This discussion has been locked.

different IPS-Errors

I think I have a similar problem.

2015:07:08-08:17:38 OurFirewall snort[24690]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="drop" reason="OS-OTHER Bash CGI environment variable injection attempt" group="218" srcip="###.###.###.###" dstip="212.1.40.2" proto="6" srcport="42616" dstport="80" sid="31977" class="Attempted Administrator Privilege Gain" priority="1" generator="1" msgid="0"
2015:07:08-08:17:19 OurFirewall snort[24690]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="drop" reason="OS-OTHER Bash CGI environment variable injection attempt" group="218" srcip="###.###.###.###" dstip="212.1.40.2" proto="6" srcport="42569" dstport="80" sid="31977" class="Attempted Administrator Privilege Gain" priority="1" generator="1" msgid="0"
2015:07:08-08:17:04 OurFirewall snort[24690]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="drop" reason="OS-OTHER Bash CGI environment variable injection attempt" group="218" srcip="###.###.###.###" dstip="212.1.40.2" proto="6" srcport="42492" dstport="80" sid="31977" class="Attempted Administrator Privilege Gain" priority="1" generator="1" msgid="0"
2015:07:08-08:16:47 OurFirewall snort[24690]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="drop" reason="OS-OTHER Bash CGI environment variable injection attempt" group="218" srcip="###.###.###.###" dstip="212.1.40.2" proto="6" srcport="42431" dstport="80" sid="31977" class="Attempted Administrator Privilege Gain" priority="1" generator="1" msgid="0"
2015:07:08-08:16:31 OurFirewall snort[24690]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="drop" reason="OS-OTHER Bash CGI environment variable injection attempt" group="218" srcip="###.###.###.###" dstip="212.1.40.2" proto="6" srcport="42381" dstport="80" sid="31977" class="Attempted Administrator Privilege Gain" priority="1" generator="1" msgid="0"
2015:07:07-12:59:20 OurFirewall snort[24694]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="drop" reason="OS-OTHER Bash CGI environment variable injection attempt" group="218" srcip="###.###.###.###" dstip="217.114.208.8" proto="6" srcport="41930" dstport="80" sid="31977" class="Attempted Administrator Privilege Gain" priority="1" generator="1" msgid="0"
2015:07:07-12:59:00 OurFirewall snort[24694]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="drop" reason="OS-OTHER Bash CGI environment variable injection attempt" group="218" srcip="###.###.###.###" dstip="217.114.208.8" proto="6" srcport="41663" dstport="80" sid="31977" class="Attempted Administrator Privilege Gain" priority="1" generator="1" msgid="0"
2015:07:07-12:58:09 OurFirewall snort[24694]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="drop" reason="OS-OTHER Bash CGI environment variable injection attempt" group="218" srcip="###.###.###.###" dstip="217.114.208.8" proto="6" srcport="41041" dstport="80" sid="31977" class="Attempted Administrator Privilege Gain" priority="1" generator="1" msgid="0"
2015:07:07-12:56:17 OurFirewall snort[24694]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="drop" reason="OS-OTHER Bash CGI environment variable injection attempt" group="218" srcip="###.###.###.###" dstip="217.114.208.8" proto="6" srcport="39002" dstport="80" sid="31977" class="Attempted Administrator Privilege Gain" priority="1" generator="1" msgid="0"
2015:07:07-12:54:35 OurFirewall snort[24694]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="drop" reason="OS-OTHER Bash CGI environment variable injection attempt" group="218" srcip="###.###.###.###" dstip="217.114.208.8" proto="6" srcport="38436" dstport="80" sid="31977" class="Attempted Administrator Privilege Gain" priority="1" generator="1" msgid="0"
2015:07:07-12:50:55 OurFirewall snort[24694]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="drop" reason="OS-OTHER Bash CGI environment variable injection attempt" group="218" srcip="###.###.###.###" dstip="217.114.208.8" proto="6" srcport="37432" dstport="80" sid="31977" class="Attempted Administrator Privilege Gain" priority="1" generator="1" msgid="0"
2015:07:07-12:49:10 OurFirewall snort[24694]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="drop" reason="OS-OTHER Bash CGI environment variable injection attempt" group="218" srcip="###.###.###.###" dstip="217.114.208.8" proto="6" srcport="36602" dstport="80" sid="31977" class="Attempted Administrator Privilege Gain" priority="1" generator="1" msgid="0"


Is someone trying to attack from the internal network to the outside?


What do these error messages tell me?
2015:07:09-07:04:56 OurFirewall snort[24699]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="drop" reason="BROWSER-PLUGINS Oracle JRE Deployment Toolkit ActiveX clsid access attempt" group="110" srcip="185.29.133.34" dstip="###.###.###.###" proto="6" srcport="80" dstport="38617" sid="23878" class="Attempted User Privilege Gain" priority="1" generator="1" msgid="0"
2015:07:09-07:52:58 OurFirewall snort[24690]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="drop" reason="BROWSER-IE Microsoft Internet Explorer IE5 compatibility mode enable attempt" group="320" srcip="87.106.8.42" dstip="###.###.###.###" proto="6" srcport="80" dstport="26649" sid="26850" class="Potential Corporate Privacy Violation" priority="1" generator="1" msgid="0"
2015:07:09-07:53:29 OurFirewall snort[24690]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="drop" reason="BROWSER-IE Microsoft Internet Explorer IE5 compatibility mode enable attempt" group="320" srcip="87.106.8.42" dstip="###.###.###.###" proto="6" srcport="80" dstport="26710" sid="26850" class="Potential Corporate Privacy Violation" priority="1" generator="1" msgid="0"
2015:07:09-07:53:36 OurFirewall snort[24690]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="drop" reason="BROWSER-IE Microsoft Internet Explorer IE5 compatibility mode enable attempt" group="320" srcip="87.106.8.42" dstip="###.###.###.###" proto="6" srcport="80" dstport="26791" sid="26850" class="Potential Corporate Privacy Violation" priority="1" generator="1" msgid="0"
2015:07:09-07:53:55 OurFirewall snort[24690]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="drop" reason="BROWSER-IE Microsoft Internet Explorer IE5 compatibility mode enable attempt" group="320" srcip="87.106.8.42" dstip="###.###.###.###" proto="6" srcport="80" dstport="26913" sid="26850" class="Potential Corporate Privacy Violation" priority="1" generator="1" msgid="0"
2015:07:09-07:54:22 OurFirewall snort[24690]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="drop" reason="BROWSER-IE Microsoft Internet Explorer IE5 compatibility mode enable attempt" group="320" srcip="87.106.8.42" dstip="###.###.###.###" proto="6" srcport="80" dstport="26960" sid="26850" class="Potential Corporate Privacy Violation" priority="1" generator="1" msgid="0"
2015:07:09-08:50:58 OurFirewall snort[24699]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="drop" reason="BROWSER-PLUGINS Oracle JRE Deployment Toolkit ActiveX clsid access attempt" group="110" srcip="185.29.133.58" dstip="###.###.###.###" proto="6" srcport="80" dstport="29056" sid="23878" class="Attempted User Privilege Gain" priority="1" generator="1" msgid="0"
2015:07:09-09:30:22 OurFirewall snort[24694]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="drop" reason="BROWSER-PLUGINS Oracle JRE Deployment Toolkit ActiveX clsid access attempt" group="110" srcip="81.30.144.57" dstip="###.###.###.###" proto="6" srcport="80" dstport="40326" sid="23878" class="Attempted User Privilege Gain" priority="1" generator="1" msgid="0"
2015:07:09-09:39:58 OurFirewall snort[24690]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="drop" reason="BROWSER-IE Microsoft Internet Explorer IE5 compatibility mode enable attempt" group="320" srcip="87.106.8.42" dstip="###.###.###.###" proto="6" srcport="80" dstport="26049" sid="26850" class="Potential Corporate Privacy Violation" priority="1" generator="1" msgid="0"


This thread was automatically locked due to age.
  • @Hoebra:  
    What do these error messages tell me?
    These rules are being triggered on your UTM.  Using the SID number in the logs, you can research about specific rules by going to snort: https://www.snort.org/rule_docs/31977.
    __________________
    ACE v8/SCA v9.3

    ...still have a v5 install disk in a box somewhere.

    http://xkcd.com
    http://www.tedgoff.com/mb
    http://www.projectcartoon.com/cartoon/1
  • Hello everyone, I have only just discovered the German part of the forum.

    So I am asking my question here again [:)]

    Could it be that something on the internal network is trying to exploit the Shellshock vulnerability on external servers?

    2015:07:08-08:17:38 OurFirewall snort[24690]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="drop" reason="OS-OTHER Bash CGI environment variable injection attempt" group="218" srcip="###.###.###.###" dstip="212.1.40.2" proto="6" srcport="42616" dstport="80" sid="31977" class="Attempted Administrator Privilege Gain" priority="1" generator="1" msgid="0"
    2015:07:08-08:17:19 OurFirewall snort[24690]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="drop" reason="OS-OTHER Bash CGI environment variable injection attempt" group="218" srcip="###.###.###.###" dstip="212.1.40.2" proto="6" srcport="42569" dstport="80" sid="31977" class="Attempted Administrator Privilege Gain" priority="1" generator="1" msgid="0"
    2015:07:08-08:17:04 OurFirewall snort[24690]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="drop" reason="OS-OTHER Bash CGI environment variable injection attempt" group="218" srcip="###.###.###.###" dstip="212.1.40.2" proto="6" srcport="42492" dstport="80" sid="31977" class="Attempted Administrator Privilege Gain" priority="1" generator="1" msgid="0"
    2015:07:08-08:16:47 OurFirewall snort[24690]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="drop" reason="OS-OTHER Bash CGI environment variable injection attempt" group="218" srcip="###.###.###.###" dstip="212.1.40.2" proto="6" srcport="42431" dstport="80" sid="31977" class="Attempted Administrator Privilege Gain" priority="1" generator="1" msgid="0"
    2015:07:08-08:16:31 OurFirewall snort[24690]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="drop" reason="OS-OTHER Bash CGI environment variable injection attempt" group="218" srcip="###.###.###.###" dstip="212.1.40.2" proto="6" srcport="42381" dstport="80" sid="31977" class="Attempted Administrator Privilege Gain" priority="1" generator="1" msgid="0"
    2015:07:07-12:59:20 OurFirewall snort[24694]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="drop" reason="OS-OTHER Bash CGI environment variable injection attempt" group="218" srcip="###.###.###.###" dstip="217.114.208.8" proto="6" srcport="41930" dstport="80" sid="31977" class="Attempted Administrator Privilege Gain" priority="1" generator="1" msgid="0"
    2015:07:07-12:59:00 OurFirewall snort[24694]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="drop" reason="OS-OTHER Bash CGI environment variable injection attempt" group="218" srcip="###.###.###.###" dstip="217.114.208.8" proto="6" srcport="41663" dstport="80" sid="31977" class="Attempted Administrator Privilege Gain" priority="1" generator="1" msgid="0"
    2015:07:07-12:58:09 OurFirewall snort[24694]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="drop" reason="OS-OTHER Bash CGI environment variable injection attempt" group="218" srcip="###.###.###.###" dstip="217.114.208.8" proto="6" srcport="41041" dstport="80" sid="31977" class="Attempted Administrator Privilege Gain" priority="1" generator="1" msgid="0"
    2015:07:07-12:56:17 OurFirewall snort[24694]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="drop" reason="OS-OTHER Bash CGI environment variable injection attempt" group="218" srcip="###.###.###.###" dstip="217.114.208.8" proto="6" srcport="39002" dstport="80" sid="31977" class="Attempted Administrator Privilege Gain" priority="1" generator="1" msgid="0"
    2015:07:07-12:54:35 OurFirewall snort[24694]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="drop" reason="OS-OTHER Bash CGI environment variable injection attempt" group="218" srcip="###.###.###.###" dstip="217.114.208.8" proto="6" srcport="38436" dstport="80" sid="31977" class="Attempted Administrator Privilege Gain" priority="1" generator="1" msgid="0"
    2015:07:07-12:50:55 OurFirewall snort[24694]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="drop" reason="OS-OTHER Bash CGI environment variable injection attempt" group="218" srcip="###.###.###.###" dstip="217.114.208.8" proto="6" srcport="37432" dstport="80" sid="31977" class="Attempted Administrator Privilege Gain" priority="1" generator="1" msgid="0"
    2015:07:07-12:49:10 OurFirewall snort[24694]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="drop" reason="OS-OTHER Bash CGI environment variable injection attempt" group="218" srcip="###.###.###.###" dstip="217.114.208.8" proto="6" srcport="36602" dstport="80" sid="31977" class="Attempted Administrator Privilege Gain" priority="1" generator="1" msgid="0"




    What do these messages tell me? They are exclusively incoming, but they show up regularly.

    2015:07:09-07:04:56 OurFirewall snort[24699]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="drop" reason="BROWSER-PLUGINS Oracle JRE Deployment Toolkit ActiveX clsid access attempt" group="110" srcip="185.29.133.34" dstip="###.###.###.###" proto="6" srcport="80" dstport="38617" sid="23878" class="Attempted User Privilege Gain" priority="1" generator="1" msgid="0"
    2015:07:09-07:52:58 OurFirewall snort[24690]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="drop" reason="BROWSER-IE Microsoft Internet Explorer IE5 compatibility mode enable attempt" group="320" srcip="87.106.8.42" dstip="###.###.###.###" proto="6" srcport="80" dstport="26649" sid="26850" class="Potential Corporate Privacy Violation" priority="1" generator="1" msgid="0"
    2015:07:09-07:53:29 OurFirewall snort[24690]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="drop" reason="BROWSER-IE Microsoft Internet Explorer IE5 compatibility mode enable attempt" group="320" srcip="87.106.8.42" dstip="###.###.###.###" proto="6" srcport="80" dstport="26710" sid="26850" class="Potential Corporate Privacy Violation" priority="1" generator="1" msgid="0"
    2015:07:09-07:53:36 OurFirewall snort[24690]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="drop" reason="BROWSER-IE Microsoft Internet Explorer IE5 compatibility mode enable attempt" group="320" srcip="87.106.8.42" dstip="###.###.###.###" proto="6" srcport="80" dstport="26791" sid="26850" class="Potential Corporate Privacy Violation" priority="1" generator="1" msgid="0"
    2015:07:09-07:53:55 OurFirewall snort[24690]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="drop" reason="BROWSER-IE Microsoft Internet Explorer IE5 compatibility mode enable attempt" group="320" srcip="87.106.8.42" dstip="###.###.###.###" proto="6" srcport="80" dstport="26913" sid="26850" class="Potential Corporate Privacy Violation" priority="1" generator="1" msgid="0"
    2015:07:09-07:54:22 OurFirewall snort[24690]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="drop" reason="BROWSER-IE Microsoft Internet Explorer IE5 compatibility mode enable attempt" group="320" srcip="87.106.8.42" dstip="###.###.###.###" proto="6" srcport="80" dstport="26960" sid="26850" class="Potential Corporate Privacy Violation" priority="1" generator="1" msgid="0"
    2015:07:09-08:50:58 OurFirewall snort[24699]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="drop" reason="BROWSER-PLUGINS Oracle JRE Deployment Toolkit ActiveX clsid access attempt" group="110" srcip="185.29.133.58" dstip="###.###.###.###" proto="6" srcport="80" dstport="29056" sid="23878" class="Attempted User Privilege Gain" priority="1" generator="1" msgid="0"
    2015:07:09-09:30:22 OurFirewall snort[24694]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="drop" reason="BROWSER-PLUGINS Oracle JRE Deployment Toolkit ActiveX clsid access attempt" group="110" srcip="81.30.144.57" dstip="###.###.###.###" proto="6" srcport="80" dstport="40326" sid="23878" class="Attempted User Privilege Gain" priority="1" generator="1" msgid="0"
    2015:07:09-09:39:58 OurFirewall snort[24690]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="drop" reason="BROWSER-IE Microsoft Internet Explorer IE5 compatibility mode enable attempt" group="320" srcip="87.106.8.42" dstip="###.###.###.###" proto="6" srcport="80" dstport="26049" sid="26850" class="Potential Corporate Privacy Violation" priority="1" generator="1" msgid="0"



    edit: BROWSER-IE Microsoft Internet Explorer IE5 compatibility mode enable attempt -> https://www.snort.org/rule_docs/26850 (Page not found)
  • Could it be that something from the internal network is trying to exploit the Shellshock gap on the two external servers?


    2015:07:08-08:17:38 OurFirewall snort[24690]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="drop" reason="OS-OTHER Bash CGI environment variable injection attempt" group="218" srcip="###.###.###.###" dstip="212.1.40.2" proto="6" srcport="42616" dstport="80" sid="31977" class="Attempted Administrator Privilege Gain" priority="1" generator="1" msgid="0"
    2015:07:08-08:17:19 OurFirewall snort[24690]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="drop" reason="OS-OTHER Bash CGI environment variable injection attempt" group="218" srcip="###.###.###.###" dstip="212.1.40.2" proto="6" srcport="42569" dstport="80" sid="31977" class="Attempted Administrator Privilege Gain" priority="1" generator="1" msgid="0"
    2015:07:08-08:17:04 OurFirewall snort[24690]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="drop" reason="OS-OTHER Bash CGI environment variable injection attempt" group="218" srcip="###.###.###.###" dstip="212.1.40.2" proto="6" srcport="42492" dstport="80" sid="31977" class="Attempted Administrator Privilege Gain" priority="1" generator="1" msgid="0"
    2015:07:08-08:16:47 OurFirewall snort[24690]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="drop" reason="OS-OTHER Bash CGI environment variable injection attempt" group="218" srcip="###.###.###.###" dstip="212.1.40.2" proto="6" srcport="42431" dstport="80" sid="31977" class="Attempted Administrator Privilege Gain" priority="1" generator="1" msgid="0"
    2015:07:08-08:16:31 OurFirewall snort[24690]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="drop" reason="OS-OTHER Bash CGI environment variable injection attempt" group="218" srcip="###.###.###.###" dstip="212.1.40.2" proto="6" srcport="42381" dstport="80" sid="31977" class="Attempted Administrator Privilege Gain" priority="1" generator="1" msgid="0"
    2015:07:07-12:59:20 OurFirewall snort[24694]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="drop" reason="OS-OTHER Bash CGI environment variable injection attempt" group="218" srcip="###.###.###.###" dstip="217.114.208.8" proto="6" srcport="41930" dstport="80" sid="31977" class="Attempted Administrator Privilege Gain" priority="1" generator="1" msgid="0"
    2015:07:07-12:59:00 OurFirewall snort[24694]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="drop" reason="OS-OTHER Bash CGI environment variable injection attempt" group="218" srcip="###.###.###.###" dstip="217.114.208.8" proto="6" srcport="41663" dstport="80" sid="31977" class="Attempted Administrator Privilege Gain" priority="1" generator="1" msgid="0"
    2015:07:07-12:58:09 OurFirewall snort[24694]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="drop" reason="OS-OTHER Bash CGI environment variable injection attempt" group="218" srcip="###.###.###.###" dstip="217.114.208.8" proto="6" srcport="41041" dstport="80" sid="31977" class="Attempted Administrator Privilege Gain" priority="1" generator="1" msgid="0"
    2015:07:07-12:56:17 OurFirewall snort[24694]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="drop" reason="OS-OTHER Bash CGI environment variable injection attempt" group="218" srcip="###.###.###.###" dstip="217.114.208.8" proto="6" srcport="39002" dstport="80" sid="31977" class="Attempted Administrator Privilege Gain" priority="1" generator="1" msgid="0"
    2015:07:07-12:54:35 OurFirewall snort[24694]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="drop" reason="OS-OTHER Bash CGI environment variable injection attempt" group="218" srcip="###.###.###.###" dstip="217.114.208.8" proto="6" srcport="38436" dstport="80" sid="31977" class="Attempted Administrator Privilege Gain" priority="1" generator="1" msgid="0"
    2015:07:07-12:50:55 OurFirewall snort[24694]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="drop" reason="OS-OTHER Bash CGI environment variable injection attempt" group="218" srcip="###.###.###.###" dstip="217.114.208.8" proto="6" srcport="37432" dstport="80" sid="31977" class="Attempted Administrator Privilege Gain" priority="1" generator="1" msgid="0"
    2015:07:07-12:49:10 OurFirewall snort[24694]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="drop" reason="OS-OTHER Bash CGI environment variable injection attempt" group="218" srcip="###.###.###.###" dstip="217.114.208.8" proto="6" srcport="36602" dstport="80" sid="31977" class="Attempted Administrator Privilege Gain" priority="1" generator="1" msgid="0"



    What do these messages tell me? These are only incoming.


    2015:07:09-07:04:56 OurFirewall snort[24699]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="drop" reason="BROWSER-PLUGINS Oracle JRE Deployment Toolkit ActiveX clsid access attempt" group="110" srcip="185.29.133.34" dstip="###.###.###.###" proto="6" srcport="80" dstport="38617" sid="23878" class="Attempted User Privilege Gain" priority="1" generator="1" msgid="0"
    2015:07:09-07:52:58 OurFirewall snort[24690]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="drop" reason="BROWSER-IE Microsoft Internet Explorer IE5 compatibility mode enable attempt" group="320" srcip="87.106.8.42" dstip="###.###.###.###" proto="6" srcport="80" dstport="26649" sid="26850" class="Potential Corporate Privacy Violation" priority="1" generator="1" msgid="0"
    2015:07:09-07:53:29 OurFirewall snort[24690]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="drop" reason="BROWSER-IE Microsoft Internet Explorer IE5 compatibility mode enable attempt" group="320" srcip="87.106.8.42" dstip="###.###.###.###" proto="6" srcport="80" dstport="26710" sid="26850" class="Potential Corporate Privacy Violation" priority="1" generator="1" msgid="0"
    2015:07:09-07:53:36 OurFirewall snort[24690]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="drop" reason="BROWSER-IE Microsoft Internet Explorer IE5 compatibility mode enable attempt" group="320" srcip="87.106.8.42" dstip="###.###.###.###" proto="6" srcport="80" dstport="26791" sid="26850" class="Potential Corporate Privacy Violation" priority="1" generator="1" msgid="0"
    2015:07:09-07:53:55 OurFirewall snort[24690]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="drop" reason="BROWSER-IE Microsoft Internet Explorer IE5 compatibility mode enable attempt" group="320" srcip="87.106.8.42" dstip="###.###.###.###" proto="6" srcport="80" dstport="26913" sid="26850" class="Potential Corporate Privacy Violation" priority="1" generator="1" msgid="0"
    2015:07:09-07:54:22 OurFirewall snort[24690]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="drop" reason="BROWSER-IE Microsoft Internet Explorer IE5 compatibility mode enable attempt" group="320" srcip="87.106.8.42" dstip="###.###.###.###" proto="6" srcport="80" dstport="26960" sid="26850" class="Potential Corporate Privacy Violation" priority="1" generator="1" msgid="0"
    2015:07:09-08:50:58 OurFirewall snort[24699]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="drop" reason="BROWSER-PLUGINS Oracle JRE Deployment Toolkit ActiveX clsid access attempt" group="110" srcip="185.29.133.58" dstip="###.###.###.###" proto="6" srcport="80" dstport="29056" sid="23878" class="Attempted User Privilege Gain" priority="1" generator="1" msgid="0"
    2015:07:09-09:30:22 OurFirewall snort[24694]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="drop" reason="BROWSER-PLUGINS Oracle JRE Deployment Toolkit ActiveX clsid access attempt" group="110" srcip="81.30.144.57" dstip="###.###.###.###" proto="6" srcport="80" dstport="40326" sid="23878" class="Attempted User Privilege Gain" priority="1" generator="1" msgid="0"
    2015:07:09-09:39:58 OurFirewall snort[24690]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="drop" reason="BROWSER-IE Microsoft Internet Explorer IE5 compatibility mode enable attempt" group="320" srcip="87.106.8.42" dstip="###.###.###.###" proto="6" srcport="80" dstport="26049" sid="26850" class="Potential Corporate Privacy Violation" priority="1" generator="1" msgid="0"


    BROWSER-IE Microsoft Internet Explorer IE5 compatibility mode enable attempt -> https://www.snort.org/rule_docs/26850 (Page not found)
  • UTM uses open source Snort rules for IPS/IDS, nothing Sophos specific.  Using the SID number in the logs, you can research about specific rules by going to snort: https://www.snort.org/rule_docs/31977, and you should've gotten a notification email from the UTM that will have a link in it to get further information.  If neither of these work, Google "Snort SID ".
  • These rules are being triggered on your UTM.  Using the SID number in the logs, you can research about specific rules by going to snort: https://www.snort.org/rule_docs/31977.


    I know, e.g. SID=26850 was not found.
    Can you tell me more, in an understandable way?
  • I know, e.g. SID=26850 was not found.
    Can you tell me more, in an understandable way?
    These are not UTM created or maintained rules, but ones from the Snort Community rules.  Google "Snort SID " (without quotes). 


    I just noticed that this is a double post, which is not allowed.  Merging this thread with the other one.
  • OK, again, those were my questions

    Could it be that something from the internal network is trying to exploit the Shellshock gap on the two external servers?

    a -> is it from internal to external?
    b -> is it from external to internal?
    c -> shellshock (CVE-2014-6271) YES/NO?




    What do these messages tell me? These are only incoming.


    SID 23878 -> not found intrusion-prevention-staendige-meldungen
    SID 26850 -> not found


    SID 23878: DONE
  • a -> is it from internal to external?
    b -> is it from external to internal?
    Can't tell from the way that the IP has been obfuscated, srcip="87.106.8.42" dstip="###.###.###.###".  If dstip is your IP, then this would be incoming and if so, then some automated vulnerability script is probably trying to target your IP.
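Added example (not from the thread, not Sophos or Snort code): a small Python parser for the UTM IPS log lines quoted above that answers the two questions asked in this thread, which way each alert flows (the srcip/dstip check in the reply above) and where to look the SID up (the https://www.snort.org/rule_docs/<sid> link from the earlier reply). It assumes that the masked address `###.###.###.###` is the poster's own public IP and that 192.168.0.0/16 is their LAN; both are assumptions for the example and should be replaced with your real address space. The three log lines it reads are copied from the thread, one per SID discussed. It goes one step beyond the thread by also using the port numbers to say which end is the web server: srcport 80 with a high dstport means the flagged content was in a web server's reply to a request a local client had made, which is why the SID 23878/26850 lines show the remote host as srcip.

```python
"""Parse Sophos UTM / Snort IPS log lines and report, per SID, the traffic
direction, which end is the server, and the snort.org rule documentation URL.
Example code written for this thread; not part of the UTM or Snort projects."""
import re

# The thread's poster masked their own public IP like this (assumption: that is
# the only masked value, and it always means "our side").
MASKED = "###.###.###.###"

# Three lines copied from the thread, one for each SID that was asked about.
SAMPLE_LOG = """\
2015:07:08-08:17:38 OurFirewall snort[24690]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="drop" reason="OS-OTHER Bash CGI environment variable injection attempt" group="218" srcip="###.###.###.###" dstip="212.1.40.2" proto="6" srcport="42616" dstport="80" sid="31977" class="Attempted Administrator Privilege Gain" priority="1" generator="1" msgid="0"
2015:07:09-07:04:56 OurFirewall snort[24699]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="drop" reason="BROWSER-PLUGINS Oracle JRE Deployment Toolkit ActiveX clsid access attempt" group="110" srcip="185.29.133.34" dstip="###.###.###.###" proto="6" srcport="80" dstport="38617" sid="23878" class="Attempted User Privilege Gain" priority="1" generator="1" msgid="0"
2015:07:09-07:52:58 OurFirewall snort[24690]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="drop" reason="BROWSER-IE Microsoft Internet Explorer IE5 compatibility mode enable attempt" group="320" srcip="87.106.8.42" dstip="###.###.###.###" proto="6" srcport="80" dstport="26649" sid="26850" class="Potential Corporate Privacy Violation" priority="1" generator="1" msgid="0"
"""

# Syslog-style prefix: timestamp, hostname, process[pid]:
HEAD_RE = re.compile(r'^(?P<ts>\S+)\s+(?P<host>\S+)\s+(?P<proc>\S+):\s')
# UTM writes the rest of the line as key="value" pairs.
KV_RE = re.compile(r'(\w+)="([^"]*)"')


def parse_line(line):
    """Return the line as a dict of fields, or None if it is not a UTM IPS line."""
    head = HEAD_RE.match(line)
    if not head:
        return None
    rec = head.groupdict()
    rec.update(KV_RE.findall(line[head.end():]))
    return rec if rec.get("sub") == "ips" else None


def is_local(ip):
    """Assumption for this example: the masked address is the poster's public IP
    and 192.168.0.0/16 is their LAN. Replace with your own address space."""
    return ip == MASKED or ip.startswith("192.168.")


def direction(rec):
    """Classify by which side of the connection belongs to us."""
    src, dst = is_local(rec["srcip"]), is_local(rec["dstip"])
    if src and not dst:
        return "outbound"
    if dst and not src:
        return "inbound"
    return "internal" if src and dst else "transit"


def traffic_role(rec):
    """Use the port pair to say which end is the web server. A source port of
    80/443 with a high destination port means the flagged bytes were sent by a
    web server to a client, i.e. inside a reply to a request the client made."""
    sport, dport = int(rec["srcport"]), int(rec["dstport"])
    if sport in (80, 443) and dport > 1023:
        return "server-to-client"
    if dport in (80, 443) and sport > 1023:
        return "client-to-server"
    return "unknown"


def rule_doc_url(sid):
    """Rule documentation link in the form given in the thread."""
    return f"https://www.snort.org/rule_docs/{sid}"


def summarize(text):
    """Group IPS lines by SID with counts, directions, roles and the doc URL."""
    by_sid = {}
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        entry = by_sid.setdefault(rec["sid"], {
            "sid": rec["sid"], "reason": rec["reason"], "count": 0,
            "directions": set(), "roles": set(), "url": rule_doc_url(rec["sid"]),
        })
        entry["count"] += 1
        entry["directions"].add(direction(rec))
        entry["roles"].add(traffic_role(rec))
    return by_sid


if __name__ == "__main__":
    for entry in summarize(SAMPLE_LOG).values():
        print(f'SID {entry["sid"]}: {entry["count"]}x {entry["reason"]}')
        print(f'  direction={sorted(entry["directions"])} role={sorted(entry["roles"])}')
        print(f'  docs: {entry["url"]}')
```

Feed it the full IPS log (for example the lines in this thread, unmasked) and the summary shows the SID 31977 lines as outbound client-to-server traffic from the LAN to port 80 on the two external hosts, and the SID 23878 and 26850 lines as inbound server-to-client traffic, that is, content in replies from web servers that an internal client had connected to.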
  • Can't tell from the way that the IP has been obfuscated, srcip="87.106.8.42" dstip="###.###.###.###".  If dstip is your IP, then this would be incoming and if so, then some automated vulnerability script is probably trying to target your IP.



    2015:07:07-12:54:35 OurFirewall snort[24694]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="drop" reason="OS-OTHER Bash CGI environment variable injection attempt" group="218" srcip="###.###.###.###" dstip="217.114.208.8" proto="6" srcport="38436" dstport="80" sid="31977" class="Attempted Administrator Privilege Gain" priority="1" generator="1" msgid="0"


    my external IP is the obfuscated one