
Newbie IPS question

I have the IPS default policy set to drop silently and all the attack patterns are set to drop. However, the following attack was not dropped as I would expect. Am I doing something wrong?

192.168.1.60 is the WAN interface of the ASG.

2009:03:19-23:08:06 Astaro barnyard[4095]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="alert" reason="ICMP Destination Unreachable Communication Administratively Prohibited" group="420" srcip="91.18.54.6" dstip="192.168.1.60" proto="1" srcport="3" dstport="13" sid="485" class="Misc activity" priority="3" generator="1" msgid="0"
2009:03:19-23:12:57 Astaro barnyard[4095]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="alert" reason="ICMP Destination Unreachable Communication Administratively Prohibited" group="420" srcip="91.18.54.6" dstip="192.168.1.60" proto="1" srcport="3" dstport="13" sid="485" class="Misc activity" priority="3" generator="1" msgid="0"

Intrusion Protection Alert

An intrusion has been detected. The packet has *not* been dropped.
If you want to block packets like this one in the future,
set the corresponding intrusion protection rule to "drop" in WebAdmin.
Be careful not to block legitimate traffic caused by false alerts though.

Details about the intrusion alert:

Message........: ICMP Destination Unreachable Communication Administratively Prohibited
Details........: http://www.snort.org/pub-bin/sigs.cgi?sid=485
Time...........: 2009:03:19-23:12:57
Packet dropped.: no
Priority.......: 3 (low)
Classification.: Misc activity
IP protocol....: 1 (ICMP)

Source IP address: 91.18.54.6 (p5B123606.dip0.t-ipconnect.de)
http://www.dnsstuff.com/tools/ptr.ch?ip=91.18.54.6
http://www.ripe.net/perl/whois?query=91.18.54.6
http://ws.arin.net/cgi-bin/whois.pl?queryinput=91.18.54.6
http://cgi.apnic.net/apnic-bin/whois.pl?search=91.18.54.6
Source port: 3
Destination IP address: 192.168.1.60 (Astaro)
http://www.dnsstuff.com/tools/ptr.ch?ip=192.168.1.60
http://www.ripe.net/perl/whois?query=192.168.1.60
http://ws.arin.net/cgi-bin/whois.pl?queryinput=192.168.1.60
http://cgi.apnic.net/apnic-bin/whois.pl?search=192.168.1.60
Destination port: 13
Can someone confirm that the following is the way to solve the issue:

Network Security >> Intrusion Protection >> Advanced, and add the relevant rule IDs (2103, 2102, 3264, 3335) with the drop action
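
As an added example (not code from this thread or from Astaro), here is a small Python parser for the barnyard IPS log lines quoted above: it splits the key="value" fields apart and flags events whose action is still "alert" for signatures you expect to drop, which is the check behind this question. The first two sample lines are the ones quoted in the post; the third is constructed for contrast, and the field meanings are assumed from the quoted lines.

```python
import re
from dataclasses import dataclass

# Constructed sample: the first two lines are the alerts quoted in the thread,
# the third is an invented "drop" event added here for contrast.
SAMPLE_LOG = """\
2009:03:19-23:08:06 Astaro barnyard[4095]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="alert" reason="ICMP Destination Unreachable Communication Administratively Prohibited" group="420" srcip="91.18.54.6" dstip="192.168.1.60" proto="1" srcport="3" dstport="13" sid="485" class="Misc activity" priority="3" generator="1" msgid="0"
2009:03:19-23:12:57 Astaro barnyard[4095]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="alert" reason="ICMP Destination Unreachable Communication Administratively Prohibited" group="420" srcip="91.18.54.6" dstip="192.168.1.60" proto="1" srcport="3" dstport="13" sid="485" class="Misc activity" priority="3" generator="1" msgid="0"
2009:03:19-23:20:11 Astaro barnyard[4095]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="drop" reason="CONSTRUCTED SAMPLE" group="420" srcip="192.0.2.10" dstip="192.168.1.60" proto="6" srcport="40000" dstport="80" sid="99999" class="Misc activity" priority="2" generator="1" msgid="0"
"""

KV_RE = re.compile(r'(\w+)="([^"]*)"')                       # key="value" pairs
PREFIX_RE = re.compile(r'^(\S+) (\S+) barnyard\[\d+\]: ')    # timestamp host barnyard[pid]:

@dataclass
class IpsEvent:
    time: str
    fields: dict

def parse_line(line):
    """Parse one barnyard IPS line; return None for lines in another format."""
    m = PREFIX_RE.match(line)
    if not m:
        return None
    return IpsEvent(time=m.group(1), fields=dict(KV_RE.findall(line[m.end():])))

def find_alert_only(log_text, expected_drop_sids=None):
    """Return IPS events that only alerted; restrict to expected_drop_sids if given."""
    findings = []
    for raw in log_text.splitlines():
        ev = parse_line(raw)
        if ev is None or ev.fields.get("sub") != "ips":
            continue
        if expected_drop_sids is not None and ev.fields.get("sid") not in expected_drop_sids:
            continue
        if ev.fields.get("action") != "drop":
            findings.append(ev)
    return findings

def summarize(events):
    """Count alert-only hits per (sid, srcip) so a repeating source stands out."""
    counts = {}
    for ev in events:
        key = (ev.fields.get("sid"), ev.fields.get("srcip"))
        counts[key] = counts.get(key, 0) + 1
    return counts
```

Run `summarize(find_alert_only(open("/path/to/ips.log").read(), {"485"}))` against your own log to see which signatures still alert rather than drop after the change.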
  • Wingman, I submitted the inability to disable notification as a potential bug last week after I did a little test because of tubyyy's post.  Astaro Support US emailed me today that they had confirmed it.

    Depending on your situation, it's likely that there is "good" traffic that gets dumped if you haven't tuned your IPS already.

    Cheers - Bob


    Thanks for the reply, BAlfson.

    I am still getting only alerts, and all fields are on the drop action and NOT alert.

    I will try to investigate further. Do you have similar issues?