This discussion has been locked.

You can no longer post new replies to this discussion. If you have a question you can start a new discussion

[7.305] IPS rules too aggressive

I've been pulling my hair out for several hours, trying to figure out why the web servers I'm setting up behind Astaro stopped working...

I was viewing the "Apache 2 Test Page" on the servers, and setting up NAT, etc. on the firewall, and suddenly the test page stopped working, but sniffers showed the http traffic flowing.

It turns out that it broke when I enabled the IPS, because the Apache Test Page uses a http 403 response for whatever reason.

This leads me to wonder why the snort rule "ATTACK-RESPONSES 403 Forbidden" is set to DROP in the IPS... this seems extreme.

Did I accidentally screw it up, or is that how it's setup?

Thanks,
Barry

This thread was automatically locked due to age.

0 Jack Daniel over 16 years ago

You didn't screw up, the behavior of SID 1201 is a bit aggressive for many. Since it is "only" a recon, not an active attack, you may want to simply disable the SID.
Cancel
Vote Up 0 Vote Down

Cancel
0 BarryG over 16 years ago in reply to Jack Daniel

OK; I modified the rule to alert.

ISTM that it should be set to ALERT, not DROP, by default.

BTW, where do the alerts go? I'm not getting any emails on them, but I do get emails for backups and executive reports.

Thanks,
Barry
Cancel
Vote Up 0 Vote Down

Cancel
0 BrucekConvergent over 16 years ago in reply to BarryG

You can configure where IPS alerts go (and whether you get them) under Management/Notifications...
Cancel
Vote Up 0 Vote Down

Cancel
0 BarryG over 16 years ago in reply to BrucekConvergent

Ahh... quite different than v6... I'll set it up to email the CRIT ones.

I also see settings for an "external SMTP server" there; I'm assuming using that replaces the need to set a smarthost in the smtp settings when not actually using the smtp proxy?

Thanks,
Barry
Cancel
Vote Up 0 Vote Down

Cancel