[7.490][BUG][CONFIRMED] IPS false alerts

Yesterday evening I got dozens of false alarms for SHELLCODE base64 x86 NOOP (rules 12799 and 12802). Rule no. 12798 was already disabled earlier.

Result was that IPS blocked the POP3 catcher on my server from downloading the Mails.

Another false alert can be found on the following site: Acer Aspire 1810TZ-412G25N Timeline rot (LX.PJ402.010) Preisvergleich bei Geizhals.at Deutschland

When opening this site, I receive a "EXPLOIT Microsoft Kodak Imaging small offset malformed tiff" (rule 12633). It seems to block the JPG picture on the site, but there is not a single tiff file on it!

Regards,
Bastian

Parents

0 Monarch over 15 years ago

At the moment POP3 is again being blocked by IPS, rule no. FYI:

12801: SHELLCODE base64 x86 NOOP

Regards,
Bastian
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel
0 BrucekConvergent over 15 years ago in reply to Monarch

Shellcode rules should be their own subcategory in the IPS configuration; they are troublesome at best (false postives abound)... we should be able to disable them all with a single checkbox selection.

CTO, Convergent Information Security Solutions, LLC

https://www.convergesecurity.com

Advice given as posted on this forum does not construe a support relationship or other relationship with Convergent Information Security Solutions, LLC or its subsidiaries. Use the advice given at your own risk.
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel
0 Monarch over 15 years ago in reply to BrucekConvergent

Further rules:

15462: WEB-CLIENT Multiple web browsers HTTP chunked transfer-encoding memory corruption attempt
12634: EXPLOIT Microsoft Kodak Imaging large offset malformed tiff 2
1437: MULTIMEDIA Windows Media download (what's so bad with that!?)
6697: WEB-CLIENT Malformed PNG detected sPLT overflow attempt
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel
0 RFCat_vk_01 over 15 years ago in reply to Monarch

Hi,
Interestingly some of your IPS rules have different numbers to mine.
Your 12801 is 12798 on my ASG, just disabled it to get a pop3 message through.
I have been through disabling some more which have the same rule numbers you identified.

Ian M
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel
0 PabloDiablo over 15 years ago in reply to RFCat_vk_01

Hi,
I get a lot of the following IPS notifications/drops:

"WEB-MISC SSLv3 invalid Client_Hello attempt"

My web server is only accepting SSL. It's really annoying [:(] In V7.4x I didn't have this issue.
Is there to disable this particular alert? If yes; how?
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel
0 BarryG over 15 years ago in reply to PabloDiablo

Hi fobe, rules can be disabled under the 'advanced' IPS page. You'll need the rule #/sid from the alert.

Barry
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel
0 BarryG over 15 years ago in reply to BarryG

A few days ago, I started getting lots of false positives for
SPECIFIC-THREATS Quicktime color table id memory corruption attempt
Details........: http://www.snort.org/pub-bin/sigs.cgi?sid=16006

in 7.490

None of the sites I was browsing at the time had any Quicktime content, and I don't have QT installed on my PCs.

Barry
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel

Reply

0 BarryG over 15 years ago in reply to BarryG

A few days ago, I started getting lots of false positives for
SPECIFIC-THREATS Quicktime color table id memory corruption attempt
Details........: http://www.snort.org/pub-bin/sigs.cgi?sid=16006

in 7.490

None of the sites I was browsing at the time had any Quicktime content, and I don't have QT installed on my PCs.

Barry
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel

Children

No Data