[9.000] IPS blocks many Websites !

Hello,

Since I have upgraded my ASG to v9.000-8, many websites do not load, or load only very slowly and not correctly!

I have only IPS enabled! No Proxy or Application Control...

In the IPS log there is always one event shown like this:
2012:07:22-17:42:49 ***XX-1 snort[5377]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="drop" reason="WEB-CLIENT Microsoft Internet Explorer colgroup tag uninitialized memory exploit attempt" group="320" srcip="2.21.97.107" dstip="192.1XX.***.***" proto="6" srcport="80" dstport="4086" sid="11257" class="Attempted User Privilege Gain" priority="1" generator="1" msgid="0"

for example these websites:
Golem.de: IT-News für Profis
feature.astaro.com

and many other websites ...

What is "WEB-CLIENT Microsoft Internet Explorer colgroup tag uninitialized memory exploit attempt"? I don't want to disable the complete rule....

please help me :(

best regards
xenon


  • The snort rule has been around for at least a couple of years, but I'm not sure how long it's been in Astaro.

    Here's a copy of the snort rule (from 2009-12), fwiw:
    web-client.rules:
    alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Microsoft Internet Explorer colgroup tag uninitialized memory corruption vulnerability"; flow:to_client,established; content:"<colgroup"; nocase; pcre:"/<colgroup[^>]*id\s*=\s*(?P<q1>\x22|\x27|)(?P<q2>\w+)(?P=q1)[^>]*>.*\s+(?P=q2)\.delete/smi"; metadata:policy security-ips drop; reference:bugtraq,23771; reference:cve,2007-0944; reference:url,www.microsoft.com/technet/security/bulletin/ms07-027.mspx; classtype:attempted-user; sid:11257; rev:2;)


    Barry
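Worked example, added here and not code from the thread, from Astaro or from the Snort rule set: it splits xenon's IPS log line into its key="value" fields, pulls the sid and the pcre option out of Barry's rule (with the pieces the forum's HTML rendering ate restored: the "<colgroup" content match and the (?P<q1>/(?P<q2> group names are inferred from the surviving backreferences and the rule's msg), and runs that pcre over a few constructed HTML bodies to show what sid 11257 actually keys on: an id'd <colgroup> tag plus, anywhere later in the same response body, whitespace followed by that same id and ".delete". Because ".*" runs under the "s" modifier, the two pieces may be arbitrarily far apart, which is why ordinary markup and script can satisfy it.

```python
import re

# Log line quoted in the opening post (real, from the page; host and IP masked as posted).
LOG_LINE = (
    '2012:07:22-17:42:49 ***XX-1 snort[5377]: id="2101" severity="warn" sys="SecureNet" '
    'sub="ips" name="Intrusion protection alert" action="drop" '
    'reason="WEB-CLIENT Microsoft Internet Explorer colgroup tag uninitialized memory exploit attempt" '
    'group="320" srcip="2.21.97.107" dstip="192.1XX.***.***" proto="6" srcport="80" dstport="4086" '
    'sid="11257" class="Attempted User Privilege Gain" priority="1" generator="1" msgid="0"'
)

# Snort rule from Barry's reply. The "<colgroup" content match and the (?P<q1>/(?P<q2>
# group names were eaten by the forum's HTML renderer and are restored here by inference
# from the surviving backreferences (?P=q1)/(?P=q2) and the rule's msg; the rest is as posted.
RULE = (
    r'alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ('
    r'msg:"WEB-CLIENT Microsoft Internet Explorer colgroup tag uninitialized memory corruption vulnerability"; '
    r'flow:to_client,established; content:"<colgroup"; nocase; '
    r'pcre:"/<colgroup[^>]*id\s*=\s*(?P<q1>\x22|\x27|)(?P<q2>\w+)(?P=q1)[^>]*>.*\s+(?P=q2)\.delete/smi"; '
    r'metadata:policy security-ips drop; reference:bugtraq,23771; reference:cve,2007-0944; '
    r'reference:url,www.microsoft.com/technet/security/bulletin/ms07-027.mspx; '
    r'classtype:attempted-user; sid:11257; rev:2;)'
)


def parse_ips_log(line):
    """Split an Astaro/Sophos UTM key="value" log line into a dict; the syslog-style
    prefix (timestamp, host, daemon, pid) goes into underscore-prefixed keys."""
    fields = dict(re.findall(r'(\w+)="([^"]*)"', line))
    prefix = re.match(r'(\S+) (\S+) (\w+)\[(\d+)\]:', line)
    if prefix:
        fields["_timestamp"], fields["_host"], fields["_daemon"], fields["_pid"] = prefix.groups()
    return fields


# PCRE modifier letters used by this rule, mapped to the Python re flags with the same meaning.
_SNORT_PCRE_FLAGS = {"s": re.DOTALL, "m": re.MULTILINE, "i": re.IGNORECASE}


def extract_pcre(rule):
    """Return (pattern, python_flags) from the rule's pcre:"/.../smi" option."""
    m = re.search(r'pcre:"/(.*)/([A-Za-z]*)";', rule)
    if not m:
        raise ValueError("rule has no pcre option")
    flags = 0
    for letter in m.group(2):
        if letter not in _SNORT_PCRE_FLAGS:
            raise ValueError(f"unsupported PCRE modifier {letter!r}")
        flags |= _SNORT_PCRE_FLAGS[letter]
    return m.group(1), flags


def extract_sid(rule):
    """The sid option is how a log event is tied back to the rule that produced it."""
    m = re.search(r'\bsid:(\d+);', rule)
    return int(m.group(1)) if m else None


def pcre_matches(rule, http_body):
    """True if the rule's pcre fires on this (already reassembled) response body."""
    pattern, flags = extract_pcre(rule)
    return re.search(pattern, http_body, flags) is not None


# Constructed HTTP response bodies (not real pages) to probe what the pattern needs.
SAMPLE_BODIES = {
    # an ordinary table with an id'd colgroup and no script: does not match
    "plain_table": '<table><colgroup id="cols"><col span="2"></colgroup>'
                   '<tr><td>IT-News</td></tr></table>',
    # the id'd colgroup plus, anywhere later in the body, "<id>.delete": matches
    "id_reused_in_script": '<table><colgroup id="cols"></colgroup></table>\n'
                           '<script>\n  var cols = {};\n  cols.delete = function () {};\n</script>',
    # unquoted attribute value: the empty alternative in (?P<q1>...) lets it match too
    "unquoted_id": "<colgroup id=cols></colgroup> cols.delete",
    # a different identifier before .delete: the backreference (?P=q2) does not match
    "other_name": '<colgroup id="cols"></colgroup> <script> rows.delete </script>',
    # [^>]*id\s*= is not anchored to the attribute name, so "data-id" qualifies as well
    "attribute_ending_in_id": '<colgroup data-id="g"></colgroup> <script> g.delete() </script>',
}


def classify_samples(rule=RULE, bodies=SAMPLE_BODIES):
    """Map each sample body to whether the rule's pcre fires on it."""
    return {name: pcre_matches(rule, body) for name, body in bodies.items()}


if __name__ == "__main__":
    event = parse_ips_log(LOG_LINE)
    print(f"event sid={event['sid']} action={event['action']} rule sid={extract_sid(RULE)}")
    for name, hit in classify_samples().items():
        print(f"{name:24s} {'MATCH' if hit else 'no match'}")
```

The sid field in the UTM log ("11257") is the key for finding the exact rule behind the block, and the pcre is the part worth reading when deciding whether a block is a false positive: it does not look for the vulnerable IE behaviour itself, only for an id'd colgroup tag and the same identifier followed by ".delete" somewhere later in the body.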