
IPS - Is it a false positive?

Hello,
Yesterday my Astaro blocked 100 packets from 83.221.115.5 (that is mailrelay.lastampa.it). In your opinion, should it be a false positive? Why does the IPS detect this attack if the destination ports (59021, but also 59140 and 60943 in other log entries) are closed?

Thank you

2009:11:12-08:25:18 myfirewall barnyard[4826]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="drop" reason="WEB-CLIENT wmf file arbitrary code execution attempt" group="320" srcip="83.221.115.5" dstip="My WAN Address" proto="6" srcport="80" dstport="59021" sid="5318" class="Web Application Attack" priority="1"  generator="1" msgid="0"
2009:11:12-08:25:19 myfirewall barnyard[4826]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="drop" reason="WEB-CLIENT wmf file arbitrary code execution attempt" group="320" srcip="83.221.115.5" dstip="My WAN Address" proto="6" srcport="80" dstport="59021" sid="5318" class="Web Application Attack" priority="1"  generator="1" msgid="0"
2009:11:12-08:25:19 myfirewall barnyard[4826]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="drop" reason="WEB-CLIENT wmf file arbitrary code execution attempt" group="320" srcip="83.221.115.5" dstip="My WAN Address" proto="6" srcport="80" dstport="59021" sid="5318" class="Web Application Attack" priority="1"  generator="1" msgid="0"
2009:11:12-08:25:21 myfirewall barnyard[4826]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="drop" reason="WEB-CLIENT wmf file arbitrary code execution attempt" group="320" srcip="83.221.115.5" dstip="My WAN Address" proto="6" srcport="80" dstport="59021" sid="5318" class="Web Application Attack" priority="1"  generator="1" msgid="0"
2009:11:12-08:25:22 myfirewall barnyard[4826]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="drop" reason="WEB-CLIENT wmf file arbitrary code execution attempt" group="320" srcip="83.221.115.5" dstip="My WAN Address" proto="6" srcport="80" dstport="59021" sid="5318" class="Web Application Attack" priority="1"  generator="1" msgid="0"


EMAIL NOTIFICATION
I have additional info that I extracted from the email notifications (I have replaced my WAN IP address with MY WAN IP ADDRESS).


Intrusion Protection Alert

An intrusion has been detected. The packet has been dropped automatically. You can toggle this rule between "drop" and "alert only" in WebAdmin.

Details about the intrusion alert:

Message........: WEB-CLIENT wmf file arbitrary code execution attempt
Details........: http://www.snort.org/pub-bin/sigs.cgi?sid=5318
Time...........: 2009:11:13-11:00:24
Packet dropped.: yes
Priority.......: 1 (high)
Classification.: Web Application Attack
IP protocol....: 6 (TCP)

Source IP address: 83.221.115.5 (mailrelay.lastampa.it)
- http://www.dnsstuff.com/tools/ptr.ch?ip=83.221.115.5
- http://www.ripe.net/perl/whois?query=83.221.115.5
- http://ws.arin.net/cgi-bin/whois.pl?queryinput=83.221.115.5
- http://cgi.apnic.net/apnic-bin/whois.pl?search=83.221.115.5
Source port: 80 (http)

Destination IP address: MY WAN IP ADDRESS (MYFIREWALL)
- http://www.dnsstuff.com/tools/ptr.ch?ip=MY WAN IP ADDRESS
- http://www.ripe.net/perl/whois?query=MY WAN IP ADDRESS
- http://ws.arin.net/cgi-bin/whois.pl?queryinput=MY WAN IP ADDRESS
- http://cgi.apnic.net/apnic-bin/whois.pl?search=MY WAN IP ADDRESS
Destination port: 59978

--
System Uptime      : 4 days 17 hours 17 minutes
System Load        : 0.32
System Version     : Astaro Security Gateway Appliance 7.405

Please refer to the manual for detailed instructions.
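An added triage helper, not part of the original thread or of Astaro's own tooling: it parses the barnyard key="value" log format quoted above, groups the alerts by source and signature, and records which side opened the connection. It assumes, as is the case for Snort WEB-CLIENT rules, that the signature matches HTTP responses flowing to the client; the sample lines are constructed, with a documentation address in place of the poster's WAN IP.

```python
import re
# Constructed sample lines in the barnyard key="value" format quoted in the
# post; dstip is a documentation address standing in for "My WAN Address".
_TEMPLATE = (
    '2009:11:12-{ts} myfirewall barnyard[4826]: id="2101" severity="warn" '
    'sys="SecureNet" sub="ips" name="Intrusion protection alert" action="drop" '
    'reason="WEB-CLIENT wmf file arbitrary code execution attempt" group="320" '
    'srcip="83.221.115.5" dstip="203.0.113.7" proto="6" srcport="80" '
    'dstport="{dport}" sid="5318" class="Web Application Attack" priority="1" '
    'generator="1" msgid="0"')
SAMPLE_LOGS = [_TEMPLATE.format(ts="08:25:18", dport=59021),
               _TEMPLATE.format(ts="08:25:19", dport=59021),
               _TEMPLATE.format(ts="08:27:02", dport=59140)]

KV_RE = re.compile(r'(\w+)="([^"]*)"')
SERVER_PORTS = {80, 443, 8080}  # ports a remote web server answers on
EPHEMERAL_MIN = 1024            # anything above is treated as a client port

def parse_alert(line):
    """Return the key="value" fields of one barnyard line as a dict."""
    fields = dict(KV_RE.findall(line))
    for key in ("srcport", "dstport", "proto", "sid", "priority"):
        if key in fields:
            fields[key] = int(fields[key])
    return fields

def classify_direction(alert):
    """Which side opened the connection this alert belongs to?
    Snort WEB-CLIENT rules match HTTP responses (flow to_client): srcport 80
    to a high dstport means a local client fetched a page from the remote
    server, so dstport is the client's ephemeral port, not a listening service."""
    if alert.get("proto") != 6:
        return "non-tcp"
    if alert["srcport"] in SERVER_PORTS and alert["dstport"] >= EPHEMERAL_MIN:
        return "server-response-to-local-client"
    if alert["dstport"] in SERVER_PORTS and alert["srcport"] >= EPHEMERAL_MIN:
        return "client-request-to-local-server"
    return "unknown"

def triage(lines):
    """Group alerts by (srcip, sid): count, distinct dstports, direction."""
    summary = {}
    for line in lines:
        alert = parse_alert(line)
        entry = summary.setdefault((alert["srcip"], alert["sid"]), {
            "reason": alert["reason"], "count": 0, "dstports": set(),
            "direction": classify_direction(alert)})
        entry["count"] += 1
        entry["dstports"].add(alert["dstport"])
    return summary
```

A verdict of server-response-to-local-client means the "closed" destination port was the ephemeral port of an outbound browser session, so the next step is to find which internal host fetched content from that server at that time.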

