian
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel

Children

No Data