I have an issue on my Sophos UTM Home where various GM sites won't load with IPS on.
For example:
www.chevrolet.com
www.cadillac.com
www.buick.com
they sit and spin, and never load. Turn off IPS, and they load fine. Turn IPS back ON -- and if they've already been loaded, they will load fine for a while (not sure how long). Browser doesn't matter, (chrome or IE). End user computer doesn't matter either...
The SRCIP listed below changes based on the website requested.
In the live log, this is what I see when trying to load the page (once for each request):
2015:02:01-09:21:34 jevpn snort[18918]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="drop" reason="BROWSER-IE Microsoft Internet Explorer CSS style memory corruption attempt" group="320" srcip="23.65.17.175" dstip="192.168.1.105" proto="6" srcport="80" dstport="57111" sid="19873" class="Attempted User Privilege Gain" priority="1" generator="1" msgid="0"
2015:02:01-09:22:52 jevpn snort[18918]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="drop" reason="BROWSER-IE Microsoft Internet Explorer CSS style memory corruption attempt" group="320" srcip="23.65.21.241" dstip="192.168.1.105" proto="6" srcport="80" dstport="57325" sid="19873" class="Attempted User Privilege Gain" priority="1" generator="1" msgid="0"
Anyone else have the issue? Seems likes a false positive, and would like to be able to load the sites without issue. It's been going on through various updates and patches, its not a new issue. I'm on the most recent release. What would be the best to get this correct, without having to create exceptions for various IPs.
Thanks for the help!
This thread was automatically locked due to age.
