This discussion has been locked.

You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Strange alerts after IPS updates....

Hi all,

after the last ips patterns update released on friday 12th:


Up2Date 7.165 package description:



RPM packages contained:

 u2d-ips-7.164-165.patch.rpm

I'm getting a lots (hundreds) of IPS alerts like this:


Message........: DOS Microsoft Windows TCP SACK invalid range denial of service attempt

Details........: www.snort.org/.../sigs.cgi

Time...........: 2010:02:15-12:50:44

Packet dropped.: yes

Priority.......: 2 (medium)

Classification.: Attempted Denial of Service

IP protocol....: 6 (TCP)

I'm sure this is a false positive because this alerts is related to a well kown TCP traffic involving an external device to an internal DMZ server.
Again Astaro continues to give an invalid snort link as detail and however in this case, the sid=16408 is not defined in the snort rules (Snort seach)

Does anyone detect this strange behaviour?

This thread was automatically locked due to age.

Parents

0 BAlfson over 15 years ago

The new version of IPS isn't buggy at all - it's more powerful and has more rules to protect against new threats. In our Astaro, I've disabled some rules that didn't seem to be a threat for us (everyone should decide for their situation which rules they feel comfortable disabling):
1437 multimedia
2515 exploit of Microsoft PCT
2579 exploit a heap overflow associated with Kerberos V5.
2707 exploit a known vulnerability in Microsoft GDI using a malformed JPEG image.
4135 attempt is made to exploit a known vulnerability in Internet Explorer ising a jpeg
4136 attempt is made to exploit a known vulnerability in Internet Explorer using a jpeg
5318 exploit a known vulnerability in Microsoft Windows systems via the graphics rendering engine.
6692 exploit a known vulnerability in Windows Media Player.
6697 an attempt is made to return to a web client a file with a Class ID (CLSID) embedded in the file.
12633 exploit a known vulnerability in Image Viewer.
12634 exploit a known vulnerability in Image Viewer.
12798 when shellcode is detected in network traffic.
12799 when shellcode is detected in network traffic.
12800 when shellcode is detected in network traffic.
12801 when shellcode is detected in network traffic.
12802 when shellcode is detected in network traffic.
15462 when shellcode is detected in network traffic.

Cheers - Bob
Cancel
Vote Up 0 Vote Down

Cancel

Reply

0 BAlfson over 15 years ago

The new version of IPS isn't buggy at all - it's more powerful and has more rules to protect against new threats. In our Astaro, I've disabled some rules that didn't seem to be a threat for us (everyone should decide for their situation which rules they feel comfortable disabling):
1437 multimedia
2515 exploit of Microsoft PCT
2579 exploit a heap overflow associated with Kerberos V5.
2707 exploit a known vulnerability in Microsoft GDI using a malformed JPEG image.
4135 attempt is made to exploit a known vulnerability in Internet Explorer ising a jpeg
4136 attempt is made to exploit a known vulnerability in Internet Explorer using a jpeg
5318 exploit a known vulnerability in Microsoft Windows systems via the graphics rendering engine.
6692 exploit a known vulnerability in Windows Media Player.
6697 an attempt is made to return to a web client a file with a Class ID (CLSID) embedded in the file.
12633 exploit a known vulnerability in Image Viewer.
12634 exploit a known vulnerability in Image Viewer.
12798 when shellcode is detected in network traffic.
12799 when shellcode is detected in network traffic.
12800 when shellcode is detected in network traffic.
12801 when shellcode is detected in network traffic.
12802 when shellcode is detected in network traffic.
15462 when shellcode is detected in network traffic.

Cheers - Bob
Cancel
Vote Up 0 Vote Down

Cancel

Children

0 kwyrick over 15 years ago in reply to BAlfson

Ok, then exchange the term "false positive" with the word Bugs. The end result is the same.
Cancel
Vote Up 0 Vote Down

Cancel