This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

different IPS-Errors

I think I have a similar problem.

2015:07:08-08:17:38 OurFirewall snort[24690]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="drop" reason="OS-OTHER Bash CGI environment variable injection attempt" group="218" srcip="###.###.###.###" dstip="212.1.40.2" proto="6" srcport="42616" dstport="80" sid="31977" class="Attempted Administrator Privilege Gain" priority="1" generator="1" msgid="0"
2015:07:08-08:17:19 OurFirewall snort[24690]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="drop" reason="OS-OTHER Bash CGI environment variable injection attempt" group="218" srcip="###.###.###.###" dstip="212.1.40.2" proto="6" srcport="42569" dstport="80" sid="31977" class="Attempted Administrator Privilege Gain" priority="1" generator="1" msgid="0"
2015:07:08-08:17:04 OurFirewall snort[24690]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="drop" reason="OS-OTHER Bash CGI environment variable injection attempt" group="218" srcip="###.###.###.###" dstip="212.1.40.2" proto="6" srcport="42492" dstport="80" sid="31977" class="Attempted Administrator Privilege Gain" priority="1" generator="1" msgid="0"
2015:07:08-08:16:47 OurFirewall snort[24690]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="drop" reason="OS-OTHER Bash CGI environment variable injection attempt" group="218" srcip="###.###.###.###" dstip="212.1.40.2" proto="6" srcport="42431" dstport="80" sid="31977" class="Attempted Administrator Privilege Gain" priority="1" generator="1" msgid="0"
2015:07:08-08:16:31 OurFirewall snort[24690]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="drop" reason="OS-OTHER Bash CGI environment variable injection attempt" group="218" srcip="###.###.###.###" dstip="212.1.40.2" proto="6" srcport="42381" dstport="80" sid="31977" class="Attempted Administrator Privilege Gain" priority="1" generator="1" msgid="0"
2015:07:07-12:59:20 OurFirewall snort[24694]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="drop" reason="OS-OTHER Bash CGI environment variable injection attempt" group="218" srcip="###.###.###.###" dstip="217.114.208.8" proto="6" srcport="41930" dstport="80" sid="31977" class="Attempted Administrator Privilege Gain" priority="1" generator="1" msgid="0"
2015:07:07-12:59:00 OurFirewall snort[24694]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="drop" reason="OS-OTHER Bash CGI environment variable injection attempt" group="218" srcip="###.###.###.###" dstip="217.114.208.8" proto="6" srcport="41663" dstport="80" sid="31977" class="Attempted Administrator Privilege Gain" priority="1" generator="1" msgid="0"
2015:07:07-12:58:09 OurFirewall snort[24694]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="drop" reason="OS-OTHER Bash CGI environment variable injection attempt" group="218" srcip="###.###.###.###" dstip="217.114.208.8" proto="6" srcport="41041" dstport="80" sid="31977" class="Attempted Administrator Privilege Gain" priority="1" generator="1" msgid="0"
2015:07:07-12:56:17 OurFirewall snort[24694]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="drop" reason="OS-OTHER Bash CGI environment variable injection attempt" group="218" srcip="###.###.###.###" dstip="217.114.208.8" proto="6" srcport="39002" dstport="80" sid="31977" class="Attempted Administrator Privilege Gain" priority="1" generator="1" msgid="0"
2015:07:07-12:54:35 OurFirewall snort[24694]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="drop" reason="OS-OTHER Bash CGI environment variable injection attempt" group="218" srcip="###.###.###.###" dstip="217.114.208.8" proto="6" srcport="38436" dstport="80" sid="31977" class="Attempted Administrator Privilege Gain" priority="1" generator="1" msgid="0"
2015:07:07-12:50:55 OurFirewall snort[24694]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="drop" reason="OS-OTHER Bash CGI environment variable injection attempt" group="218" srcip="###.###.###.###" dstip="217.114.208.8" proto="6" srcport="37432" dstport="80" sid="31977" class="Attempted Administrator Privilege Gain" priority="1" generator="1" msgid="0"
2015:07:07-12:49:10 OurFirewall snort[24694]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="drop" reason="OS-OTHER Bash CGI environment variable injection attempt" group="218" srcip="###.###.###.###" dstip="217.114.208.8" proto="6" srcport="36602" dstport="80" sid="31977" class="Attempted Administrator Privilege Gain" priority="1" generator="1" msgid="0"


Is someone trying to attack from the internal network to the outside?


What do these error messages tell me?
2015:07:09-07:04:56 OurFirewall snort[24699]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="drop" reason="BROWSER-PLUGINS Oracle JRE Deployment Toolkit ActiveX clsid access attempt" group="110" srcip="185.29.133.34" dstip="###.###.###.###" proto="6" srcport="80" dstport="38617" sid="23878" class="Attempted User Privilege Gain" priority="1" generator="1" msgid="0"
2015:07:09-07:52:58 OurFirewall snort[24690]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="drop" reason="BROWSER-IE Microsoft Internet Explorer IE5 compatibility mode enable attempt" group="320" srcip="87.106.8.42" dstip="###.###.###.###" proto="6" srcport="80" dstport="26649" sid="26850" class="Potential Corporate Privacy Violation" priority="1" generator="1" msgid="0"
2015:07:09-07:53:29 OurFirewall snort[24690]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="drop" reason="BROWSER-IE Microsoft Internet Explorer IE5 compatibility mode enable attempt" group="320" srcip="87.106.8.42" dstip="###.###.###.###" proto="6" srcport="80" dstport="26710" sid="26850" class="Potential Corporate Privacy Violation" priority="1" generator="1" msgid="0"
2015:07:09-07:53:36 OurFirewall snort[24690]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="drop" reason="BROWSER-IE Microsoft Internet Explorer IE5 compatibility mode enable attempt" group="320" srcip="87.106.8.42" dstip="###.###.###.###" proto="6" srcport="80" dstport="26791" sid="26850" class="Potential Corporate Privacy Violation" priority="1" generator="1" msgid="0"
2015:07:09-07:53:55 OurFirewall snort[24690]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="drop" reason="BROWSER-IE Microsoft Internet Explorer IE5 compatibility mode enable attempt" group="320" srcip="87.106.8.42" dstip="###.###.###.###" proto="6" srcport="80" dstport="26913" sid="26850" class="Potential Corporate Privacy Violation" priority="1" generator="1" msgid="0"
2015:07:09-07:54:22 OurFirewall snort[24690]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="drop" reason="BROWSER-IE Microsoft Internet Explorer IE5 compatibility mode enable attempt" group="320" srcip="87.106.8.42" dstip="###.###.###.###" proto="6" srcport="80" dstport="26960" sid="26850" class="Potential Corporate Privacy Violation" priority="1" generator="1" msgid="0"
2015:07:09-08:50:58 OurFirewall snort[24699]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="drop" reason="BROWSER-PLUGINS Oracle JRE Deployment Toolkit ActiveX clsid access attempt" group="110" srcip="185.29.133.58" dstip="###.###.###.###" proto="6" srcport="80" dstport="29056" sid="23878" class="Attempted User Privilege Gain" priority="1" generator="1" msgid="0"
2015:07:09-09:30:22 OurFirewall snort[24694]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="drop" reason="BROWSER-PLUGINS Oracle JRE Deployment Toolkit ActiveX clsid access attempt" group="110" srcip="81.30.144.57" dstip="###.###.###.###" proto="6" srcport="80" dstport="40326" sid="23878" class="Attempted User Privilege Gain" priority="1" generator="1" msgid="0"
2015:07:09-09:39:58 OurFirewall snort[24690]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="drop" reason="BROWSER-IE Microsoft Internet Explorer IE5 compatibility mode enable attempt" group="320" srcip="87.106.8.42" dstip="###.###.###.###" proto="6" srcport="80" dstport="26049" sid="26850" class="Potential Corporate Privacy Violation" priority="1" generator="1" msgid="0"
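The two groups of alerts above differ in which side of the firewall originated the flagged bytes, and that is the first thing to settle when reading them. The script below is an added example, not code from the original post or from Sophos or Snort: it parses the UTM's key="value" alert format, works out the direction of each alert against an assumed internal address range (RFC 1918 space; the poster's masked ###.###.###.### is replaced by the constructed placeholders 10.0.0.5 and 10.0.0.7), and groups alerts by Snort SID together with the snort.org rule_docs URL where the rule can be looked up. The four sample lines are copied from the thread with only the masked addresses substituted.

```python
"""Triage for Sophos UTM (SecureNet/snort) IPS log lines.

Added example, not code from the original post or from Sophos/Snort.
Parses the key="value" alert format shown in the thread, classifies each
alert's direction against an assumed internal address range, and groups
alerts by Snort SID with the snort.org rule_docs URL for lookup.
"""
import re
from ipaddress import ip_address, ip_network

# Assumption: the LAN behind OurFirewall uses RFC 1918 space. The poster
# masked their internal address as ###.###.###.###; 10.0.0.5 / 10.0.0.7
# below are constructed placeholders standing in for it.
INTERNAL_NETS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample: four lines from the thread, masked IPs replaced.
SAMPLE_LOG = """\
2015:07:08-08:17:38 OurFirewall snort[24690]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="drop" reason="OS-OTHER Bash CGI environment variable injection attempt" group="218" srcip="10.0.0.5" dstip="212.1.40.2" proto="6" srcport="42616" dstport="80" sid="31977" class="Attempted Administrator Privilege Gain" priority="1" generator="1" msgid="0"
2015:07:07-12:59:20 OurFirewall snort[24694]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="drop" reason="OS-OTHER Bash CGI environment variable injection attempt" group="218" srcip="10.0.0.5" dstip="217.114.208.8" proto="6" srcport="41930" dstport="80" sid="31977" class="Attempted Administrator Privilege Gain" priority="1" generator="1" msgid="0"
2015:07:09-07:04:56 OurFirewall snort[24699]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="drop" reason="BROWSER-PLUGINS Oracle JRE Deployment Toolkit ActiveX clsid access attempt" group="110" srcip="185.29.133.34" dstip="10.0.0.7" proto="6" srcport="80" dstport="38617" sid="23878" class="Attempted User Privilege Gain" priority="1" generator="1" msgid="0"
2015:07:09-07:52:58 OurFirewall snort[24690]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="drop" reason="BROWSER-IE Microsoft Internet Explorer IE5 compatibility mode enable attempt" group="320" srcip="87.106.8.42" dstip="10.0.0.7" proto="6" srcport="80" dstport="26649" sid="26850" class="Potential Corporate Privacy Violation" priority="1" generator="1" msgid="0"
"""

# "<timestamp> <host> <process>: <key="value" ...>" as written by the UTM
LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<proc>[^:]+): (?P<body>.*)$")
KV_RE = re.compile(r'(\w+)="([^"]*)"')


def parse_line(line):
    """Return a dict of the line's fields, or None if it is not UTM syslog shape."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = {"ts": m.group("ts"), "host": m.group("host"), "proc": m.group("proc")}
    rec.update(KV_RE.findall(m.group("body")))  # id, severity, srcip, sid, ...
    return rec


def is_internal(ip):
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def direction(rec):
    src_in, dst_in = is_internal(rec["srcip"]), is_internal(rec["dstip"])
    if src_in and not dst_in:
        return "outbound"
    if dst_in and not src_in:
        return "inbound"
    return "internal" if src_in else "transit"


def triage(rec):
    """Say which side produced the flagged bytes, using the well-known port.

    The payload travels from srcip to dstip. For TCP/80 the side holding
    port 80 is the web server, so an outbound hit with dstport=80 is a
    request the internal host sent, and an inbound hit with srcport=80 is
    content a remote web server returned to an internal client (browser).
    """
    d = direction(rec)
    if d == "outbound" and rec["dstport"] == "80":
        return "request sent by internal host"
    if d == "inbound" and rec["srcport"] == "80":
        return "response from external web server to internal client"
    return d


def summarize(log_text):
    """Group IPS alerts by SID: counts, hosts on each side, rule_docs URL."""
    summary = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not rec or rec.get("sub") != "ips":
            continue
        sid = rec["sid"]
        e = summary.setdefault(sid, {
            "reason": rec["reason"],
            "class": rec["class"],
            "actions": set(),
            "count": 0,
            "kinds": set(),
            "internal_hosts": set(),
            "remote_hosts": set(),
            "url": f"https://www.snort.org/rule_docs/{sid}",
        })
        e["count"] += 1
        e["actions"].add(rec["action"])
        e["kinds"].add(triage(rec))
        for ip in (rec["srcip"], rec["dstip"]):
            (e["internal_hosts"] if is_internal(ip) else e["remote_hosts"]).add(ip)
    return summary


if __name__ == "__main__":
    for sid, e in sorted(summarize(SAMPLE_LOG).items()):
        print(f"sid {sid}: {e['count']}x {e['reason']} [{e['class']}]")
        print(f"   kinds={sorted(e['kinds'])} internal={sorted(e['internal_hosts'])}")
        print(f"   remote={sorted(e['remote_hosts'])} doc={e['url']}")
```

Run against the sample, sid 31977 comes out as "request sent by internal host": the internal address is the TCP client (ephemeral source port, destination port 80), so the Shellshock-style CGI header pattern was in a request that host sent to the two external web servers, which is the case worth following up on the internal machine (what process opened those connections). The sids 23878 and 26850 come out as "response from external web server to internal client": source port 80 means the matched bytes were in pages those servers returned to a browser on the LAN, which is why they look "exclusively inbound" and recur whenever someone visits the same sites. The action="drop" field in every line records that the UTM already blocked the flow.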


  • Hello everyone, I have only just discovered the German part of the forum,

    so I'm asking my question here again [:)]

    Could it be that something on the internal network is trying to exploit the ShellShock vulnerability against external servers?

    What do these messages tell me? They are exclusively inbound, but they show up regularly.

    edit: BROWSER-IE Microsoft Internet Explorer IE5 compatibility mode enable attempt -> https://www.snort.org/rule_docs/26850 (Page not found)
  • @Hoebra:  
    What do these error messages tell me?
    These rules are being triggered on your UTM. Using the SID number in the logs, you can research specific rules at snort.org, e.g. https://www.snort.org/rule_docs/31977.
    __________________
    ACE v8/SCA v9.3

    ...still have a v5 install disk in a box somewhere.

    http://xkcd.com
    http://www.tedgoff.com/mb
    http://www.projectcartoon.com/cartoon/1