
different IPS-Errors

I think I have a similar problem.

2015:07:08-08:17:38 OurFirewall snort[24690]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="drop" reason="OS-OTHER Bash CGI environment variable injection attempt" group="218" srcip="###.###.###.###" dstip="212.1.40.2" proto="6" srcport="42616" dstport="80" sid="31977" class="Attempted Administrator Privilege Gain" priority="1" generator="1" msgid="0"
2015:07:08-08:17:19 OurFirewall snort[24690]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="drop" reason="OS-OTHER Bash CGI environment variable injection attempt" group="218" srcip="###.###.###.###" dstip="212.1.40.2" proto="6" srcport="42569" dstport="80" sid="31977" class="Attempted Administrator Privilege Gain" priority="1" generator="1" msgid="0"
2015:07:08-08:17:04 OurFirewall snort[24690]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="drop" reason="OS-OTHER Bash CGI environment variable injection attempt" group="218" srcip="###.###.###.###" dstip="212.1.40.2" proto="6" srcport="42492" dstport="80" sid="31977" class="Attempted Administrator Privilege Gain" priority="1" generator="1" msgid="0"
2015:07:08-08:16:47 OurFirewall snort[24690]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="drop" reason="OS-OTHER Bash CGI environment variable injection attempt" group="218" srcip="###.###.###.###" dstip="212.1.40.2" proto="6" srcport="42431" dstport="80" sid="31977" class="Attempted Administrator Privilege Gain" priority="1" generator="1" msgid="0"
2015:07:08-08:16:31 OurFirewall snort[24690]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="drop" reason="OS-OTHER Bash CGI environment variable injection attempt" group="218" srcip="###.###.###.###" dstip="212.1.40.2" proto="6" srcport="42381" dstport="80" sid="31977" class="Attempted Administrator Privilege Gain" priority="1" generator="1" msgid="0"
2015:07:07-12:59:20 OurFirewall snort[24694]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="drop" reason="OS-OTHER Bash CGI environment variable injection attempt" group="218" srcip="###.###.###.###" dstip="217.114.208.8" proto="6" srcport="41930" dstport="80" sid="31977" class="Attempted Administrator Privilege Gain" priority="1" generator="1" msgid="0"
2015:07:07-12:59:00 OurFirewall snort[24694]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="drop" reason="OS-OTHER Bash CGI environment variable injection attempt" group="218" srcip="###.###.###.###" dstip="217.114.208.8" proto="6" srcport="41663" dstport="80" sid="31977" class="Attempted Administrator Privilege Gain" priority="1" generator="1" msgid="0"
2015:07:07-12:58:09 OurFirewall snort[24694]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="drop" reason="OS-OTHER Bash CGI environment variable injection attempt" group="218" srcip="###.###.###.###" dstip="217.114.208.8" proto="6" srcport="41041" dstport="80" sid="31977" class="Attempted Administrator Privilege Gain" priority="1" generator="1" msgid="0"
2015:07:07-12:56:17 OurFirewall snort[24694]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="drop" reason="OS-OTHER Bash CGI environment variable injection attempt" group="218" srcip="###.###.###.###" dstip="217.114.208.8" proto="6" srcport="39002" dstport="80" sid="31977" class="Attempted Administrator Privilege Gain" priority="1" generator="1" msgid="0"
2015:07:07-12:54:35 OurFirewall snort[24694]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="drop" reason="OS-OTHER Bash CGI environment variable injection attempt" group="218" srcip="###.###.###.###" dstip="217.114.208.8" proto="6" srcport="38436" dstport="80" sid="31977" class="Attempted Administrator Privilege Gain" priority="1" generator="1" msgid="0"
2015:07:07-12:50:55 OurFirewall snort[24694]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="drop" reason="OS-OTHER Bash CGI environment variable injection attempt" group="218" srcip="###.###.###.###" dstip="217.114.208.8" proto="6" srcport="37432" dstport="80" sid="31977" class="Attempted Administrator Privilege Gain" priority="1" generator="1" msgid="0"
2015:07:07-12:49:10 OurFirewall snort[24694]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="drop" reason="OS-OTHER Bash CGI environment variable injection attempt" group="218" srcip="###.###.###.###" dstip="217.114.208.8" proto="6" srcport="36602" dstport="80" sid="31977" class="Attempted Administrator Privilege Gain" priority="1" generator="1" msgid="0"


Is someone trying to attack from the internal network to the outside?


What do these error messages tell me?
2015:07:09-07:04:56 OurFirewall snort[24699]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="drop" reason="BROWSER-PLUGINS Oracle JRE Deployment Toolkit ActiveX clsid access attempt" group="110" srcip="185.29.133.34" dstip="###.###.###.###" proto="6" srcport="80" dstport="38617" sid="23878" class="Attempted User Privilege Gain" priority="1" generator="1" msgid="0"
2015:07:09-07:52:58 OurFirewall snort[24690]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="drop" reason="BROWSER-IE Microsoft Internet Explorer IE5 compatibility mode enable attempt" group="320" srcip="87.106.8.42" dstip="###.###.###.###" proto="6" srcport="80" dstport="26649" sid="26850" class="Potential Corporate Privacy Violation" priority="1" generator="1" msgid="0"
2015:07:09-07:53:29 OurFirewall snort[24690]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="drop" reason="BROWSER-IE Microsoft Internet Explorer IE5 compatibility mode enable attempt" group="320" srcip="87.106.8.42" dstip="###.###.###.###" proto="6" srcport="80" dstport="26710" sid="26850" class="Potential Corporate Privacy Violation" priority="1" generator="1" msgid="0"
2015:07:09-07:53:36 OurFirewall snort[24690]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="drop" reason="BROWSER-IE Microsoft Internet Explorer IE5 compatibility mode enable attempt" group="320" srcip="87.106.8.42" dstip="###.###.###.###" proto="6" srcport="80" dstport="26791" sid="26850" class="Potential Corporate Privacy Violation" priority="1" generator="1" msgid="0"
2015:07:09-07:53:55 OurFirewall snort[24690]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="drop" reason="BROWSER-IE Microsoft Internet Explorer IE5 compatibility mode enable attempt" group="320" srcip="87.106.8.42" dstip="###.###.###.###" proto="6" srcport="80" dstport="26913" sid="26850" class="Potential Corporate Privacy Violation" priority="1" generator="1" msgid="0"
2015:07:09-07:54:22 OurFirewall snort[24690]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="drop" reason="BROWSER-IE Microsoft Internet Explorer IE5 compatibility mode enable attempt" group="320" srcip="87.106.8.42" dstip="###.###.###.###" proto="6" srcport="80" dstport="26960" sid="26850" class="Potential Corporate Privacy Violation" priority="1" generator="1" msgid="0"
2015:07:09-08:50:58 OurFirewall snort[24699]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="drop" reason="BROWSER-PLUGINS Oracle JRE Deployment Toolkit ActiveX clsid access attempt" group="110" srcip="185.29.133.58" dstip="###.###.###.###" proto="6" srcport="80" dstport="29056" sid="23878" class="Attempted User Privilege Gain" priority="1" generator="1" msgid="0"
2015:07:09-09:30:22 OurFirewall snort[24694]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="drop" reason="BROWSER-PLUGINS Oracle JRE Deployment Toolkit ActiveX clsid access attempt" group="110" srcip="81.30.144.57" dstip="###.###.###.###" proto="6" srcport="80" dstport="40326" sid="23878" class="Attempted User Privilege Gain" priority="1" generator="1" msgid="0"
2015:07:09-09:39:58 OurFirewall snort[24690]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="drop" reason="BROWSER-IE Microsoft Internet Explorer IE5 compatibility mode enable attempt" group="320" srcip="87.106.8.42" dstip="###.###.###.###" proto="6" srcport="80" dstport="26049" sid="26850" class="Potential Corporate Privacy Violation" priority="1" generator="1" msgid="0"


  • Hi everyone, I have only just discovered the German part of the forum.

    so I am asking my question here again [:)]

    Could it be that something on the internal network is trying to exploit the ShellShock vulnerability on external servers?

    2015:07:08-08:17:38 OurFirewall snort[24690]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="drop" reason="OS-OTHER Bash CGI environment variable injection attempt" group="218" srcip="###.###.###.###" dstip="212.1.40.2" proto="6" srcport="42616" dstport="80" sid="31977" class="Attempted Administrator Privilege Gain" priority="1" generator="1" msgid="0"
    2015:07:08-08:17:19 OurFirewall snort[24690]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="drop" reason="OS-OTHER Bash CGI environment variable injection attempt" group="218" srcip="###.###.###.###" dstip="212.1.40.2" proto="6" srcport="42569" dstport="80" sid="31977" class="Attempted Administrator Privilege Gain" priority="1" generator="1" msgid="0"
    2015:07:08-08:17:04 OurFirewall snort[24690]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="drop" reason="OS-OTHER Bash CGI environment variable injection attempt" group="218" srcip="###.###.###.###" dstip="212.1.40.2" proto="6" srcport="42492" dstport="80" sid="31977" class="Attempted Administrator Privilege Gain" priority="1" generator="1" msgid="0"
    2015:07:08-08:16:47 OurFirewall snort[24690]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="drop" reason="OS-OTHER Bash CGI environment variable injection attempt" group="218" srcip="###.###.###.###" dstip="212.1.40.2" proto="6" srcport="42431" dstport="80" sid="31977" class="Attempted Administrator Privilege Gain" priority="1" generator="1" msgid="0"
    2015:07:08-08:16:31 OurFirewall snort[24690]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="drop" reason="OS-OTHER Bash CGI environment variable injection attempt" group="218" srcip="###.###.###.###" dstip="212.1.40.2" proto="6" srcport="42381" dstport="80" sid="31977" class="Attempted Administrator Privilege Gain" priority="1" generator="1" msgid="0"
    2015:07:07-12:59:20 OurFirewall snort[24694]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="drop" reason="OS-OTHER Bash CGI environment variable injection attempt" group="218" srcip="###.###.###.###" dstip="217.114.208.8" proto="6" srcport="41930" dstport="80" sid="31977" class="Attempted Administrator Privilege Gain" priority="1" generator="1" msgid="0"
    2015:07:07-12:59:00 OurFirewall snort[24694]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="drop" reason="OS-OTHER Bash CGI environment variable injection attempt" group="218" srcip="###.###.###.###" dstip="217.114.208.8" proto="6" srcport="41663" dstport="80" sid="31977" class="Attempted Administrator Privilege Gain" priority="1" generator="1" msgid="0"
    2015:07:07-12:58:09 OurFirewall snort[24694]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="drop" reason="OS-OTHER Bash CGI environment variable injection attempt" group="218" srcip="###.###.###.###" dstip="217.114.208.8" proto="6" srcport="41041" dstport="80" sid="31977" class="Attempted Administrator Privilege Gain" priority="1" generator="1" msgid="0"
    2015:07:07-12:56:17 OurFirewall snort[24694]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="drop" reason="OS-OTHER Bash CGI environment variable injection attempt" group="218" srcip="###.###.###.###" dstip="217.114.208.8" proto="6" srcport="39002" dstport="80" sid="31977" class="Attempted Administrator Privilege Gain" priority="1" generator="1" msgid="0"
    2015:07:07-12:54:35 OurFirewall snort[24694]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="drop" reason="OS-OTHER Bash CGI environment variable injection attempt" group="218" srcip="###.###.###.###" dstip="217.114.208.8" proto="6" srcport="38436" dstport="80" sid="31977" class="Attempted Administrator Privilege Gain" priority="1" generator="1" msgid="0"
    2015:07:07-12:50:55 OurFirewall snort[24694]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="drop" reason="OS-OTHER Bash CGI environment variable injection attempt" group="218" srcip="###.###.###.###" dstip="217.114.208.8" proto="6" srcport="37432" dstport="80" sid="31977" class="Attempted Administrator Privilege Gain" priority="1" generator="1" msgid="0"
    2015:07:07-12:49:10 OurFirewall snort[24694]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="drop" reason="OS-OTHER Bash CGI environment variable injection attempt" group="218" srcip="###.###.###.###" dstip="217.114.208.8" proto="6" srcport="36602" dstport="80" sid="31977" class="Attempted Administrator Privilege Gain" priority="1" generator="1" msgid="0"




    What do these messages tell me? They are exclusively incoming, but they show up regularly.

    2015:07:09-07:04:56 OurFirewall snort[24699]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="drop" reason="BROWSER-PLUGINS Oracle JRE Deployment Toolkit ActiveX clsid access attempt" group="110" srcip="185.29.133.34" dstip="###.###.###.###" proto="6" srcport="80" dstport="38617" sid="23878" class="Attempted User Privilege Gain" priority="1" generator="1" msgid="0"
    2015:07:09-07:52:58 OurFirewall snort[24690]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="drop" reason="BROWSER-IE Microsoft Internet Explorer IE5 compatibility mode enable attempt" group="320" srcip="87.106.8.42" dstip="###.###.###.###" proto="6" srcport="80" dstport="26649" sid="26850" class="Potential Corporate Privacy Violation" priority="1" generator="1" msgid="0"
    2015:07:09-07:53:29 OurFirewall snort[24690]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="drop" reason="BROWSER-IE Microsoft Internet Explorer IE5 compatibility mode enable attempt" group="320" srcip="87.106.8.42" dstip="###.###.###.###" proto="6" srcport="80" dstport="26710" sid="26850" class="Potential Corporate Privacy Violation" priority="1" generator="1" msgid="0"
    2015:07:09-07:53:36 OurFirewall snort[24690]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="drop" reason="BROWSER-IE Microsoft Internet Explorer IE5 compatibility mode enable attempt" group="320" srcip="87.106.8.42" dstip="###.###.###.###" proto="6" srcport="80" dstport="26791" sid="26850" class="Potential Corporate Privacy Violation" priority="1" generator="1" msgid="0"
    2015:07:09-07:53:55 OurFirewall snort[24690]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="drop" reason="BROWSER-IE Microsoft Internet Explorer IE5 compatibility mode enable attempt" group="320" srcip="87.106.8.42" dstip="###.###.###.###" proto="6" srcport="80" dstport="26913" sid="26850" class="Potential Corporate Privacy Violation" priority="1" generator="1" msgid="0"
    2015:07:09-07:54:22 OurFirewall snort[24690]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="drop" reason="BROWSER-IE Microsoft Internet Explorer IE5 compatibility mode enable attempt" group="320" srcip="87.106.8.42" dstip="###.###.###.###" proto="6" srcport="80" dstport="26960" sid="26850" class="Potential Corporate Privacy Violation" priority="1" generator="1" msgid="0"
    2015:07:09-08:50:58 OurFirewall snort[24699]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="drop" reason="BROWSER-PLUGINS Oracle JRE Deployment Toolkit ActiveX clsid access attempt" group="110" srcip="185.29.133.58" dstip="###.###.###.###" proto="6" srcport="80" dstport="29056" sid="23878" class="Attempted User Privilege Gain" priority="1" generator="1" msgid="0"
    2015:07:09-09:30:22 OurFirewall snort[24694]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="drop" reason="BROWSER-PLUGINS Oracle JRE Deployment Toolkit ActiveX clsid access attempt" group="110" srcip="81.30.144.57" dstip="###.###.###.###" proto="6" srcport="80" dstport="40326" sid="23878" class="Attempted User Privilege Gain" priority="1" generator="1" msgid="0"
    2015:07:09-09:39:58 OurFirewall snort[24690]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="drop" reason="BROWSER-IE Microsoft Internet Explorer IE5 compatibility mode enable attempt" group="320" srcip="87.106.8.42" dstip="###.###.###.###" proto="6" srcport="80" dstport="26049" sid="26850" class="Potential Corporate Privacy Violation" priority="1" generator="1" msgid="0"



    edit: BROWSER-IE Microsoft Internet Explorer IE5 compatibility mode enable attempt -> https://www.snort.org/rule_docs/26850 (Page not found)
  • Could it be that something on the internal network is trying to exploit the Shellshock vulnerability on the two external servers?


    2015:07:08-08:17:38 OurFirewall snort[24690]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="drop" reason="OS-OTHER Bash CGI environment variable injection attempt" group="218" srcip="###.###.###.###" dstip="212.1.40.2" proto="6" srcport="42616" dstport="80" sid="31977" class="Attempted Administrator Privilege Gain" priority="1" generator="1" msgid="0"
    2015:07:08-08:17:19 OurFirewall snort[24690]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="drop" reason="OS-OTHER Bash CGI environment variable injection attempt" group="218" srcip="###.###.###.###" dstip="212.1.40.2" proto="6" srcport="42569" dstport="80" sid="31977" class="Attempted Administrator Privilege Gain" priority="1" generator="1" msgid="0"
    2015:07:08-08:17:04 OurFirewall snort[24690]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="drop" reason="OS-OTHER Bash CGI environment variable injection attempt" group="218" srcip="###.###.###.###" dstip="212.1.40.2" proto="6" srcport="42492" dstport="80" sid="31977" class="Attempted Administrator Privilege Gain" priority="1" generator="1" msgid="0"
    2015:07:08-08:16:47 OurFirewall snort[24690]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="drop" reason="OS-OTHER Bash CGI environment variable injection attempt" group="218" srcip="###.###.###.###" dstip="212.1.40.2" proto="6" srcport="42431" dstport="80" sid="31977" class="Attempted Administrator Privilege Gain" priority="1" generator="1" msgid="0"
    2015:07:08-08:16:31 OurFirewall snort[24690]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="drop" reason="OS-OTHER Bash CGI environment variable injection attempt" group="218" srcip="###.###.###.###" dstip="212.1.40.2" proto="6" srcport="42381" dstport="80" sid="31977" class="Attempted Administrator Privilege Gain" priority="1" generator="1" msgid="0"
    2015:07:07-12:59:20 OurFirewall snort[24694]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="drop" reason="OS-OTHER Bash CGI environment variable injection attempt" group="218" srcip="###.###.###.###" dstip="217.114.208.8" proto="6" srcport="41930" dstport="80" sid="31977" class="Attempted Administrator Privilege Gain" priority="1" generator="1" msgid="0"
    2015:07:07-12:59:00 OurFirewall snort[24694]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="drop" reason="OS-OTHER Bash CGI environment variable injection attempt" group="218" srcip="###.###.###.###" dstip="217.114.208.8" proto="6" srcport="41663" dstport="80" sid="31977" class="Attempted Administrator Privilege Gain" priority="1" generator="1" msgid="0"
    2015:07:07-12:58:09 OurFirewall snort[24694]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="drop" reason="OS-OTHER Bash CGI environment variable injection attempt" group="218" srcip="###.###.###.###" dstip="217.114.208.8" proto="6" srcport="41041" dstport="80" sid="31977" class="Attempted Administrator Privilege Gain" priority="1" generator="1" msgid="0"
    2015:07:07-12:56:17 OurFirewall snort[24694]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="drop" reason="OS-OTHER Bash CGI environment variable injection attempt" group="218" srcip="###.###.###.###" dstip="217.114.208.8" proto="6" srcport="39002" dstport="80" sid="31977" class="Attempted Administrator Privilege Gain" priority="1" generator="1" msgid="0"
    2015:07:07-12:54:35 OurFirewall snort[24694]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="drop" reason="OS-OTHER Bash CGI environment variable injection attempt" group="218" srcip="###.###.###.###" dstip="217.114.208.8" proto="6" srcport="38436" dstport="80" sid="31977" class="Attempted Administrator Privilege Gain" priority="1" generator="1" msgid="0"
    2015:07:07-12:50:55 OurFirewall snort[24694]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="drop" reason="OS-OTHER Bash CGI environment variable injection attempt" group="218" srcip="###.###.###.###" dstip="217.114.208.8" proto="6" srcport="37432" dstport="80" sid="31977" class="Attempted Administrator Privilege Gain" priority="1" generator="1" msgid="0"
    2015:07:07-12:49:10 OurFirewall snort[24694]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="drop" reason="OS-OTHER Bash CGI environment variable injection attempt" group="218" srcip="###.###.###.###" dstip="217.114.208.8" proto="6" srcport="36602" dstport="80" sid="31977" class="Attempted Administrator Privilege Gain" priority="1" generator="1" msgid="0"



    What do these messages tell me? These are only incoming.


    2015:07:09-07:04:56 OurFirewall snort[24699]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="drop" reason="BROWSER-PLUGINS Oracle JRE Deployment Toolkit ActiveX clsid access attempt" group="110" srcip="185.29.133.34" dstip="###.###.###.###" proto="6" srcport="80" dstport="38617" sid="23878" class="Attempted User Privilege Gain" priority="1" generator="1" msgid="0"
    2015:07:09-07:52:58 OurFirewall snort[24690]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="drop" reason="BROWSER-IE Microsoft Internet Explorer IE5 compatibility mode enable attempt" group="320" srcip="87.106.8.42" dstip="###.###.###.###" proto="6" srcport="80" dstport="26649" sid="26850" class="Potential Corporate Privacy Violation" priority="1" generator="1" msgid="0"
    2015:07:09-07:53:29 OurFirewall snort[24690]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="drop" reason="BROWSER-IE Microsoft Internet Explorer IE5 compatibility mode enable attempt" group="320" srcip="87.106.8.42" dstip="###.###.###.###" proto="6" srcport="80" dstport="26710" sid="26850" class="Potential Corporate Privacy Violation" priority="1" generator="1" msgid="0"
    2015:07:09-07:53:36 OurFirewall snort[24690]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="drop" reason="BROWSER-IE Microsoft Internet Explorer IE5 compatibility mode enable attempt" group="320" srcip="87.106.8.42" dstip="###.###.###.###" proto="6" srcport="80" dstport="26791" sid="26850" class="Potential Corporate Privacy Violation" priority="1" generator="1" msgid="0"
    2015:07:09-07:53:55 OurFirewall snort[24690]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="drop" reason="BROWSER-IE Microsoft Internet Explorer IE5 compatibility mode enable attempt" group="320" srcip="87.106.8.42" dstip="###.###.###.###" proto="6" srcport="80" dstport="26913" sid="26850" class="Potential Corporate Privacy Violation" priority="1" generator="1" msgid="0"
    2015:07:09-07:54:22 OurFirewall snort[24690]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="drop" reason="BROWSER-IE Microsoft Internet Explorer IE5 compatibility mode enable attempt" group="320" srcip="87.106.8.42" dstip="###.###.###.###" proto="6" srcport="80" dstport="26960" sid="26850" class="Potential Corporate Privacy Violation" priority="1" generator="1" msgid="0"
    2015:07:09-08:50:58 OurFirewall snort[24699]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="drop" reason="BROWSER-PLUGINS Oracle JRE Deployment Toolkit ActiveX clsid access attempt" group="110" srcip="185.29.133.58" dstip="###.###.###.###" proto="6" srcport="80" dstport="29056" sid="23878" class="Attempted User Privilege Gain" priority="1" generator="1" msgid="0"
    2015:07:09-09:30:22 OurFirewall snort[24694]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="drop" reason="BROWSER-PLUGINS Oracle JRE Deployment Toolkit ActiveX clsid access attempt" group="110" srcip="81.30.144.57" dstip="###.###.###.###" proto="6" srcport="80" dstport="40326" sid="23878" class="Attempted User Privilege Gain" priority="1" generator="1" msgid="0"
    2015:07:09-09:39:58 OurFirewall snort[24690]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="drop" reason="BROWSER-IE Microsoft Internet Explorer IE5 compatibility mode enable attempt" group="320" srcip="87.106.8.42" dstip="###.###.###.###" proto="6" srcport="80" dstport="26049" sid="26850" class="Potential Corporate Privacy Violation" priority="1" generator="1" msgid="0"


    BROWSER-IE Microsoft Internet Explorer IE5 compatibility mode enable attempt -> https://www.snort.org/rule_docs/26850 (Page not found)
  • UTM uses open source Snort rules for IPS/IDS, nothing Sophos specific.  Using the SID number in the logs, you can research about specific rules by going to snort: https://www.snort.org/rule_docs/31977, and you should've gotten a notification email from the UTM that will have a link in it to get further information.  If neither of these work, Google "Snort SID ".
    __________________
    ACE v8/SCA v9.3

    ...still have a v5 install disk in a box somewhere.

    http://xkcd.com
    http://www.tedgoff.com/mb
    http://www.projectcartoon.com/cartoon/1
  • These rules are being triggered on your UTM.  Using the SID number in the logs, you can research about specific rules by going to snort: https://www.snort.org/rule_docs/31977.


    I know, e.g. SID=26850 was not found.
    Can you tell me more, in a way I can understand?
  • I know, e.g. SID=26850 was not found.
    Can you tell me more, in a way I can understand?
    These are not UTM created or maintained rules, but ones from the Snort Community rules.  Google "Snort SID " (without quotes). 


    I just noticed that this is a double post, which is not allowed.  Merging this thread with the other one.
    __________________
    ACE v8/SCA v9.3

    ...still have a v5 install disk in a box somewhere.

    http://xkcd.com
    http://www.tedgoff.com/mb
    http://www.projectcartoon.com/cartoon/1
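An added example, not from the thread and not Sophos or Snort code: a small Python triage script for the UTM snort log format posted above. It splits each line into its key="value" fields, builds the snort.org rule_docs URL from the sid as the replies suggest, and uses srcip/dstip plus the port pair to tell an outbound request from an internal host (the OS-OTHER Bash CGI lines) apart from an external web server's response to an internal browser (the BROWSER-* lines). It assumes the masked ###.###.###.### address is the poster's own side and that RFC 1918 addresses are internal; WEB_PORTS is my choice of which ports count as the server side.

```python
import ipaddress
import re
from datetime import datetime

# Constructed sample: three of the lines posted in the thread, masked placeholders kept.
SAMPLE_LOG = """\
2015:07:08-08:17:38 OurFirewall snort[24690]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="drop" reason="OS-OTHER Bash CGI environment variable injection attempt" group="218" srcip="###.###.###.###" dstip="212.1.40.2" proto="6" srcport="42616" dstport="80" sid="31977" class="Attempted Administrator Privilege Gain" priority="1" generator="1" msgid="0"
2015:07:09-07:52:58 OurFirewall snort[24690]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="drop" reason="BROWSER-IE Microsoft Internet Explorer IE5 compatibility mode enable attempt" group="320" srcip="87.106.8.42" dstip="###.###.###.###" proto="6" srcport="80" dstport="26649" sid="26850" class="Potential Corporate Privacy Violation" priority="1" generator="1" msgid="0"
2015:07:09-07:04:56 OurFirewall snort[24699]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="drop" reason="BROWSER-PLUGINS Oracle JRE Deployment Toolkit ActiveX clsid access attempt" group="110" srcip="185.29.133.34" dstip="###.###.###.###" proto="6" srcport="80" dstport="38617" sid="23878" class="Attempted User Privilege Gain" priority="1" generator="1" msgid="0"
"""

MASKED = "###.###.###.###"        # placeholder the poster used for their own address
WEB_PORTS = {80, 443, 8080}       # assumption: ports treated as the web-server side
RULE_DOCS = "https://www.snort.org/rule_docs/"   # SID lookup URL given in the replies

HEADER_RE = re.compile(
    r"^(?P<ts>\d{4}:\d{2}:\d{2}-\d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"(?P<proc>\w+)\[(?P<pid>\d+)\]: (?P<rest>.*)$"
)
KV_RE = re.compile(r'(\w+)="([^"]*)"')


def parse_line(line):
    """Split one UTM snort line into its key="value" fields; None if not an IPS alert."""
    m = HEADER_RE.match(line.strip())
    if not m:
        return None
    fields = dict(KV_RE.findall(m.group("rest")))
    if fields.get("sub") != "ips" or "sid" not in fields:
        return None
    fields["timestamp"] = datetime.strptime(m.group("ts"), "%Y:%m:%d-%H:%M:%S")
    return fields


def parse_log(text):
    return [a for a in (parse_line(ln) for ln in text.splitlines()) if a]


def is_internal(ip):
    """Masked placeholder counts as our side; otherwise RFC 1918 / loopback ranges."""
    if ip == MASKED:
        return True
    try:
        return ipaddress.ip_address(ip).is_private
    except ValueError:
        return False


def classify(alert):
    """Return (direction, role): who initiated, and which packet the rule fired on."""
    src_in, dst_in = is_internal(alert["srcip"]), is_internal(alert["dstip"])
    if src_in and not dst_in:
        direction = "outbound"
    elif dst_in and not src_in:
        direction = "inbound"
    else:
        direction = "internal" if src_in else "transit"
    sp, dp = int(alert["srcport"]), int(alert["dstport"])
    # Ephemeral port -> 80 is the client's request; 80 -> ephemeral port is the web
    # server's response. So the BROWSER-* hits are replies to connections an internal
    # browser opened, and the OS-OTHER Bash CGI hits are requests an internal host sent.
    if dp in WEB_PORTS and sp not in WEB_PORTS:
        role = "client-request"
    elif sp in WEB_PORTS and dp not in WEB_PORTS:
        role = "server-response"
    else:
        role = "unknown"
    return direction, role


def summarize(alerts):
    """Group alerts by SID: count, direction, time span, far-end peers, rule docs URL."""
    summary = {}
    for a in alerts:
        direction, role = classify(a)
        s = summary.setdefault(a["sid"], {
            "reason": a["reason"], "class": a["class"], "action": a["action"],
            "count": 0, "direction": direction, "role": role,
            "first_seen": a["timestamp"], "last_seen": a["timestamp"],
            "peers": set(), "url": RULE_DOCS + a["sid"],
        })
        s["count"] += 1
        s["first_seen"] = min(s["first_seen"], a["timestamp"])
        s["last_seen"] = max(s["last_seen"], a["timestamp"])
        # Record the far-end address; for the outbound Shellshock hits the (masked)
        # srcip is the internal host a defender would want to identify and check.
        s["peers"].add(a["dstip"] if direction == "outbound" else a["srcip"])
    return summary
```

Feed an exported UTM IPS log to `summarize(parse_log(text))`; an outbound client-request entry names an internal host worth checking, while an inbound server-response entry with a BROWSER-* rule is a page an internal browser fetched.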