
Mac printing causing IPS Rule Blocks

I have a user printing from a Mac to a Sharp printer and every time he does, his printer hangs and I get Snort notifications of CRIT-852.

Rules triggered are:
15890
15888
15889

Any idea why these are causing problems? Once his print queue hangs he is stuck until he reboots.


  • In that case, you'll want to go to Astaro Gateway Feature Requests and create a new feature request.  Since that site was created, feature requests made here are generally ignored by the powers that be.  Too difficult to keep track of here for the Astaro folks who hang out on the boards.
     
    If you post back the direct link to your request, once created, I'll slide you a vote.  [:)]
     
    IPS used to have a much more robust GUI in WebAdmin, but it was seriously dumbed-down due to system resource usage.
  • FYI
    Here are the IPS log entries for the events in question. 10.16.2.140 is my user and 10.10.2.200 is my printer.

    2010:04:28-12:06:08 marg ulogd[3328]: id="2104" severity="info" sys="SecureNet" sub="ips" name="ICMP flood detected" action="ICMP flood" fwrule="60014" seq="0" initf="eth1" dstmac="00:1a:8c:15:df:01" srcmac="00:1e:4c:18:ce:bb" srcip="128.242.114.243" dstip="67.79.17.221" proto="1" length="68" tos="0x00" prec="0x00" ttl="50" type="3" code="3"
    
    2010:04:28-12:21:00 marg snort[1211]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="drop" reason="EXPLOIT SAPLPD 0x34 command buffer overflow attempt" group="232" srcip="10.16.2.140" dstip="10.10.2.200" proto="6" srcport="1021" dstport="515" sid="15891" class="Attempted Administrator Privilege Gain" priority="1"  generator="1" msgid="0"
    2010:04:28-12:22:03 marg snort[1211]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="drop" reason="EXPLOIT SAPLPD 0x34 command buffer overflow attempt" group="232" srcip="10.16.2.140" dstip="10.10.2.200" proto="6" srcport="1021" dstport="515" sid="15891" class="Attempted Administrator Privilege Gain" priority="1"  generator="1" msgid="0"
    2010:04:28-12:23:07 marg snort[1211]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="drop" reason="EXPLOIT SAPLPD 0x34 command buffer overflow attempt" group="232" srcip="10.16.2.140" dstip="10.10.2.200" proto="6" srcport="1021" dstport="515" sid="15891" class="Attempted Administrator Privilege Gain" priority="1"  generator="1" msgid="0"
    2010:04:28-12:24:11 marg snort[1211]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="drop" reason="EXPLOIT SAPLPD 0x34 command buffer overflow attempt" group="232" srcip="10.16.2.140" dstip="10.10.2.200" proto="6" srcport="1021" dstport="515" sid="15891" class="Attempted Administrator Privilege Gain" priority="1"  generator="1" msgid="0"
    2010:04:28-12:26:05 marg snort[1211]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="drop" reason="EXPLOIT SAPLPD 0x34 command buffer overflow attempt" group="232" srcip="10.16.2.140" dstip="10.10.2.200" proto="6" srcport="1020" dstport="515" sid="15891" class="Attempted Administrator Privilege Gain" priority="1"  generator="1" msgid="0"
    2010:04:28-12:27:08 marg snort[1211]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="drop" reason="EXPLOIT SAPLPD 0x34 command buffer overflow attempt" group="232" srcip="10.16.2.140" dstip="10.10.2.200" proto="6" srcport="1020" dstport="515" sid="15891" class="Attempted Administrator Privilege Gain" priority="1"  generator="1" msgid="0"
    2010:04:28-12:28:12 marg snort[1211]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="drop" reason="EXPLOIT SAPLPD 0x34 command buffer overflow attempt" group="232" srcip="10.16.2.140" dstip="10.10.2.200" proto="6" srcport="1020" dstport="515" sid="15891" class="Attempted Administrator Privilege Gain" priority="1"  generator="1" msgid="0"
    2010:04:28-12:29:15 marg snort[1211]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="drop" reason="EXPLOIT SAPLPD 0x34 command buffer overflow attempt" group="232" srcip="10.16.2.140" dstip="10.10.2.200" proto="6" srcport="1020" dstport="515" sid="15891" class="Attempted Administrator Privilege Gain" priority="1"  generator="1" msgid="0"
    2010:04:28-12:30:19 marg snort[1211]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="drop" reason="EXPLOIT SAPLPD 0x34 command buffer overflow attempt" group="232" srcip="10.16.2.140" dstip="10.10.2.200" proto="6" srcport="1020" dstport="515" sid="15891" class="Attempted Administrator Privilege Gain" priority="1"  generator="1" msgid="0"
    2010:04:28-12:31:23 marg snort[1211]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="drop" reason="EXPLOIT SAPLPD 0x34 command buffer overflow attempt" group="232" srcip="10.16.2.140" dstip="10.10.2.200" proto="6" srcport="1020" dstport="515" sid="15891" class="Attempted Administrator Privilege Gain" priority="1"  generator="1" msgid="0"
    2010:04:28-12:32:28 marg snort[1211]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="drop" reason="EXPLOIT SAPLPD 0x34 command buffer overflow attempt" group="232" srcip="10.16.2.140" dstip="10.10.2.200" proto="6" srcport="1020" dstport="515" sid="15891" class="Attempted Administrator Privilege Gain" priority="1"  generator="1" msgid="0"
    2010:04:28-12:33:32 marg snort[1211]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="drop" reason="EXPLOIT SAPLPD 0x34 command buffer overflow attempt" group="232" srcip="10.16.2.140" dstip="10.10.2.200" proto="6" srcport="1020" dstport="515" sid="15891" class="Attempted Administrator Privilege Gain" priority="1"  generator="1" msgid="0"
    2010:04:28-12:34:35 marg snort[1211]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="drop" reason="EXPLOIT SAPLPD 0x34 command buffer overflow attempt" group="232" srcip="10.16.2.140" dstip="10.10.2.200" proto="6" srcport="1020" dstport="515" sid="15891" class="Attempted Administrator Privilege Gain" priority="1"  generator="1" msgid="0"
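As an added triage example (not code from the thread or from Astaro), the following Python parses the ulogd/snort key="value" log format posted above and checks whether every dropped alert is the known print client reaching the known printer on tcp/515 (LPD), which is the pattern a false positive on print traffic would show rather than an attack. The sample lines are constructed from the format above and the client/printer addresses are the ones the poster named.

```python
import re
from collections import Counter

# Constructed sample in the Astaro ulogd/snort key="value" format; the
# values mirror the thread (sid 15891, client 10.16.2.140, printer 10.10.2.200).
SAMPLE_LOG = """\
2010:04:28-12:06:08 marg ulogd[3328]: id="2104" severity="info" sys="SecureNet" sub="ips" name="ICMP flood detected" action="ICMP flood" fwrule="60014" srcip="128.242.114.243" dstip="67.79.17.221" proto="1"
2010:04:28-12:21:00 marg snort[1211]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="drop" reason="EXPLOIT SAPLPD 0x34 command buffer overflow attempt" group="232" srcip="10.16.2.140" dstip="10.10.2.200" proto="6" srcport="1021" dstport="515" sid="15891" priority="1"
2010:04:28-12:22:03 marg snort[1211]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="drop" reason="EXPLOIT SAPLPD 0x34 command buffer overflow attempt" group="232" srcip="10.16.2.140" dstip="10.10.2.200" proto="6" srcport="1020" dstport="515" sid="15891" priority="1"
"""

# One key="value" pair; values may contain spaces but not quotes.
KV_RE = re.compile(r'(\w+)="([^"]*)"')


def parse_line(line):
    """Return (timestamp, {key: value}) for one ulogd/snort log line."""
    timestamp, _, rest = line.partition(" ")
    return timestamp, dict(KV_RE.findall(rest))


def parse_log(text):
    """Parse every non-empty line of a log dump."""
    return [parse_line(l) for l in text.splitlines() if l.strip()]


def summarize_drops(events):
    """Count dropped IPS alerts by (sid, srcip, dstip, dstport)."""
    counts = Counter()
    for _, e in events:
        if e.get("sub") == "ips" and e.get("action") == "drop":
            counts[(e["sid"], e["srcip"], e["dstip"], e["dstport"])] += 1
    return counts


def looks_like_print_false_positive(events, client_ip, printer_ip):
    """True when every drop is the known client talking LPD (tcp/515) to the known printer."""
    drops = [e for _, e in events if e.get("action") == "drop"]
    return bool(drops) and all(
        e["srcip"] == client_ip and e["dstip"] == printer_ip
        and e["proto"] == "6" and e["dstport"] == "515"
        for e in drops)


if __name__ == "__main__":
    ev = parse_log(SAMPLE_LOG)
    for key, n in summarize_drops(ev).items():
        print("sid=%s %s -> %s:%s dropped %d times" % (key + (n,)))
    print("print-path only:", looks_like_print_false_positive(ev, "10.16.2.140", "10.10.2.200"))
```

If the check holds, the fix to prefer is an IPS exception scoped to that client/printer pair (or to tcp/515 toward the printer) rather than disabling the rule for the whole network.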