ASG 8.102 with SMTP-Proxy enabled; the ASG (192.168.130.1) is acting as MX and relays mail to an internal SMTP-Server (192.168.130.101).
Tonight the IPS blocked Astaro's SMTP-Proxy from relaying one email to the internal SMTP-Server, with the following intrusion prevention alert:
##################################
Intrusion Prevention Alert
An intrusion has been detected. The packet has been dropped automatically.
You can toggle this rule between "drop" and "alert only" in WebAdmin.
Details about the intrusion alert:
Message........: SMTP Microsoft Outlook Web Access From field cross-site scripting attempt
Details........: Snort ::
Time...........: 2011:02:23-06:07:00
Packet dropped.: yes
Priority.......: 2 (medium)
Classification.: Misc Attack
IP protocol....: 6 (TCP)
Source IP address: 192.168.130.1 (mx)
- Where are my results?
- Query the RIPE Database
- http://ws.arin.net/cgi-bin/whois.pl?queryinput=192.168.130.1
- APNIC - Query the APNIC Whois Database
Source port: 44456
Destination IP address: 192.168.130.101
- Where are my results?
- Query the RIPE Database
- http://ws.arin.net/cgi-bin/whois.pl?queryinput=192.168.130.101
- APNIC - Query the APNIC Whois Database
Destination port: 25 (smtp)
##################################
All other emails seem to get through with no problems.
I tried to look this IDS rule up, but the Snort website tells me "This rule does not exist in our database."
So now I'm unsure whether it is a false positive and whether I should release the mail by temporarily disabling Snort.
Any hints are welcome!
Cheers!
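Before releasing a held message by switching Snort off globally, it is worth checking what the signature most likely fired on: the alert names the From field, so the header can be inspected directly on the quarantined mail. The script below is an added example and is not code from the original post, from Astaro or from the Snort ruleset; the exact rule body is not shown on the page, so the assumption here is that an "OWA From field cross-site scripting attempt" signature keys on HTML or script markup inside the From header (script tags, other tags, javascript: URIs, on*= event handlers). The sample messages are constructed for the example. RFC 2047 encoded-words are decoded first so an obfuscated display name is inspected in the clear, and the tag pattern is written so that a normal angle-address like <alice@example.org> is not flagged.

```python
import email
import re
from email.header import decode_header

# Constructed sample messages (not from the original post).
# CLEAN_MSG mimics an ordinary relayed mail; SUSPECT_MSG carries markup in the
# From display name of the kind the named signature would plausibly match;
# ENCODED_MSG hides the same markup behind an RFC 2047 Q-encoded word.
CLEAN_MSG = b"""From: Alice Example <alice@example.org>
To: bob@example.net
Subject: Quarterly report
Message-ID: <clean-1@example.org>

Hi Bob, see attached.
"""

SUSPECT_MSG = b"""From: "<script>alert(1)</script>" <mallory@example.org>
To: bob@example.net
Subject: Hello
Message-ID: <suspect-1@example.org>

Nothing to see here.
"""

ENCODED_MSG = b"""From: =?utf-8?Q?=3Cscript=3Ealert=281=29=3C=2Fscript=3E?= <mallory@example.org>
To: bob@example.net
Subject: Hello again
Message-ID: <suspect-2@example.org>

Still nothing to see here.
"""

# Assumed approximation of what the Snort signature looks for in the From
# header. The "html tag" pattern requires a tag name followed by whitespace or
# ">" so that an angle-address such as <alice@example.org> does not match.
XSS_PATTERNS = {
    "script tag": re.compile(r"<\s*script\b", re.I),
    "html tag": re.compile(r"<\s*/?\s*[a-z][a-z0-9]*(\s[^>]*)?>", re.I),
    "javascript uri": re.compile(r"javascript\s*:", re.I),
    "event handler": re.compile(r"\bon[a-z]+\s*=", re.I),
}


def decoded_from(raw: bytes) -> str:
    """Return the From header with any RFC 2047 encoded-words decoded."""
    msg = email.message_from_bytes(raw)
    parts = []
    for chunk, charset in decode_header(msg.get("From", "")):
        if isinstance(chunk, bytes):
            try:
                chunk = chunk.decode(charset or "ascii", errors="replace")
            except LookupError:  # unknown charset label: fall back to latin-1
                chunk = chunk.decode("latin-1", errors="replace")
        parts.append(chunk)
    return " ".join(parts)


def from_header_findings(raw: bytes) -> list[str]:
    """Names of the XSS-style patterns present in the decoded From header."""
    value = decoded_from(raw)
    return [name for name, pat in XSS_PATTERNS.items() if pat.search(value)]


def release_decision(raw: bytes) -> str:
    """'release' when the From header carries no markup (the IPS hit was most
    likely a false positive); 'hold' when it does and the mail needs a look."""
    return "hold" if from_header_findings(raw) else "release"


if __name__ == "__main__":
    for label, raw in (("clean", CLEAN_MSG), ("suspect", SUSPECT_MSG),
                       ("encoded", ENCODED_MSG)):
        print(f"{label:8s} From={decoded_from(raw)!r} "
              f"findings={from_header_findings(raw)} -> {release_decision(raw)}")
```

Run it against the actual held message (as bytes) instead of the constructed samples; if the From header comes back with no findings, the alert is very probably a false positive for this rule and the "alert only" toggle mentioned in the alert text is a narrower way to let the mail through than disabling Snort altogether.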