Guest User!

You are not Sophos Staff.

Thread Info
  • State Verified Answer
  • +1 person also asked this people also asked this
  • Locked Locked
  • Replies 4 replies
  • Subscribers 5 subscribers
  • Views 3733 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

False positive IPS snort sid 40986 - UTM 9.410-6

DavidBurakoff

After upgrading to 9.410-6, we've encountered a few problems.  One of which is the inability to view spec sheets from one of our vendors.  Snort is dropping the connection with a

SID of 40986.

 

Passed the URL in question to several scanning sites and they come back negative (Including checks against Snort VRT).

It's definitely the UTM filtering the webpage (Tested out side of company and inside, in front of UTM).

URL in question: http://www.tnb.ca/en/web-catalogue/?co=CA&lang=en&a=search&Ntk=p_comp_catalog_no&match_mode=exact&Ntt=5262

 

Error: 2017:02:23-11:18:34 athens snort[4938]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="drop" reason="BROWSER-IE Microsoft Internet Explorer title integer overflow attempt" group="320" srcip="206.208.208.160" dstip="xxx.xx.xx.xxx" proto="6" srcport="80" dstport="1713" sid="40986" class="Attempted User Privilege Gain" priority="1" generator="1" msgid="0"

 

 

Tks....



This thread was automatically locked due to age.
  • 0

    Add an IPS exception for that site.

     

    ^http?://www\.tnb\.ca

  • 0 in reply to darrellr

    Ok.  Fair enough.  Where does one enter an exception in that form?

    Would that be in: Network Protection > Intrusion Protection ( Exceptions or Advanced)?

     

    The advanced tab seems to allow the disabling of specific rules (SID?)

    The exception tab has several option (which I'm assuming must be chosen in the correct order to use the expression you've stated).

     

    For the exception, I would choose "Skip Check for: Intrusion  Prevention", "For all requests: Coming from these source networks", ....

    and then I'm lost.  It seems as if this area is looking for host IP's & such

  • 0 in reply to DavidBurakoff

    I will look when I get home, but I think you can create a dns host for that website and use that as the coming from these networks.  Teach me for trying to do it from memory :).

  • +1 in reply to DavidBurakoff

    If it resolved to only one IP, you can set up a dns host.  I typically set up a dns group network definition just in case it resolves to multiple IPs.  Then under IPS exceptions you add that as the coming from these networks.  Alternatively, you can disable that one rule using modify rules under advanced.  It is a little more involved and may not be what you want. Your choices seem to be disable ALL IPS functions to that site, or disable that one rule for ALL SITES.  I am not aware of a way to disable one rule on one site, though others may know.

    I cannot seem to get my UTM to trip on that site, though. I set up to use no limit on rule age and made sure they were all enabled in group 320.

Share Feedback
×

Submitted a Tech Support Case lately from the Support Portal?

Unfiltered HTML