This discussion has been locked.

You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Printing across VLANS triggering IPS Rules

I am running Astaro 7.501. On ETH0 I have 5 VLAN's grouped together into a network group. This network group is assigend as the protected networks in the IPS definitions.

Prior to upgrading to 7.501, I had no issues printing from a Windows XP computer on 1 VLAN to a Brother Network printer located on another VLAN (in the internal networks group). Since 7.501 upgrade, I cannot print across the VLAN with IPS enabled. I deactivated the drop rules and enabled logging only and here is what SNORT is reporting:

2009:11:03-13:46:54 marg-sp snort[20525]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="alert" reason="SNMP public access udp" group="246" srcip="10.19.11.100" dstip="10.10.11.200" proto="17" srcport="1062" dstport="161" sid="1411" class="Attempted Information Leak" priority="2" generator="1" msgid="0"

2009:11:03-13:49:37 marg-sp snort[20525]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="alert" reason="ICMP L3retriever Ping" group="420" srcip="10.19.11.100" dstip="10.10.11.122" proto="1" srcport="0" dstport="0" sid="466" class="Attempted Information Leak" priority="2" generator="1" msgid="0"

2009:11:03-13:49:41 marg-sp snort[20525]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="alert" reason="SNMP public access udp" group="246" srcip="10.19.11.100" dstip="10.10.11.200" proto="17" srcport="1062" dstport="161" sid="1411" class="Attempted Information Leak" priority="2" generator="1" msgid="0"

2009:11:03-13:49:41 marg-sp snort[20525]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="alert" reason="DOS WIN32 TCP print service overflow attempt" group="520" srcip="10.19.11.100" dstip="10.10.11.200" proto="6" srcport="3111" dstport="515" sid="3442" class="Attempted Denial of Service" priority="2" generator="1" msgid="0"

2009:11:03-13:49:41 marg-sp snort[20525]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="alert" reason="DOS WIN32 TCP print service overflow attempt" group="520" srcip="10.19.11.100" dstip="10.10.11.200" proto="6" srcport="3111" dstport="515" sid="3442" class="Attempted Denial of Service" priority="2" generator="1" msgid="0"

2009:11:03-13:49:41 marg-sp snort[20525]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="alert" reason="DOS WIN32 TCP print service overflow attempt" group="520" srcip="10.19.11.100" dstip="10.10.11.200" proto="6" srcport="3111" dstport="515" sid="3442" class="Attempted Denial of Service" priority="2" generator="1" msgid="0"

2009:11:03-13:49:41 marg-sp snort[20525]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="alert" reason="SNMP public access udp" group="246" srcip="10.19.11.100" dstip="10.10.11.200" proto="17" srcport="1062" dstport="161" sid="1411" class="Attempted Information Leak" priority="2" generator="1" msgid="0"

2009:11:03-13:50:03 marg-sp snort[20525]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="alert" reason="DOS WIN32 TCP print service overflow attempt" group="520" srcip="10.19.11.100" dstip="10.10.11.200" proto="6" srcport="3131" dstport="515" sid="3442" class="Attempted Denial of Service" priority="2" generator="1" msgid="0"

2009:11:03-13:50:03 marg-sp snort[20525]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="alert" reason="DOS WIN32 TCP print service overflow attempt" group="520" srcip="10.19.11.100" dstip="10.10.11.200" proto="6" srcport="3131" dstport="515" sid="3442" class="Attempted Denial of Service" priority="2" generator="1" msgid="0"

2009:11:03-13:50:03 marg-sp snort[20525]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="alert" reason="DOS WIN32 TCP print service overflow attempt" group="520" srcip="10.19.11.100" dstip="10.10.11.200" proto="6" srcport="3131" dstport="515" sid="3442" class="Attempted Denial of Service" priority="2" generator="1" msgid="0"

2009:11:03-13:50:03 marg-sp snort[20525]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="alert" reason="SNMP public access udp" group="246" srcip="10.19.11.100" dstip="10.10.11.200" proto="17" srcport="1062" dstport="161" sid="1411" class="Attempted Information Leak" priority="2" generator="1" msgid="0"

2009:11:03-13:50:03 marg-sp snort[20525]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="alert" reason="SNMP public access udp" group="246" srcip="10.19.11.100" dstip="10.10.11.200" proto="17" srcport="1062" dstport="161" sid="1411" class="Attempted Information Leak" priority="2" generator="1" msgid="0"

The workstation PC is 10.19.11.100 and the printer is 10.10.11.200. I attempted to create an exclude rule between these two devices in the IPS exclusions tab but had no luck. I would also rather not completely disable IPS on this subnet for compliance reasons. I have another site with the same setup but have not had this problem.

My questions are:
What rule is being triggered?
Is this a rule that needs to be adjusted or fixed (is this an error in 7.501)?
Is there a possibility that I may have an infection on the PC in question?

If I need to provide additional information please let me know

This thread was automatically locked due to age.

Parents

0 BarryG over 15 years ago

http://www.snortid.com/snortid.asp?QueryId=1%3A1411
http://www.snortid.com/snortid.asp?QueryId=1%3A3442

I'd suggest disabling both SIDs in IPS-Advanced.

Barry
Cancel
Vote Up 0 Vote Down

Cancel
0 skydiver over 15 years ago in reply to BarryG

What happened to the link to the entire Astaro IPS rules and groups that you originally posted? It has links to the SNORT ID site on that page but it was nice to have the entire listing as they are grouped.

I can't tell yet whether this is an error due to a poorly written printer driver yet, so until i can determine why I am getting the error I need to continue to log it. I am running the WHQL print driver so I don't know why this is coming up unless I am infected. Any suggestions?
Cancel
Vote Up 0 Vote Down

Cancel

Reply

0 skydiver over 15 years ago in reply to BarryG

What happened to the link to the entire Astaro IPS rules and groups that you originally posted? It has links to the SNORT ID site on that page but it was nice to have the entire listing as they are grouped.

I can't tell yet whether this is an error due to a poorly written printer driver yet, so until i can determine why I am getting the error I need to continue to log it. I am running the WHQL print driver so I don't know why this is coming up unless I am infected. Any suggestions?
Cancel
Vote Up 0 Vote Down

Cancel

Children

0 BarryG over 15 years ago in reply to skydiver

Hi, the entire list for Astaro 7.5x is at
Astaro IPS Rules
(found at https://community.sophos.com/products/unified-threat-management/astaroorg/f/54/t/39386)

Barry
Cancel
Vote Up 0 Vote Down

Cancel
0 skydiver over 15 years ago in reply to BarryG

When you click on the more info... link in the individual rules, it takes you to the snort lookup site.

I am still wondering what is causing this error to happen in the first place. Anyone have any thoughts?
Cancel
Vote Up 0 Vote Down

Cancel