This discussion has been locked.

You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Intrusion Protection Alert (Email) Change in ASG 8.2

Hello,

I recently upgraded my ASG box to ASG 8.2.  I am continually getting email about Intrusion Prevention Alerts of varying priority.  On the previous version, I wasn't getting these and haven't changed my notifications.  Below is an example.  Did something change in ASG 8.2?

Intrusion Prevention Alert

An intrusion has been detected. The packet has been dropped automatically.
You can toggle this rule between "drop" and "alert only" in WebAdmin.

Details about the intrusion alert:

Message........: WEB-CLIENT HTML DOM invalid DHTML comment creation attempt
Details........: Snort ::
Time...........: 2011:08:23-10:24:25
Packet dropped.: yes
Priority.......: high
Classification.: Attempted User Privilege Gain IP protocol....: 6 (TCP)

Source IP address: 98.129.63.179
- Where are my results?
- Database Query
- http://ws.arin.net/cgi-bin/whois.pl?queryinput=98.129.63.179
- APNIC - Query the APNIC Whois Database
Source port: 80 (http)
Destination IP address: 192.X.X.X
- Where are my results?
- Database Query
- http://ws.arin.net/cgi-bin/whois.pl?queryinput=192.X.X.X
- APNIC - Query the APNIC Whois Database
Destination port: 58418

--
System Uptime      : 3 days 8 hours 0 minutes
System Load        : 0.22
System Version     : Astaro Security Gateway 8.201

Please refer to the manual for detailed instructions.

This thread was automatically locked due to age.

Parents

0 mehrzad over 13 years ago

Dear all
hi,
I have a problem with Intrusion Prevention and now I'm so concern. We have many attacks over day and till today we thought that the attacks are dropped. But today, after enabling notification for just an hour, we received many emails like this:

******************
Intrusion Prevention Alert

An intrusion has been detected. The packet has *not* been dropped.
If you want to block packets like this one in the future,
set the corresponding intrusion protection rule to "drop" in WebAdmin.
Be careful not to block legitimate traffic caused by false alerts though.

Details about the intrusion alert:

Message........: POP3 login brute force attempt
Details........: Snort ::
Time...........: 2012:01:25-08:38:44
Packet dropped.: no
Priority.......: medium
Classification.: An attempted login using a suspicious username was detected
IP protocol....: 6 (TCP)
**********************
This notification says that the packet has not been dropped ! But i checked it in webadmin and all rules action were "drop".
we use asg 525 and our software is update.
any idea?
sorry for my bad english
Cancel
Vote Up 0 Vote Down

Cancel

Reply

0 mehrzad over 13 years ago

Dear all
hi,
I have a problem with Intrusion Prevention and now I'm so concern. We have many attacks over day and till today we thought that the attacks are dropped. But today, after enabling notification for just an hour, we received many emails like this:

******************
Intrusion Prevention Alert

An intrusion has been detected. The packet has *not* been dropped.
If you want to block packets like this one in the future,
set the corresponding intrusion protection rule to "drop" in WebAdmin.
Be careful not to block legitimate traffic caused by false alerts though.

Details about the intrusion alert:

Message........: POP3 login brute force attempt
Details........: Snort ::
Time...........: 2012:01:25-08:38:44
Packet dropped.: no
Priority.......: medium
Classification.: An attempted login using a suspicious username was detected
IP protocol....: 6 (TCP)
**********************
This notification says that the packet has not been dropped ! But i checked it in webadmin and all rules action were "drop".
we use asg 525 and our software is update.
any idea?
sorry for my bad english
Cancel
Vote Up 0 Vote Down

Cancel

Children

No Data