This discussion has been locked.

You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Multiple IPS/IDS Up2dates...

Has anyone else experienced multiple IDS/IPS Up2dates today? Since a little after 5:00am this morning we have had 6 signature updates. I looked at the ruleset list and they all appear to be the same. Thanks.

Brent

This thread was automatically locked due to age.

Parents

0 simby over 18 years ago

General information
-------------------
-

New rules
---------
   11966 - WEB-CLIENT Microsoft Internet Explorer CSS tag memory corruption attempt (web-client.rules)
   12009 - SQL Firebird SQL Fbserver Buffer Overflow (sql.rules)
   12014 - WEB-MISC Internet Explorer navcancl.htm url spoofing attempt (web-misc.rules)

Updated rules
-------------
     228 - DDOS TFN client command BE (ddos.rules)
     251 - DDOS - TFN client command LE (ddos.rules)
    1079 - WEB-MISC WebDAV propfind access (web-misc.rules)
    1248 - WEB-FRONTPAGE rad fp30reg.dll access (web-frontpage.rules)
    4754 - NETBIOS DCERPC NCACN-IP-TCP locator nsi_binding_lookup_begin little endian overflow attempt (netbios.rules)
    4755 - NETBIOS DCERPC NCACN-IP-TCP locator nsi_binding_lookup_begin overflow attempt (netbios.rules)
    4758 - NETBIOS SMB locator nsi_binding_lookup_begin WriteAndX andx overflow attempt (netbios.rules)
    4759 - NETBIOS SMB locator nsi_binding_lookup_begin WriteAndX little endian andx overflow attempt (netbios.rules)
    4760 - NETBIOS SMB locator nsi_binding_lookup_begin WriteAndX little endian overflow attempt (netbios.rules)
    4761 - NETBIOS SMB locator nsi_binding_lookup_begin WriteAndX overflow attempt (netbios.rules)
    4762 - NETBIOS SMB locator nsi_binding_lookup_begin WriteAndX unicode andx overflow attempt (netbios.rules)
    4763 - NETBIOS SMB locator nsi_binding_lookup_begin WriteAndX unicode little endian andx overflow attempt (netbios.rules)
    4764 - NETBIOS SMB locator nsi_binding_lookup_begin WriteAndX unicode little endian overflow attempt (netbios.rules)
    4765 - NETBIOS SMB locator nsi_binding_lookup_begin WriteAndX unicode overflow attempt (netbios.rules)
    4766 - NETBIOS SMB locator nsi_binding_lookup_begin andx overflow attempt (netbios.rules)
    4767 - NETBIOS SMB locator nsi_binding_lookup_begin little endian andx overflow attempt (netbios.rules)
    4768 - NETBIOS SMB locator nsi_binding_lookup_begin little endian overflow attempt (netbios.rules)
    4769 - NETBIOS SMB locator nsi_binding_lookup_begin overflow attempt (netbios.rules)
    4770 - NETBIOS SMB locator nsi_binding_lookup_begin unicode andx overflow attempt (netbios.rules)
    4771 - NETBIOS SMB locator nsi_binding_lookup_begin unicode little endian andx overflow attempt (netbios.rules)
    4772 - NETBIOS SMB locator nsi_binding_lookup_begin unicode little endian overflow attempt (netbios.rules)
    4773 - NETBIOS SMB locator nsi_binding_lookup_begin unicode overflow attempt (netbios.rules)
    4790 - NETBIOS SMB-DS locator nsi_binding_lookup_begin WriteAndX andx overflow attempt (netbios.rules)
    4791 - NETBIOS SMB-DS locator nsi_binding_lookup_begin WriteAndX little endian andx overflow attempt (netbios.rules)
    4792 - NETBIOS SMB-DS locator nsi_binding_lookup_begin WriteAndX little endian overflow attempt (netbios.rules)
    4793 - NETBIOS SMB-DS locator nsi_binding_lookup_begin WriteAndX overflow attempt (netbios.rules)
    4794 - NETBIOS SMB-DS locator nsi_binding_lookup_begin WriteAndX unicode andx overflow attempt (netbios.rules)
    4795 - NETBIOS SMB-DS locator nsi_binding_lookup_begin WriteAndX unicode little endian andx overflow attempt (netbios.rules)
    4796 - NETBIOS SMB-DS locator nsi_binding_lookup_begin WriteAndX unicode little endian overflow attempt (netbios.rules)
    4797 - NETBIOS SMB-DS locator nsi_binding_lookup_begin WriteAndX unicode overflow attempt (netbios.rules)
    4798 - NETBIOS SMB-DS locator nsi_binding_lookup_begin andx overflow attempt (netbios.rules)
    4799 - NETBIOS SMB-DS locator nsi_binding_lookup_begin little endian andx overflow attempt (netbios.rules)
    4800 - NETBIOS SMB-DS locator nsi_binding_lookup_begin little endian overflow attempt (netbios.rules)
    4801 - NETBIOS SMB-DS locator nsi_binding_lookup_begin overflow attempt (netbios.rules)
    4802 - NETBIOS SMB-DS locator nsi_binding_lookup_begin unicode andx overflow attempt (netbios.rules)
    4803 - NETBIOS SMB-DS locator nsi_binding_lookup_begin unicode little endian andx overflow attempt (netbios.rules)
    4804 - NETBIOS SMB-DS locator nsi_binding_lookup_begin unicode little endian overflow attempt (netbios.rules)
    4805 - NETBIOS SMB-DS locator nsi_binding_lookup_begin unicode overflow attempt (netbios.rules)
    4822 - NETBIOS DCERPC NCADG-IP-UDP locator nsi_binding_lookup_begin little endian overflow attempt (netbios.rules)
    4823 - NETBIOS DCERPC NCADG-IP-UDP locator nsi_binding_lookup_begin overflow attempt (netbios.rules)
    4824 - NETBIOS DCERPC NCADG-IP-UDP v4 locator nsi_binding_lookup_begin little endian overflow attempt (netbios.rules)
    4825 - NETBIOS DCERPC NCADG-IP-UDP v4 locator nsi_binding_lookup_begin overflow attempt (netbios.rules)
    6410 - WEB-FRONTPAGE frontpage server extension long host string overflow attempt (web-frontpage.rules)
    7724 - BACKDOOR reversable ver1.0 runtime detection - initial connection - flowbit set (backdoor.rules)
    8441 - WEB-MISC McAfee header buffer overflow attempt (web-misc.rules)
   10482 - RPC portmap CA BrightStor ARCserve tcp request (rpc.rules)
   10483 - RPC portmap CA BrightStor ARCserve udp request (rpc.rules)
   10484 - RPC portmap CA BrightStor ARCserve tcp procedure 191 attempt (rpc.rules)
   10485 - RPC portmap CA BrightStor ARCserve udp procedure 191 attempt (rpc.rules)
   11616 - WEB-MISC Symantec Sygate Policy Manager SQL injection (web-misc.rules)
   11834 - WEB-MISC Internet Explorer navcancl.htm url spoofing attempt (web-misc.rules)
   11836 - MISC Visio version number anomaly (misc.rules)

Deleted rules
-------------
    7725 - BACKDOOR reversable ver1.0 runtime detection - initial connection (backdoor.rules)
   10158 - NETBIOS SMB writex possible Snort dcerpc preprocessor overflow attempt (netbios.rules)
   10159 - NETBIOS SMB-DS writex possible Snort dcerpc preprocessor overflow attempt (netbios.rules)
   10160 - NETBIOS-DG SMB writex possible Snort dcerpc preprocessor overflow attempt (netbios.rules)
Cancel
Vote Up 0 Vote Down

Cancel
0 Scott_Klassen over 18 years ago in reply to simby

Same here. Still doing it today as well.

I definately think that something is not right. The most recent V7 IPS list from Astaro shows as being modified on 27 June. On my 220 (6.304), the IPS definitions show as being dated Tue Jun 19 06:47:15 2007, with this recurring download and application of the update Simby posted above. Could anyone else still on 6.X chime in with their definition date, found on the up2date page in webadmin?

__________________
ACE v8/SCA v9.3

...still have a v5 install disk in a box somewhere.

http://xkcd.com
http://www.tedgoff.com/mb
http://www.projectcartoon.com/cartoon/1
Cancel
Vote Up 0 Vote Down

Cancel
0 Gregg_01 over 18 years ago in reply to Scott_Klassen

I've been seeing the same thing for the past three days.

Tue Jun 19 07:47:15 2007

My box is running 6.305
Cancel
Vote Up 0 Vote Down

Cancel
0 Scott_Klassen over 18 years ago in reply to Gregg_01

After applying up2date 6.306, my IPS definitions updated properly to Thu Jun 28 03:30:08 2007. Must have fixed whatever was wrong.

__________________
ACE v8/SCA v9.3

...still have a v5 install disk in a box somewhere.

http://xkcd.com
http://www.tedgoff.com/mb
http://www.projectcartoon.com/cartoon/1
Cancel
Vote Up 0 Vote Down

Cancel
0 VelvetFog over 18 years ago in reply to Scott_Klassen

After applying up2date 6.306, my IPS definitions updated properly to Thu Jun 28 03:30:08 2007. Must have fixed whatever was wrong.
Same here.
Cancel
Vote Up 0 Vote Down

Cancel

Reply

0 VelvetFog over 18 years ago in reply to Scott_Klassen

After applying up2date 6.306, my IPS definitions updated properly to Thu Jun 28 03:30:08 2007. Must have fixed whatever was wrong.
Same here.
Cancel
Vote Up 0 Vote Down

Cancel

Children

0 Gregg_01 over 18 years ago in reply to VelvetFog

Not here. Still showing June 19th and there were a number of downloads during the night.
Cancel
Vote Up 0 Vote Down

Cancel
0 Scott_Klassen over 18 years ago in reply to Gregg_01

If you haven't done so already, try rebooting the Astaro Gregg after applying 6.306. Hopefully the reinitialization of everything will clear out the problem for you.

__________________
ACE v8/SCA v9.3

...still have a v5 install disk in a box somewhere.

http://xkcd.com
http://www.tedgoff.com/mb
http://www.projectcartoon.com/cartoon/1
Cancel
Vote Up 0 Vote Down

Cancel
0 Gregg_01 over 18 years ago in reply to Scott_Klassen

Hi, Scott-

I had actually rebooted just after the upgrade. Just wanted to report that I had three more attempts to download/install last night:

4:27am
4:28am (yes, one minute later)
5:28am

What's got me stumped is that I'd think that we'd see it trying to update the defs every hour after an Up-2-Date was attempted as opposed to just a few times a day.
Cancel
Vote Up 0 Vote Down

Cancel