This discussion has been locked.

You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Download files - *.rar extension + IPS rule 9998

Astaro 6.105

If the Intrusion Protection Rule - " MULTIMEDIA realplayer .ra download attempt - ID 9998 " to be in a condition enable and "action" in a condition - drop at loading a file of type with expansion ".rar" it is seen in a file ips.log the message:

2006:03:09-15:13:21 (none) snort [23219]: [1:9998:0] A MULTIMEDIA realplayer .ra download attempt [Classification: Misc activity] [Priority: 3]:  {PROTO006} 192.168.xxx.xxx:1485-> xxx.xxx.xxx.xxx:80
2006:03:09-15:13:25 (none) snort [23219]: [1:9998:0] A MULTIMEDIA realplayer .ra download attempt [Classification: Misc activity] [Priority: 3]:  {PROTO006} 192.168.xxx.xxx:1486-> xxx.xxx.xxx.xxx:80
2006:03:09-15:13:26 (none) snort [23219]: [1:9998:0] A MULTIMEDIA realplayer .ra download attempt [Classification: Misc activity] [Priority: 3]:  {PROTO006} 192.168.xxx.xxx:1487-> xxx.xxx.xxx.xxx:80
2006:03:09-15:13:27 (none) snort [23219]: [1:9998:0] A MULTIMEDIA realplayer .ra download attempt [Classification: Misc activity] [Priority: 3]:  {PROTO006} 192.168.xxx.xxx:1488-> xxx.xxx.xxx.xxx:80
2006:03:09-15:13:31 (none) snort [23219]: [1:9998:0] A MULTIMEDIA realplayer .ra download attempt [Classification: Misc activity] [Priority: 3]:  {PROTO006} 192.168.xxx.xxx:1489-> xxx.xxx.xxx.xxx:80

And the file is not loaded

This thread was automatically locked due to age.

Parents

0 NimmdirKeks over 19 years ago

Strange, never had this filter triggered by a *.rar download. But will test it again.

Tested it, didn't get triggered by *.rar download. Latest IPS patterns.
Cancel
Vote Up 0 Vote Down

Cancel

Reply

0 NimmdirKeks over 19 years ago

Strange, never had this filter triggered by a *.rar download. But will test it again.

Tested it, didn't get triggered by *.rar download. Latest IPS patterns.
Cancel
Vote Up 0 Vote Down

Cancel

Children

No Data