Hello,
Today I noticed 6000 attacks dropped in the WebAdmin dashboard.
In the log file I see a lot of entries, all coming from the same IP/destination:
2014:12:11-10:44:34 *** snort[22194]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="alert" reason="(ftp_telnet) FTP command parameters were too long" group="410" srcip="192.***.***.***" dstip="***.***.***.***" proto="6" srcport="49705" dstport="21" sid="3" class="Attempted Administrator Privilege Gain" priority="1" generator="125" msgid="1"
Now... the strange things I see are:
1) the action is "alert", so why does the dashboard say attacks were blocked?
2) IPS is active for other interfaces, not for the one listed as srcip, so why are attacks detected?
3) in any case, I have a rule that bypasses IPS for the "internet" destination (as in this case)
4) the FTP attack pattern is inactive (...or is this rule classified as a "protocol anomaly"?)
5) the users really experience FTP issues
Can anyone help me in finding an explanation?
Thanks
eclipse79
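To check the first point (alert vs. blocked), the log lines in the post can be parsed and tallied by flow and action value. The following is an added example, not code from the original post or from Sophos; it assumes only the key="value" line format shown above and uses constructed sample lines with RFC 5737 placeholder addresses.

```python
import re
from collections import Counter, defaultdict

# key="value" pairs as emitted by the UTM IPS (snort) log line
KV_RE = re.compile(r'(\w+)="([^"]*)"')
# leading "YYYY:MM:DD-HH:MM:SS" timestamp of each line
TS_RE = re.compile(r'^(\d{4}:\d{2}:\d{2}-\d{2}:\d{2}:\d{2})\s')

def parse_line(line):
    """Return the fields of one IPS log line as a dict, or None for other lines."""
    m = TS_RE.match(line)
    if not m or 'sub="ips"' not in line:
        return None
    fields = dict(KV_RE.findall(line))
    fields["timestamp"] = m.group(1)
    return fields

def summarize(lines):
    """Group IPS events by (srcip, dstip, dstport, sid) and count each action.

    If a flow has only action="alert" entries and no "drop", the IPS merely
    logged it, so the dashboard's "dropped" count cannot come from these lines.
    """
    summary = defaultdict(Counter)
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue  # other subsystem or unparseable line
        key = (ev.get("srcip"), ev.get("dstip"), ev.get("dstport"), ev.get("sid"))
        summary[key][ev.get("action", "?")] += 1
    return summary

def flows_without_drop(summary):
    """Flows that were only alerted on, never dropped."""
    return [k for k, c in summary.items() if c["drop"] == 0]

# Constructed sample lines in the post's format; IPs are RFC 5737
# documentation addresses standing in for the masked ones in the original.
_EVENT = ('{ts} utm snort[22194]: id="2101" severity="warn" sys="SecureNet" sub="ips" '
          'name="Intrusion protection alert" action="{action}" '
          'reason="(ftp_telnet) FTP command parameters were too long" group="410" '
          'srcip="192.0.2.10" dstip="198.51.100.21" proto="6" srcport="49705" dstport="21" '
          'sid="{sid}" class="Attempted Administrator Privilege Gain" priority="1" '
          'generator="125" msgid="1"')
SAMPLE = [
    _EVENT.format(ts="2014:12:11-10:44:34", action="alert", sid="3"),
    _EVENT.format(ts="2014:12:11-10:44:35", action="alert", sid="3"),
    _EVENT.format(ts="2014:12:11-10:44:36", action="drop", sid="9"),
    '2014:12:11-10:44:37 utm ulogd[4242]: id="2001" sub="packetfilter" action="drop"',
]
```

Run `summarize()` over the real `/var/log/ips.log` lines instead of `SAMPLE` to see which flows carry "drop" and which only "alert".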