different IPS-Errors

I think I have a similar problem.

2015:07:08-08:17:38 OurFirewall snort[24690]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="drop" reason="OS-OTHER Bash CGI environment variable injection attempt" group="218" srcip="###.###.###.###" dstip="212.1.40.2" proto="6" srcport="42616" dstport="80" sid="31977" class="Attempted Administrator Privilege Gain" priority="1" generator="1" msgid="0"
2015:07:08-08:17:19 OurFirewall snort[24690]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="drop" reason="OS-OTHER Bash CGI environment variable injection attempt" group="218" srcip="###.###.###.###" dstip="212.1.40.2" proto="6" srcport="42569" dstport="80" sid="31977" class="Attempted Administrator Privilege Gain" priority="1" generator="1" msgid="0"
2015:07:08-08:17:04 OurFirewall snort[24690]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="drop" reason="OS-OTHER Bash CGI environment variable injection attempt" group="218" srcip="###.###.###.###" dstip="212.1.40.2" proto="6" srcport="42492" dstport="80" sid="31977" class="Attempted Administrator Privilege Gain" priority="1" generator="1" msgid="0"
2015:07:08-08:16:47 OurFirewall snort[24690]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="drop" reason="OS-OTHER Bash CGI environment variable injection attempt" group="218" srcip="###.###.###.###" dstip="212.1.40.2" proto="6" srcport="42431" dstport="80" sid="31977" class="Attempted Administrator Privilege Gain" priority="1" generator="1" msgid="0"
2015:07:08-08:16:31 OurFirewall snort[24690]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="drop" reason="OS-OTHER Bash CGI environment variable injection attempt" group="218" srcip="###.###.###.###" dstip="212.1.40.2" proto="6" srcport="42381" dstport="80" sid="31977" class="Attempted Administrator Privilege Gain" priority="1" generator="1" msgid="0"
2015:07:07-12:59:20 OurFirewall snort[24694]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="drop" reason="OS-OTHER Bash CGI environment variable injection attempt" group="218" srcip="###.###.###.###" dstip="217.114.208.8" proto="6" srcport="41930" dstport="80" sid="31977" class="Attempted Administrator Privilege Gain" priority="1" generator="1" msgid="0"
2015:07:07-12:59:00 OurFirewall snort[24694]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="drop" reason="OS-OTHER Bash CGI environment variable injection attempt" group="218" srcip="###.###.###.###" dstip="217.114.208.8" proto="6" srcport="41663" dstport="80" sid="31977" class="Attempted Administrator Privilege Gain" priority="1" generator="1" msgid="0"
2015:07:07-12:58:09 OurFirewall snort[24694]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="drop" reason="OS-OTHER Bash CGI environment variable injection attempt" group="218" srcip="###.###.###.###" dstip="217.114.208.8" proto="6" srcport="41041" dstport="80" sid="31977" class="Attempted Administrator Privilege Gain" priority="1" generator="1" msgid="0"
2015:07:07-12:56:17 OurFirewall snort[24694]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="drop" reason="OS-OTHER Bash CGI environment variable injection attempt" group="218" srcip="###.###.###.###" dstip="217.114.208.8" proto="6" srcport="39002" dstport="80" sid="31977" class="Attempted Administrator Privilege Gain" priority="1" generator="1" msgid="0"
2015:07:07-12:54:35 OurFirewall snort[24694]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="drop" reason="OS-OTHER Bash CGI environment variable injection attempt" group="218" srcip="###.###.###.###" dstip="217.114.208.8" proto="6" srcport="38436" dstport="80" sid="31977" class="Attempted Administrator Privilege Gain" priority="1" generator="1" msgid="0"
2015:07:07-12:50:55 OurFirewall snort[24694]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="drop" reason="OS-OTHER Bash CGI environment variable injection attempt" group="218" srcip="###.###.###.###" dstip="217.114.208.8" proto="6" srcport="37432" dstport="80" sid="31977" class="Attempted Administrator Privilege Gain" priority="1" generator="1" msgid="0"
2015:07:07-12:49:10 OurFirewall snort[24694]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="drop" reason="OS-OTHER Bash CGI environment variable injection attempt" group="218" srcip="###.###.###.###" dstip="217.114.208.8" proto="6" srcport="36602" dstport="80" sid="31977" class="Attempted Administrator Privilege Gain" priority="1" generator="1" msgid="0"


Is someone trying to attack from the internal network to the outside?


What do these error messages tell me?
2015:07:09-07:04:56 OurFirewall snort[24699]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="drop" reason="BROWSER-PLUGINS Oracle JRE Deployment Toolkit ActiveX clsid access attempt" group="110" srcip="185.29.133.34" dstip="###.###.###.###" proto="6" srcport="80" dstport="38617" sid="23878" class="Attempted User Privilege Gain" priority="1" generator="1" msgid="0"
2015:07:09-07:52:58 OurFirewall snort[24690]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="drop" reason="BROWSER-IE Microsoft Internet Explorer IE5 compatibility mode enable attempt" group="320" srcip="87.106.8.42" dstip="###.###.###.###" proto="6" srcport="80" dstport="26649" sid="26850" class="Potential Corporate Privacy Violation" priority="1" generator="1" msgid="0"
2015:07:09-07:53:29 OurFirewall snort[24690]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="drop" reason="BROWSER-IE Microsoft Internet Explorer IE5 compatibility mode enable attempt" group="320" srcip="87.106.8.42" dstip="###.###.###.###" proto="6" srcport="80" dstport="26710" sid="26850" class="Potential Corporate Privacy Violation" priority="1" generator="1" msgid="0"
2015:07:09-07:53:36 OurFirewall snort[24690]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="drop" reason="BROWSER-IE Microsoft Internet Explorer IE5 compatibility mode enable attempt" group="320" srcip="87.106.8.42" dstip="###.###.###.###" proto="6" srcport="80" dstport="26791" sid="26850" class="Potential Corporate Privacy Violation" priority="1" generator="1" msgid="0"
2015:07:09-07:53:55 OurFirewall snort[24690]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="drop" reason="BROWSER-IE Microsoft Internet Explorer IE5 compatibility mode enable attempt" group="320" srcip="87.106.8.42" dstip="###.###.###.###" proto="6" srcport="80" dstport="26913" sid="26850" class="Potential Corporate Privacy Violation" priority="1" generator="1" msgid="0"
2015:07:09-07:54:22 OurFirewall snort[24690]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="drop" reason="BROWSER-IE Microsoft Internet Explorer IE5 compatibility mode enable attempt" group="320" srcip="87.106.8.42" dstip="###.###.###.###" proto="6" srcport="80" dstport="26960" sid="26850" class="Potential Corporate Privacy Violation" priority="1" generator="1" msgid="0"
2015:07:09-08:50:58 OurFirewall snort[24699]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="drop" reason="BROWSER-PLUGINS Oracle JRE Deployment Toolkit ActiveX clsid access attempt" group="110" srcip="185.29.133.58" dstip="###.###.###.###" proto="6" srcport="80" dstport="29056" sid="23878" class="Attempted User Privilege Gain" priority="1" generator="1" msgid="0"
2015:07:09-09:30:22 OurFirewall snort[24694]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="drop" reason="BROWSER-PLUGINS Oracle JRE Deployment Toolkit ActiveX clsid access attempt" group="110" srcip="81.30.144.57" dstip="###.###.###.###" proto="6" srcport="80" dstport="40326" sid="23878" class="Attempted User Privilege Gain" priority="1" generator="1" msgid="0"
2015:07:09-09:39:58 OurFirewall snort[24690]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="drop" reason="BROWSER-IE Microsoft Internet Explorer IE5 compatibility mode enable attempt" group="320" srcip="87.106.8.42" dstip="###.###.###.###" proto="6" srcport="80" dstport="26049" sid="26850" class="Potential Corporate Privacy Violation" priority="1" generator="1" msgid="0"


  • a -> is it from internal to external?
    b -> is it from external to internal?
    Can't tell from the way that the IP has been obfuscated, srcip="87.106.8.42" dstip="###.###.###.###".  If dstip is your IP, then this would be incoming and if so, then some automated vulnerability script is probably trying to target your IP.
    __________________
    ACE v8/SCA v9.3

    ...still have a v5 install disk in a box somewhere.

    http://xkcd.com
    http://www.tedgoff.com/mb
    http://www.projectcartoon.com/cartoon/1
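The direction check the reply above describes (which of srcip/dstip is your own external address) as an added example; this is not code from the thread or from the UTM itself. It parses the key="value" fields of these snort log lines, labels each alert inbound or outbound once you tell it your external IP, and notes whether the matched packet was headed to a service port (a client's request) or came from one (a server's reply), which is a heuristic I added, not something the IPS reports. The sample lines are constructed from the ones posted, with the documentation address 203.0.113.10 standing in for the obfuscated IP; given the poster's follow-up that the obfuscated address is the external one, the Bash CGI alerts come out as outbound requests and the browser alerts as inbound server replies.

```python
import re
from collections import Counter

# Constructed sample in the UTM snort "key=\"value\"" format seen in the thread.
# 203.0.113.10 (a documentation address) stands in for the poster's obfuscated external IP.
SAMPLE_LOG = """\
2015:07:08-08:17:38 OurFirewall snort[24690]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="drop" reason="OS-OTHER Bash CGI environment variable injection attempt" group="218" srcip="203.0.113.10" dstip="212.1.40.2" proto="6" srcport="42616" dstport="80" sid="31977" class="Attempted Administrator Privilege Gain" priority="1" generator="1" msgid="0"
2015:07:07-12:54:35 OurFirewall snort[24694]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="drop" reason="OS-OTHER Bash CGI environment variable injection attempt" group="218" srcip="203.0.113.10" dstip="217.114.208.8" proto="6" srcport="38436" dstport="80" sid="31977" class="Attempted Administrator Privilege Gain" priority="1" generator="1" msgid="0"
2015:07:09-07:52:58 OurFirewall snort[24690]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="drop" reason="BROWSER-IE Microsoft Internet Explorer IE5 compatibility mode enable attempt" group="320" srcip="87.106.8.42" dstip="203.0.113.10" proto="6" srcport="80" dstport="26649" sid="26850" class="Potential Corporate Privacy Violation" priority="1" generator="1" msgid="0"
2015:07:09-07:04:56 OurFirewall snort[24699]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="drop" reason="BROWSER-PLUGINS Oracle JRE Deployment Toolkit ActiveX clsid access attempt" group="110" srcip="185.29.133.34" dstip="203.0.113.10" proto="6" srcport="80" dstport="38617" sid="23878" class="Attempted User Privilege Gain" priority="1" generator="1" msgid="0"
"""

# "<timestamp> <host> <process>[<pid>]: <key="value" ...>"
HEAD_RE = re.compile(r'^(\S+)\s+(\S+)\s+(\w+)\[(\d+)\]:\s*(.*)$')
KV_RE = re.compile(r'(\w+)="([^"]*)"')


def parse_line(line):
    """Split one UTM snort line into a dict of its fields; None if it does not match."""
    m = HEAD_RE.match(line.strip())
    if not m:
        return None
    ts, host, proc, pid, rest = m.groups()
    fields = dict(KV_RE.findall(rest))
    fields.update({"timestamp": ts, "host": host, "process": proc, "pid": pid})
    return fields


def classify_direction(alert, external_ip):
    """The check from the reply: your own address as srcip means outbound, as dstip inbound."""
    if alert.get("srcip") == external_ip:
        return "outbound"
    if alert.get("dstip") == external_ip:
        return "inbound"
    return "unknown"


def initiator_hint(alert):
    """Heuristic (my addition): a well-known destination port means the matched packet was a
    client's request; a well-known source port means it was a server's reply to a client."""
    try:
        sp, dp = int(alert["srcport"]), int(alert["dstport"])
    except (KeyError, ValueError):
        return "unknown"
    if dp < 1024 <= sp:
        return "request"
    if sp < 1024 <= dp:
        return "response"
    return "unknown"


def summarize(log_text, external_ip):
    """Count IPS alerts per (sid, reason, direction, request/response)."""
    counts = Counter()
    for line in log_text.splitlines():
        a = parse_line(line)
        if not a or a.get("sub") != "ips":
            continue
        key = (a["sid"], a["reason"], classify_direction(a, external_ip), initiator_hint(a))
        counts[key] += 1
    return counts


if __name__ == "__main__":
    # Replace 203.0.113.10 with the firewall's real external address.
    for (sid, reason, direction, kind), n in sorted(summarize(SAMPLE_LOG, "203.0.113.10").items()):
        print(f"{n:3d}  sid {sid}  {direction:8s} {kind:8s}  {reason}")
```

Run it against an export of the IPS log with your real external address in place of the placeholder; the direction column answers the "a -> internal to external?" question per alert, and the request/response column tells you whether the signature fired on something a client behind the firewall sent or on a web server's reply to it.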
  • Can't tell from the way that the IP has been obfuscated, srcip="87.106.8.42" dstip="###.###.###.###".  If dstip is your IP, then this would be incoming and if so, then some automated vulnerability script is probably trying to target your IP.



    2015:07:07-12:54:35 OurFirewall snort[24694]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="drop" reason="OS-OTHER Bash CGI environment variable injection attempt" group="218" srcip="###.###.###.###" dstip="217.114.208.8" proto="6" srcport="38436" dstport="80" sid="31977" class="Attempted Administrator Privilege Gain" priority="1" generator="1" msgid="0"


    my external IP is the obfuscated one