This discussion has been locked.

You can no longer post new replies to this discussion. If you have a question you can start a new discussion

ASTARO certificate expired

Hi there,

the "beta.astaro" certificate on the Authentication Server 212.126.210.201:443, originator mgrman@astaro.com, expired on 02-14-2005.

Is this the reason for the false Intrusion Protection Event notifications?

tov

ASL 5.214

This thread was automatically locked due to age.

0 andreas over 18 years ago

Which Intrusion Protection Event notifications do you refer to?

Cheers,
andreas
Cancel
Vote Up 0 Vote Down

Cancel
0 tov over 18 years ago in reply to andreas

Andreas,

"A packet was identified that may be part of an intrusion attempt.
The packet was detected by the Intrusion Detection system. The matching
rule classified this as highest priority level. The packet properties
and the alert reason are:

[1:2515:0] A WEB-MISC PCT Client_Hello overflow attempt [Classification: Attempted Administrator Privilege Gain] [Priority: 1]: {PROTO006} 192.168.1.1:47938 -> 212.126.210.201:443"

tov
Cancel
Vote Up 0 Vote Down

Cancel
0 andreas over 18 years ago in reply to tov

Snort ID 2515: (this is also known as: nessus,12205 | cve,2003-0719 | bugtraq,10116)

Microsoft Windows Private Communications Transport Protocol Buffer Overrun Vulnerability
www.microsoft.com/technet/security/bulletin/MS04-011.mspx

As far as I understand (I am not the IDS expert) this is just a false positive which is triggered because parts of the data look similar to packets which can be used to exploit MS Windows Systems. The rule matches on the request, not on the response, so the expired certificate is not the problem.

The expired certificate also has no technical implications to the up2date service, since we don't use SSL to enforce authorisation (up2date packages are gpg signed anyway).

Cheers,
andreas
Cancel
Vote Up 0 Vote Down

Cancel