Thread Info
  • State Not Answered
  • Locked Locked
  • Replies 13 replies
  • Subscribers 2 subscribers
  • Views 7194 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

IPS problem - it works (?), but not blocking attacks

toniemy
Hello.

I'm using ASG220 for a few days. It works to protect only two www servers. I placed servers in DMZ, on ASG220 I have configured interfaces, NAT, and IPS. 

If I try test IPS by:

curl -v -s 'my-domain.com/rss.php

I can see it at Logging & Reporting -> Network Security -> Daily -> Intrusion Prevention statistics (drop events on graph).
There is information about attack at Logging & Reporting -> Network Security -> IPS (my IP, packets, dest. hosts, etc. too.

Unfortunately every time I can see in my www server's varnishncsa.log:

my-domain.com xx.attacker's-ip-xx.xx - - [01/Aug/2012:20:27:34 +0200] "GET /rss.php?pathToFiles=https HTTP/1.1" 200 130458 "-" "curl/7.21.0 (i486-pc-linux-gnu) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3.4 libidn/1.15 libssh2/1.2.6" hit


Why? IPS seems to be working but not blocking attack. Why can I see it in my www server's logs?!
Can You help me?
Thank You in advance.


Radoslaw Lidak


This thread was automatically locked due to age.
Parents
  • 0
    The rule seems not to be in in 8.305, but I found what appears to be the same rule with a different description (the rule looks like it'd match the test URL) in 9.001:

    loginuser@homefw:/var/sec/chroot-snort-2922-03/etc/snort/rules > grep 18479 *
    astaro.rules[:D]rop tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"D WEB-PHP miniBB rss.php pathToFiles remote file include attempt"; flow:to_server,established; content:"rss.php"; nocase; http_uri; content:"pathToFiles="; nocase; http_uri; pcre:"/pathToFiles=(ftp|https?)/Ui"; metadata[:P]olicy security-ips drop, service http; classtype:web-application-attack; sid:21718479[;)]


    I'm not sure what the significance of the '217' in the SID is.

    Barry
Reply
  • 0
    The rule seems not to be in in 8.305, but I found what appears to be the same rule with a different description (the rule looks like it'd match the test URL) in 9.001:

    loginuser@homefw:/var/sec/chroot-snort-2922-03/etc/snort/rules > grep 18479 *
    astaro.rules[:D]rop tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"D WEB-PHP miniBB rss.php pathToFiles remote file include attempt"; flow:to_server,established; content:"rss.php"; nocase; http_uri; content:"pathToFiles="; nocase; http_uri; pcre:"/pathToFiles=(ftp|https?)/Ui"; metadata[:P]olicy security-ips drop, service http; classtype:web-application-attack; sid:21718479[;)]


    I'm not sure what the significance of the '217' in the SID is.

    Barry
Children
No Data