Guest User!

You are not Sophos Staff.

Thread Info
  • State Verified Answer
  • +1 person also asked this people also asked this
  • Locked Locked
  • Replies 4 replies
  • Subscribers 5 subscribers
  • Views 3735 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

False positive IPS snort sid 40986 - UTM 9.410-6

DavidBurakoff

After upgrading to 9.410-6, we've encountered a few problems.  One of which is the inability to view spec sheets from one of our vendors.  Snort is dropping the connection with a

SID of 40986.

 

Passed the URL in question to several scanning sites and they come back negative (Including checks against Snort VRT).

It's definitely the UTM filtering the webpage (Tested out side of company and inside, in front of UTM).

URL in question: http://www.tnb.ca/en/web-catalogue/?co=CA&lang=en&a=search&Ntk=p_comp_catalog_no&match_mode=exact&Ntt=5262

 

Error: 2017:02:23-11:18:34 athens snort[4938]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="drop" reason="BROWSER-IE Microsoft Internet Explorer title integer overflow attempt" group="320" srcip="206.208.208.160" dstip="xxx.xx.xx.xxx" proto="6" srcport="80" dstport="1713" sid="40986" class="Attempted User Privilege Gain" priority="1" generator="1" msgid="0"

 

 

Tks....



This thread was automatically locked due to age.
Parents
  • 0

    Add an IPS exception for that site.

     

    ^http?://www\.tnb\.ca

  • 0 in reply to darrellr

    Ok.  Fair enough.  Where does one enter an exception in that form?

    Would that be in: Network Protection > Intrusion Protection ( Exceptions or Advanced)?

     

    The advanced tab seems to allow the disabling of specific rules (SID?)

    The exception tab has several option (which I'm assuming must be chosen in the correct order to use the expression you've stated).

     

    For the exception, I would choose "Skip Check for: Intrusion  Prevention", "For all requests: Coming from these source networks", ....

    and then I'm lost.  It seems as if this area is looking for host IP's & such

  • 0 in reply to DavidBurakoff

    I will look when I get home, but I think you can create a dns host for that website and use that as the coming from these networks.  Teach me for trying to do it from memory :).

Reply Children
No Data
Share Feedback
×

Submitted a Tech Support Case lately from the Support Portal?

Unfiltered HTML