
Newbie IPS question

I have the IPS default policy to drop silently and all the attack patterns are set to drop. However, the following attack was not dropped as I would expect. Am I doing something wrong?

192.168.1.60 is the Wan interface of ASG



2009:03:19-23:08:06 Astaro barnyard[4095]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="alert" reason="ICMP Destination Unreachable Communication Administratively Prohibited" group="420" srcip="91.18.54.6" dstip="192.168.1.60" proto="1" srcport="3" dstport="13" sid="485" class="Misc activity" priority="3" generator="1" msgid="0"
2009:03:19-23:12:57 Astaro barnyard[4095]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="alert" reason="ICMP Destination Unreachable Communication Administratively Prohibited" group="420" srcip="91.18.54.6" dstip="192.168.1.60" proto="1" srcport="3" dstport="13" sid="485" class="Misc activity" priority="3" generator="1" msgid="0" 



Intrusion Protection Alert

An intrusion has been detected. The packet has *not* been dropped.
If you want to block packets like this one in the future,
set the corresponding intrusion protection rule to "drop" in WebAdmin.
Be careful not to block legitimate traffic caused by false alerts though.

Details about the intrusion alert:

Message........: ICMP Destination Unreachable Communication Administratively Prohibited
Details........: http://www.snort.org/pub-bin/sigs.cgi?sid=485
Time...........: 2009:03:19-23:12:57
Packet dropped.: no
Priority.......: 3 (low)
Classification.: Misc activity
IP protocol....: 1 (ICMP)

Source IP address: 91.18.54.6 (p5B123606.dip0.t-ipconnect.de)
http://www.dnsstuff.com/tools/ptr.ch?ip=91.18.54.6
http://www.ripe.net/perl/whois?query=91.18.54.6
http://ws.arin.net/cgi-bin/whois.pl?queryinput=91.18.54.6
http://cgi.apnic.net/apnic-bin/whois.pl?search=91.18.54.6
Source port: 3
Destination IP address: 192.168.1.60 (Astaro)
http://www.dnsstuff.com/tools/ptr.ch?ip=192.168.1.60
http://www.ripe.net/perl/whois?query=192.168.1.60
http://ws.arin.net/cgi-bin/whois.pl?queryinput=192.168.1.60
http://cgi.apnic.net/apnic-bin/whois.pl?search=192.168.1.60
Destination port: 13




Can someone confirm that the following is the way to solve the issue:

network security>>Intrusion Protection>>advanced and add the relevant rule ids (2103,2102,3264,3335) with drop action


  • The "ICMP Destination Unreachable Communication Administratively Prohibited" rule can be a nuisance. I have it disabled.

    I'm not sure what you're trying to accomplish... is your torrent client working or not?

    Barry


    I have my desktop pc (192.168.2.40) which has a torrent (utorrent) client. I have the dnat rule and packet filters and everything works fine. I am just getting those blocked attacks for this specific host.
  • OK. Aside from disabling that rule (which it sounds like you're trying to do), I would also look at the IPS log and try to figure out if it's coming from people trying to hit your network, or from you trying to hit other networks.

    Barry


    Hello Barry

    Below is part of the IPS log

    2009:04:15-00:00:03 Astaro ulogd[3235]: id="2102" severity="info" sys="SecureNet" sub="ips" name="portscan detected" action="portscan" fwrule="60017" seq="0" initf="eth1" outitf="eth1" dstmac="00:b0:c2:02:e4:4f" srcmac="00:b0:c2:02:e3:c7" srcip="192.168.2.40" dstip="77.49.209.175" proto="6" length="48" tos="0x00" prec="0x00" ttl="127" srcport="20000" dstport="41493" tcpflags="SYN" 
    2009:04:15-00:00:03 Astaro ulogd[3235]: id="2102" severity="info" sys="SecureNet" sub="ips" name="portscan detected" action="portscan" fwrule="60017" seq="0" initf="eth1" outitf="eth1" dstmac="00:b0:c2:02:e4:4f" srcmac="00:b0:c2:02:e3:c7" srcip="192.168.2.40" dstip="77.49.35.102" proto="6" length="48" tos="0x00" prec="0x00" ttl="127" srcport="20000" dstport="49899" tcpflags="SYN" 
    2009:04:15-00:00:03 Astaro ulogd[3235]: id="2102" severity="info" sys="SecureNet" sub="ips" name="portscan detected" action="portscan" fwrule="60017" seq="0" initf="eth1" outitf="eth1" dstmac="00:b0:c2:02:e4:4f" srcmac="00:b0:c2:02:e3:c7" srcip="192.168.2.40" dstip="94.68.157.231" proto="6" length="48" tos="0x00" prec="0x00" ttl="127" srcport="20000" dstport="39817" tcpflags="SYN" 
    2009:04:15-00:00:03 Astaro ulogd[3235]: id="2102" severity="info" sys="SecureNet" sub="ips" name="portscan detected" action="portscan" fwrule="60017" seq="0" initf="eth1" outitf="eth1" dstmac="00:b0:c2:02:e4:4f" srcmac="00:b0:c2:02:e3:c7" srcip="192.168.2.40" dstip="92.118.18.87" proto="6" length="48" tos="0x00" prec="0x00" ttl="127" srcport="20000" dstport="29577" tcpflags="SYN" 
    2009:04:15-00:00:04 Astaro ulogd[3235]: id="2102" severity="info" sys="SecureNet" sub="ips" name="portscan detected" action="portscan" fwrule="60017" seq="0" initf="eth1" outitf="eth1" dstmac="00:b0:c2:02:e4:4f" srcmac="00:b0:c2:02:e3:c7" srcip="192.168.2.40" dstip="94.70.38.156" proto="6" length="48" tos="0x00" prec="0x00" ttl="127" srcport="20000" dstport="47917" tcpflags="SYN"
    2009:04:15-00:00:04 Astaro ulogd[3235]: id="2102" severity="info" sys="SecureNet" sub="ips" name="portscan detected" action="portscan" fwrule="60017" seq="0" initf="eth1" outitf="eth1" dstmac="00:b0:c2:02:e4:4f" srcmac="00:b0:c2:02:e3:c7" srcip="192.168.2.40" dstip="94.70.38.156" proto="6" length="48" tos="0x00" prec="0x00" ttl="127" srcport="20000" dstport="47917" tcpflags="SYN" 
    2009:04:15-00:02:59 Astaro barnyard[16353]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="drop" reason="ICMP Destination Unreachable Communication with Destination Host is Administratively Prohibited" group="420" srcip="74.77.49.156" dstip="192.168.2.40" proto="1" srcport="3" dstport="10" sid="486" class="Misc activity" priority="3"  generator="1" msgid="0"
    2009:04:15-00:04:56 Astaro barnyard[16353]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="drop" reason="ICMP Destination Unreachable Communication Administratively Prohibited" group="420" srcip="79.166.5.141" dstip="192.168.2.40" proto="1" srcport="3" dstport="13" sid="485" class="Misc activity" priority="3"  generator="1" msgid="0"
    2009:04:15-00:04:58 Astaro barnyard[16353]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="drop" reason="ICMP Destination Unreachable Communication Administratively Prohibited" group="420" srcip="79.166.5.141" dstip="192.168.2.40" proto="1" srcport="3" dstport="13" sid="485" class="Misc activity" priority="3"  generator="1" msgid="0"



    ICMP alerts have 192.168.2.40 as a destination (torrent client). However, there are several port scans with source IP 192.168.2.40. Not sure whether utorrent uses port scan in any way
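    The question Barry raises (is the traffic inbound from other people, or outbound from your own client?) can be answered mechanically from lines like the ones above. The following is an added example, not code from the thread or from Astaro: it parses the key="value" fields of these IPS log lines, classifies each event as inbound or outbound relative to an assumed internal range (192.168.0.0/16, taken from the addresses in the thread), and decodes the ICMP fields. The reading of srcport/dstport as ICMP type/code for proto="1" is inferred from the posted lines (type 3 code 13 is "Communication Administratively Prohibited", type 3 code 10 is "Communication with Destination Host Administratively Prohibited" per the ICMP specification); the sample log lines are constructed to mirror the ones posted.

```python
"""Triage helper for Astaro/ASG IPS log lines (added example, not from the
thread or from Astaro). Parses key="value" fields, decodes ICMP type/code
from the srcport/dstport fields, and labels each event inbound/outbound
relative to the internal networks listed below.
"""
import ipaddress
import re
from collections import Counter

# Assumption: the LAN is 192.168.0.0/16, based on the addresses in the thread.
INTERNAL_NETS = [ipaddress.ip_network("192.168.0.0/16")]

# ICMP type 3 (Destination Unreachable) codes seen in the thread.
ICMP_UNREACH_CODES = {
    10: "host administratively prohibited",
    13: "communication administratively prohibited",
}

KV_RE = re.compile(r'(\w+)="([^"]*)"')

# Constructed sample lines modelled on the ones posted in the thread.
SAMPLE_LOG = """\
2009:04:15-00:00:03 Astaro ulogd[3235]: id="2102" severity="info" sys="SecureNet" sub="ips" name="portscan detected" action="portscan" srcip="192.168.2.40" dstip="77.49.209.175" proto="6" srcport="20000" dstport="41493" tcpflags="SYN"
2009:04:15-00:02:59 Astaro barnyard[16353]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="drop" reason="ICMP Destination Unreachable Communication with Destination Host is Administratively Prohibited" srcip="74.77.49.156" dstip="192.168.2.40" proto="1" srcport="3" dstport="10" sid="486"
2009:04:15-00:04:56 Astaro barnyard[16353]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="alert" reason="ICMP Destination Unreachable Communication Administratively Prohibited" srcip="79.166.5.141" dstip="192.168.2.40" proto="1" srcport="3" dstport="13" sid="485"
"""


def parse_line(line):
    """Split the 'timestamp host process[pid]:' prefix from the key="value" fields."""
    prefix, _, rest = line.partition(": ")
    fields = dict(KV_RE.findall(rest))
    fields["timestamp"] = prefix.split(" ", 1)[0]
    return fields


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def direction(ev):
    """inbound = remote host talking to us, outbound = our host talking out."""
    src_in, dst_in = is_internal(ev["srcip"]), is_internal(ev["dstip"])
    if src_in and not dst_in:
        return "outbound"
    if dst_in and not src_in:
        return "inbound"
    return "internal" if src_in else "external"


def describe(ev):
    """Human-readable summary; for ICMP the port fields carry type and code."""
    if ev.get("proto") == "1":
        icmp_type, icmp_code = int(ev["srcport"]), int(ev["dstport"])
        if icmp_type == 3:
            meaning = ICMP_UNREACH_CODES.get(icmp_code, f"code {icmp_code}")
            return f"ICMP dest-unreachable ({meaning})"
        return f"ICMP type {icmp_type} code {icmp_code}"
    return (f"{ev.get('name')} {ev['srcip']}:{ev['srcport']} -> "
            f"{ev['dstip']}:{ev['dstport']}")


def triage(log_text):
    """Parse every non-empty line and attach a direction label to each event."""
    events = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    for ev in events:
        ev["direction"] = direction(ev)
    return events


def summarize(events):
    """Count (rule name, direction, action) so each rule can be tuned on evidence."""
    return Counter((e.get("name"), e["direction"], e.get("action")) for e in events)


if __name__ == "__main__":
    evs = triage(SAMPLE_LOG)
    for e in evs:
        print(e["timestamp"], e["direction"], e.get("action"), describe(e))
    for key, n in summarize(evs).items():
        print(n, key)
```

    Run against a real export of the IPS log, the summary shows at a glance which rules fire only on inbound ICMP replies to your own client's connections (candidates for disabling or an exception) versus which ones fire on outbound SYN bursts from the torrent host (a tuning issue on the client, as discussed in the thread).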
  • Assuming 79.166.5.141 is a remote host, then I'd recommend disabling the "ICMP Destination Unreachable Communication Administratively Prohibited" rule... it's designed to alert when you have a server which may be being scanned, or if you had a scanner internally... in your case it's actually a remote host which is creating the ICMP packet, and your firewall is alerting.
    The ICMP packets are harmless, and I'd recommend turning off the alerts.

    As far as the portscan detections, you can either:
    1. create an exception in Astaro
    2. ignore them
    3. try to tune your p2p client to make fewer connections, or less frequently.

    Barry


    Hi Barry

    Thank you for the answer, I will disable the alert and I will tune my utorrent client to make less connections.
  • On the network security>>Intrusion Protection>>advanced when you create a rule under the Manual rule modification box and you tick the disabled notification, the summary view says that notification is on. (I've attached a picture.) I am using v7.401. Not sure if it's a known bug


    Hey guys

    Any ideas on when Astaro will resolve that bug? The same issue remains on v7.402 (when you click edit, all options go to the default option rather than the one you have set)