This discussion has been locked.

You can no longer post new replies to this discussion. If you have a question you can start a new discussion

[9.000] IPS blocks many Websites !

xenon2008 over 13 years ago

Hello,

Since i have upgraded my ASG to v9.000-8 many Websites does not load or load only very slowly and not correctly!

I have only IPS eneabled! No Proxy or Application Control...

In the IPS log is always one event shown like this:
2012:07:22-17:42:49 ***XX-1 snort[5377]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="drop" reason="WEB-CLIENT Microsoft Internet Explorer colgroup tag uninitialized memory exploit attempt" group="320" srcip="2.21.97.107" dstip="192.1XX.***.***" proto="6" srcport="80" dstport="4086" sid="11257" class="Attempted User Privilege Gain" priority="1" generator="1" msgid="0"

for example this websites:
Golem.de: IT-News für Profis
feature.astaro.com

and many other websites ...

what ist "WEB-CLIENT Microsoft Internet Explorer colgroup tag uninitialized memory exploit attempt" ? i dont want to disable the complete rule ....

please help me [:(]

best regards
xenon

This thread was automatically locked due to age.

Parents

0 Darkwarlord over 13 years ago

So no one else is having issues with any other rules?  Since my last post I have had issues with these rules as well:

16320 WEB-CLIENT Adobe PNG empty sPLT exploit attempt
17042 WEB-CLIENT Microsoft LNK shortcut download attempt

Granted those were dealing with one specific website and a Linux ISO I was trying to download.  However, I had to disable 20278 to load some websites (such as eBay mentioned above).

Just want to make sure something isn't configured incorrectly on my side.  Although nothing has changed between v8 and v9.  Did the install and a restore of my backup.
Cancel
Vote Up 0 Vote Down

Cancel

Reply

0 Darkwarlord over 13 years ago

So no one else is having issues with any other rules?  Since my last post I have had issues with these rules as well:

16320 WEB-CLIENT Adobe PNG empty sPLT exploit attempt
17042 WEB-CLIENT Microsoft LNK shortcut download attempt

Granted those were dealing with one specific website and a Linux ISO I was trying to download.  However, I had to disable 20278 to load some websites (such as eBay mentioned above).

Just want to make sure something isn't configured incorrectly on my side.  Although nothing has changed between v8 and v9.  Did the install and a restore of my backup.
Cancel
Vote Up 0 Vote Down

Cancel

Children

0 xenon2008 over 13 years ago in reply to Darkwarlord

Hello,

I have the same failure with this adobe png empty sPLT.

16320 WEB-CLIENT Adobe PNG empty sPLT exploit attempt
17042 WEB-CLIENT Microsoft LNK shortcut download attempt

A temporarly soloution is to disable both rules!
Then web surfing and downloading works great [;)]

I hope sophos will fix that..

Best regards
Xenon

Sent from my iPhone using Astaro.org

Edit:

Please also see here! Same id with in my first post here but with an empty entry in the overview!

http://www.astaro.org/astaro-gateway-products/network-protection-firewall-nat-qos-ips/43868-bug-utm-9-000-empty-entry-ips-overview.html

Xenon
Cancel
Vote Up 0 Vote Down

Cancel