
yum shells false IDS drops

I have a few Linux servers that use yum to update. Since updating to 7.501, I've run into the following when trying to run yum update:


Error Downloading Packages:
  tcsh-6.14-14.el5_4.2.x86_64: failure: RPMS/tcsh-6.14-14.el5_4.2.x86_64.rpm from updates: [Errno 256] No more mirrors to try.
  rsh-0.17-40.el5.x86_64: failure: CentOS/rsh-0.17-40.el5.x86_64.rpm from base: [Errno 256] No more mirrors to try.
  zsh-4.2.6-3.el5.x86_64: failure: CentOS/zsh-4.2.6-3.el5.x86_64.rpm from base: [Errno 256] No more mirrors to try.
  ksh-20080202-14.el5.x86_64: failure: CentOS/ksh-20080202-14.el5.x86_64.rpm from base: [Errno 256] No more mirrors to try.


I've ignored it for some time due to real-world realities. Tonight I've returned to research and found the culprit.

2009:12:10-22:32:38 fw4 snort[25416]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="drop" reason="WEB-CGI tcsh access" group="218" srcip="192.168.25.239" dstip="192.168.56.201" proto="6" srcport="34946" dstport="80" sid="872" class="Attempted Information Leak" priority="2" generator="1" msgid="0"

2009:12:10-22:33:08 fw4 snort[25416]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="drop" reason="WEB-CGI ksh access" group="218" srcip="192.168.25.239" dstip="192.168.56.201" proto="6" srcport="34947" dstport="80" sid="865" class="Attempted Information Leak" priority="2" generator="1" msgid="0"
2009:12:10-22:33:38 fw4 snort[25416]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="drop" reason="WEB-CGI zsh access" group="218" srcip="192.168.25.239" dstip="192.168.56.201" proto="6" srcport="34948" dstport="80" sid="1309" class="Attempted Information Leak" priority="2" generator="1" msgid="0"
2009:12:10-22:33:52 fw4 snort[25416]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="drop" reason="WEB-CGI rsh access" group="218" srcip="192.168.25.239" dstip="192.168.56.201" proto="6" srcport="34945" dstport="80" sid="868" class="Attempted Information Leak" priority="2" generator="1" msgid="0"
 

Does this only happen with yum?
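
An added example, not part of the thread: it parses the IPS log lines quoted above and pairs each dropped request with the yum package that failed to download, by matching the shell name in the rule's reason field against the package name. The function names are hypothetical and the log lines are trimmed to the fields the code uses.

```python
import re
from collections import defaultdict

# Abbreviated from the log lines in the post (unused fields dropped).
IPS_LOG = '''\
2009:12:10-22:32:38 fw4 snort[25416]: action="drop" reason="WEB-CGI tcsh access" srcip="192.168.25.239" dstip="192.168.56.201" dstport="80" sid="872"
2009:12:10-22:33:08 fw4 snort[25416]: action="drop" reason="WEB-CGI ksh access" srcip="192.168.25.239" dstip="192.168.56.201" dstport="80" sid="865"
2009:12:10-22:33:38 fw4 snort[25416]: action="drop" reason="WEB-CGI zsh access" srcip="192.168.25.239" dstip="192.168.56.201" dstport="80" sid="1309"
2009:12:10-22:33:52 fw4 snort[25416]: action="drop" reason="WEB-CGI rsh access" srcip="192.168.25.239" dstip="192.168.56.201" dstport="80" sid="868"
'''
# Package file names taken from the yum errors in the post.
YUM_FAILURES = [
    "tcsh-6.14-14.el5_4.2.x86_64.rpm",
    "rsh-0.17-40.el5.x86_64.rpm",
    "zsh-4.2.6-3.el5.x86_64.rpm",
    "ksh-20080202-14.el5.x86_64.rpm",
]

KV = re.compile(r'(\w+)="([^"]*)"')

def parse_ips(text):
    """Yield a dict of key="value" fields for every log line with action=drop."""
    for line in text.splitlines():
        fields = dict(KV.findall(line))
        if fields.get("action") == "drop" and "sid" in fields:
            yield fields

def pkg_name(rpm):
    """Strip version and release from name-version-release.arch.rpm."""
    return rpm.rsplit("-", 2)[0]

def correlate(ips_text, rpms):
    """Map each failed package to the (sid, srcip, dstip) drops naming it."""
    names = {pkg_name(r): r for r in rpms}
    hits = defaultdict(set)
    for f in parse_ips(ips_text):
        m = re.fullmatch(r"WEB-CGI (\S+) access", f["reason"])
        if m and m.group(1) in names:
            hits[names[m.group(1)]].add((int(f["sid"]), f["srcip"], f["dstip"]))
    return dict(hits)

if __name__ == "__main__":
    for rpm, rules in sorted(correlate(IPS_LOG, YUM_FAILURES).items()):
        for sid, src, dst in sorted(rules):
            print(f"{rpm}: dropped by sid {sid} ({src} -> {dst}:80)")
```

The resulting sid list is the candidate set for a scoped exception between the update client and the mirror, rather than a reason to disable the whole rule group.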

