Intrusion Prevention Alert

Hi,

I receive multiple messages like this and I'm worried:


Intrusion Prevention Alert

An intrusion has been detected. The packet has been dropped automatically.
You can toggle this rule between "drop" and "alert only" in WebAdmin.

Details about the intrusion alert:

Message........: FILE-OTHER RealNetworks Netzip Classic zip archive long filename buffer overflow attempt
Details........: Snort ::
Time...........: 2013-02-21 17:48:01
Packet dropped.: yes
Priority.......: high
Classification.: Attempted User Privilege Gain
IP protocol....: 6 (TCP)

Source IP address: 217.212.239.25 (217-212-239-25.customer.teliacarrier.com)
Source port: 80 (http)
Destination IP address: x.x.x.x
Destination port: 49357


Can someone tell me what is happening? Is it an attack?
I don't know if it is related to WSUS.

Thank you so much!


  • Could be a false positive.

    Were you trying to download or stream something from that site?

    Barry
  • I have the same issue.
    In my case it is coming from WSUS when it tries to download an update from

    wsus.ds.download.windowsupdate.com

    I could find this using a packet sniffer on the server.

    Here is the request in the packet. If the server executes this request, the intrusion prevention alert is raised.

    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    GET /msdownload/update/software/uprl/2013/01/crm2011-mui-kb2795627-v2-glc-amd64_073023e115bf5f1bc8f376b9c6297f440ccb4f7e.exe HTTP/1.1
    Accept: */*
    Accept-Encoding: identity
    Range: bytes=26598059-26918877
    User-Agent: Microsoft BITS/6.6
    Host: wsus.ds.download.windowsupdate.com
    Connection: Keep-Alive


    HTTP/1.1 206 Partial Content
    Content-Type: application/octet-stream
    Last-Modified: Thu, 17 Jan 2013 03:00:01 GMT
    Accept-Ranges: bytes
    ETag: "80ceadbd5ef4cd1:0"
    Server: Microsoft-IIS/7.5
    X-Powered-By: ASP.NET
    Date: Fri, 22 Feb 2013 07:37:56 GMT
    Content-Range: bytes 26598059-26918877/29438392
    Content-Length: 320819
    Connection: keep-alive
    X-CCC: DE
    X-CID: 2
     
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    I added an exception in the intrusion prevention for that host. I will see now whether it is working.
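A small triage helper for this kind of alert, added here as an example and not code from the thread or from the UTM vendor. It assumes the alert mail layout quoted at the top and a captured client request like the one in the reply above; the sample values and the allow-list of update domains are constructed and must be adjusted to your own environment.

```python
import re

# Constructed sample alert in the layout of the mail quoted in the thread (documentation IPs).
SAMPLE_ALERT = """\
Message........: FILE-OTHER RealNetworks Netzip Classic zip archive long filename buffer overflow attempt
Packet dropped.: yes
Source IP address: 203.0.113.25 (cdn.example.net)
Source port: 80 (http)
Destination IP address: 192.0.2.10
Destination port: 49357
"""
# Constructed capture of the client request on that connection (what a packet sniffer shows).
SAMPLE_REQUEST = (
    "GET /msdownload/update/software/uprl/2013/01/example-update.exe HTTP/1.1\r\n"
    "Range: bytes=26598059-26918877\r\n"
    "User-Agent: Microsoft BITS/6.6\r\n"
    "Host: wsus.ds.download.windowsupdate.com\r\n\r\n"
)
# Assumed allow-list; adjust to the hosts your WSUS server really synchronises from.
UPDATE_DOMAINS = ("windowsupdate.com", "update.microsoft.com")
FIELD_RE = re.compile(r"^([A-Za-z ]+?)\.*\s*:\s*(.*)$", re.M)

def parse_alert(text):
    """Turn the dotted 'Key....: value' lines into a dict, dropping '(comment)' suffixes."""
    return {k.strip(): v.split(" (")[0].strip() for k, v in FIELD_RE.findall(text)}

def parse_request(raw):
    """Return the request line and a dict keyed by lower-cased header name."""
    request_line, *header_lines = raw.split("\r\n")
    headers = {n.strip().lower(): v.strip() for n, v in
               (line.split(":", 1) for line in header_lines if ":" in line)}
    return request_line, headers

def triage(alert_text, request_raw):
    """Return (verdict, reasons). 'likely-false-positive' means the dropped packet was a
    server's reply to our own BITS request to an update host, so a host-scoped IPS
    exception (rather than disabling the rule) is the fix; anything less is 'investigate'."""
    alert = parse_alert(alert_text)
    _, headers = parse_request(request_raw)
    reasons = []
    if int(alert["Source port"]) in (80, 443) and int(alert["Destination port"]) >= 1024:
        reasons.append("packet is a server reply to an outbound client connection")
    host = headers.get("host", "").rstrip(".").lower()
    if any(host == d or host.endswith("." + d) for d in UPDATE_DOMAINS):
        reasons.append("request Host " + host + " is a Windows Update domain")
    if headers.get("user-agent", "").startswith("Microsoft BITS"):
        reasons.append("client is BITS, the transfer service WSUS uses")
    if "range" in headers:
        reasons.append("ranged download: the rule matched a fragment of a large binary")
    return ("likely-false-positive" if len(reasons) == 4 else "investigate"), reasons
```

The domain check matches only the allow-listed domain or its subdomains, so a look-alike host such as a name that merely ends in the same letters is still sent to "investigate".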