Thread Info
  • State Not Answered
  • Locked Locked
  • Replies 13 replies
  • Subscribers 2 subscribers
  • Views 7204 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

IPS problem - it works (?), but not blocking attacks

toniemy
Hello.

I'm using ASG220 for a few days. It works to protect only two www servers. I placed servers in DMZ, on ASG220 I have configured interfaces, NAT, and IPS. 

If I try test IPS by:

curl -v -s 'my-domain.com/rss.php

I can see it at Logging & Reporting -> Network Security -> Daily -> Intrusion Prevention statistics (drop events on graph).
There is information about attack at Logging & Reporting -> Network Security -> IPS (my IP, packets, dest. hosts, etc. too.

Unfortunately every time I can see in my www server's varnishncsa.log:

my-domain.com xx.attacker's-ip-xx.xx - - [01/Aug/2012:20:27:34 +0200] "GET /rss.php?pathToFiles=https HTTP/1.1" 200 130458 "-" "curl/7.21.0 (i486-pc-linux-gnu) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3.4 libidn/1.15 libssh2/1.2.6" hit


Why? IPS seems to be working but not blocking attack. Why can I see it in my www server's logs?!
Can You help me?
Thank You in advance.


Radoslaw Lidak


This thread was automatically locked due to age.
  • 0 in reply to BarryG
    OK, well as far as I can tell, that snort rule isn't present in 8.305, so perhaps you should try a different test.

    Barry


    Thanks.
    Could You recommend any "working" tests?

    Radek
  • 0
    Hi,

    http://my-domain.com/cmd32.exe

    triggers for me with

    2012:08:06-15:01:35 fw snort[7072]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="drop" reason="WEB-IIS cmd32.exe access" group="213" srcip="x.x.x.x" dstip="x.x.x.x" proto="6" srcport="2435" dstport="80" sid="1661" class="Web Application Attack" priority="1"  generator="1" msgid="0"


    This assumes you have the Microsoft IIS rule group enabled.

    Barry
  • 0 in reply to BarryG
    Hi,

    http://my-domain.com/cmd32.exe

    triggers for me with 

    2012:08:06-15:01:35 fw snort[7072]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="drop" reason="WEB-IIS cmd32.exe access" group="213" srcip="10.40.8.35" dstip="x.x.x.x" proto="6" srcport="2435" dstport="80" sid="1661" class="Web Application Attack" priority="1"  generator="1" msgid="0"


    This assumes you have the Microsoft IIS rule group enabled.

    Barry


    I have only Linux servers but I will test it, thanks!

    Radek