Guest User!

You are not Sophos Staff.

Thread Info
  • State Not Answered
  • Replies 1 reply
  • Subscribers 0 subscribers
  • Views 531 views
  • Users 0 members are here
Options
Suggested

[9.000][ANSWERED] IPS false alarm?

DiePlage
Hello everyone,

downloading this file
http://download.windowsupdate.com/microsoftupdate/v6/wsusscan/wsusscn2.cab
fails because of this (maybe false) IPS alarm:
snort[6340]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="drop" reason="WEB-CLIENT CAB SIP authenticode alteration attempt

With v9 beta we experience many more IPS alarms, most of them (as far as I can tell) false.

Can anyone comment on this?

Thanks and cheers!
  • 0
    Hi,

    you mean SID 16530?!
    Unfortunately this SID is a binary rule from Sourcefire, I cannot check the rule syntax.

    The rule should close a vulnerability, which allows remote attackers to execute arbitrary code via a modified cabinet (aka .CAB) file.

    I will write to Sourcefire, so that they can check the rule.
    In the mean time you can set it to 'alert only' in the webadmin, then it should be possible to download the file.

    Regards,
    Lukas
Share Feedback
×

Submitted a Tech Support Case lately from the Support Portal?