Dear all,
today I experienced a dramatic behavior of IPS in Astaro starting from 1:34pm UTC.
From that moment on, all the connection coming from my web servers to my oracle cluster had been blocked by IPS with the following reason "ORACLE auth_sesskey buffer overflow attempt".
My web servers are all running linux and oracle client 11.1. Windows machines where not impacted except one which is running Windows XP and oracle client 10.2.
Other machines running Oracle SQL Developer and
Here below you can find an extraction from the log.
2009:11:25-13:34:10 dcfw-ast01-2 snort[26549]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="drop" reason="ORACLE auth_sesskey buffer overflow attempt" group="232" srcip="xx.xx.20.25" dstip="xx.xx.10.130" proto="6" srcport="53977" dstport="1521" sid="16309" class="Attempted Administrator Privilege Gain" priority="1" generator="1" msgid="0"
This behavior is scary and happened all of a sudden. Systems are running since 20 months with same IPS config on Astaro. No updates on servers or Astaro were done in the past 10 days.
To understand what happened I checked on up2date log and found this:
2009:11:25-13:33:27 dcfw-ast01-2 audld[25550]: id="3707" severity="info" sys="system" sub="up2date" name="Successfully synchronized fileset" status="success" action="download" package="ips"
2009:11:25-13:33:27 dcfw-ast01-2 auisys[26423]: Starting Up2Date Package Installer (Version 1.65)
2009:11:25-13:33:28 dcfw-ast01-2 auisys[26423]: Searching for available up2date packages for type 'mpfc'
2009:11:25-13:33:28 dcfw-ast01-2 auisys[26423]: id="371D" severity="info" sys="system" sub="up2date" name="No up2date packages available for installation" status="failed" action="preinst_check" package="mpfc"
2009:11:25-13:33:33 dcfw-ast01-2 auisys[26423]: Searching for available up2date packages for type 'ips'
2009:11:25-13:33:33 dcfw-ast01-2 auisys[26423]: Installing up2date package file '/var/up2date//ips/u2d-ips-7.158.tgz.gpg'
2009:11:25-13:33:33 dcfw-ast01-2 auisys[26423]: Verifying up2date package signature
2009:11:25-13:33:33 dcfw-ast01-2 auisys[26423]: Unpacking installation instructions
2009:11:25-13:33:33 dcfw-ast01-2 auisys[26423]: Unpacking up2date package container
2009:11:25-13:33:33 dcfw-ast01-2 auisys[26423]: Running pre-installation checks
2009:11:25-13:33:34 dcfw-ast01-2 auisys[26423]: Starting up2date package installation
2009:11:25-13:33:52 dcfw-ast01-2 auisys[26423]: id="371Z" severity="info" sys="system" sub="up2date" name="Successfully installed Up2Date package" status="success" action="install" package_version="7.158" package="ips"
2009:11:25-13:33:52 dcfw-ast01-2 auisys[26423]: New Pattern Up2Dates installed
Might this update be the reason for this horrible behavior?
What am I supposed to do to restore IPS, wait for the next patter update?
Please help.
Roberto
This thread was automatically locked due to age.
