
Mac printing causing IPS Rule Blocks

I have a user printing from a Mac to a Sharp printer, and every time he does, his printer hangs and I get Snort notifications of CRIT-852.

Rules triggered are:
15890
15888
15889

Any idea why these are causing problems?  Once his print queue hangs he is stuck until he reboots.


  • FYI
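    Here are the IPS log entries for the events in question.  10.16.2.140 is my user and 10.10.2.200 is my printer.  Note that the drops are all to TCP port 515 (LPD) and are logged as sid 15891; the ICMP flood entry at the top involves different addresses.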

    2010:04:28-12:06:08 marg ulogd[3328]: id="2104" severity="info" sys="SecureNet" sub="ips" name="ICMP flood detected" action="ICMP flood" fwrule="60014" seq="0" initf="eth1" dstmac="00:1a:8c:15:df:01" srcmac="00:1e:4c:18:ce:bb" srcip="128.242.114.243" dstip="67.79.17.221" proto="1" length="68" tos="0x00" prec="0x00" ttl="50" type="3" code="3" 
    
    2010:04:28-12:21:00 marg snort[1211]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="drop" reason="EXPLOIT SAPLPD 0x34 command buffer overflow attempt" group="232" srcip="10.16.2.140" dstip="10.10.2.200" proto="6" srcport="1021" dstport="515" sid="15891" class="Attempted Administrator Privilege Gain" priority="1"  generator="1" msgid="0"
    2010:04:28-12:22:03 marg snort[1211]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="drop" reason="EXPLOIT SAPLPD 0x34 command buffer overflow attempt" group="232" srcip="10.16.2.140" dstip="10.10.2.200" proto="6" srcport="1021" dstport="515" sid="15891" class="Attempted Administrator Privilege Gain" priority="1"  generator="1" msgid="0"
    2010:04:28-12:23:07 marg snort[1211]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="drop" reason="EXPLOIT SAPLPD 0x34 command buffer overflow attempt" group="232" srcip="10.16.2.140" dstip="10.10.2.200" proto="6" srcport="1021" dstport="515" sid="15891" class="Attempted Administrator Privilege Gain" priority="1"  generator="1" msgid="0"
    2010:04:28-12:24:11 marg snort[1211]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="drop" reason="EXPLOIT SAPLPD 0x34 command buffer overflow attempt" group="232" srcip="10.16.2.140" dstip="10.10.2.200" proto="6" srcport="1021" dstport="515" sid="15891" class="Attempted Administrator Privilege Gain" priority="1"  generator="1" msgid="0"
    2010:04:28-12:26:05 marg snort[1211]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="drop" reason="EXPLOIT SAPLPD 0x34 command buffer overflow attempt" group="232" srcip="10.16.2.140" dstip="10.10.2.200" proto="6" srcport="1020" dstport="515" sid="15891" class="Attempted Administrator Privilege Gain" priority="1"  generator="1" msgid="0"
    2010:04:28-12:27:08 marg snort[1211]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="drop" reason="EXPLOIT SAPLPD 0x34 command buffer overflow attempt" group="232" srcip="10.16.2.140" dstip="10.10.2.200" proto="6" srcport="1020" dstport="515" sid="15891" class="Attempted Administrator Privilege Gain" priority="1"  generator="1" msgid="0"
    2010:04:28-12:28:12 marg snort[1211]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="drop" reason="EXPLOIT SAPLPD 0x34 command buffer overflow attempt" group="232" srcip="10.16.2.140" dstip="10.10.2.200" proto="6" srcport="1020" dstport="515" sid="15891" class="Attempted Administrator Privilege Gain" priority="1"  generator="1" msgid="0"
    2010:04:28-12:29:15 marg snort[1211]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="drop" reason="EXPLOIT SAPLPD 0x34 command buffer overflow attempt" group="232" srcip="10.16.2.140" dstip="10.10.2.200" proto="6" srcport="1020" dstport="515" sid="15891" class="Attempted Administrator Privilege Gain" priority="1"  generator="1" msgid="0"
    2010:04:28-12:30:19 marg snort[1211]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="drop" reason="EXPLOIT SAPLPD 0x34 command buffer overflow attempt" group="232" srcip="10.16.2.140" dstip="10.10.2.200" proto="6" srcport="1020" dstport="515" sid="15891" class="Attempted Administrator Privilege Gain" priority="1"  generator="1" msgid="0"
    2010:04:28-12:31:23 marg snort[1211]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="drop" reason="EXPLOIT SAPLPD 0x34 command buffer overflow attempt" group="232" srcip="10.16.2.140" dstip="10.10.2.200" proto="6" srcport="1020" dstport="515" sid="15891" class="Attempted Administrator Privilege Gain" priority="1"  generator="1" msgid="0"
    2010:04:28-12:32:28 marg snort[1211]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="drop" reason="EXPLOIT SAPLPD 0x34 command buffer overflow attempt" group="232" srcip="10.16.2.140" dstip="10.10.2.200" proto="6" srcport="1020" dstport="515" sid="15891" class="Attempted Administrator Privilege Gain" priority="1"  generator="1" msgid="0"
    2010:04:28-12:33:32 marg snort[1211]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="drop" reason="EXPLOIT SAPLPD 0x34 command buffer overflow attempt" group="232" srcip="10.16.2.140" dstip="10.10.2.200" proto="6" srcport="1020" dstport="515" sid="15891" class="Attempted Administrator Privilege Gain" priority="1"  generator="1" msgid="0"
    2010:04:28-12:34:35 marg snort[1211]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="drop" reason="EXPLOIT SAPLPD 0x34 command buffer overflow attempt" group="232" srcip="10.16.2.140" dstip="10.10.2.200" proto="6" srcport="1020" dstport="515" sid="15891" class="Attempted Administrator Privilege Gain" priority="1"  generator="1" msgid="0"