Intrusion Prevention system not blocking thousands of buffer overflow attempts after streaming Netflix.

I checked all of the "add extra warnings" options in the intrusion prevention system, and while watching Netflix I received almost 50 email alerts about an intrusion detection. The intrusion prevention policy is set to "drop silently" and all warnings are set to Drop.

Intrusion Prevention Alert

An intrusion has been detected. The packet has *not* been dropped.
If you want to block packets like this one in the future,
set the corresponding intrusion protection rule to "drop" in WebAdmin.
Be careful not to block legitimate traffic caused by false alerts though.

Details about the intrusion alert:

Message........: FILE-IMAGE Apple PICT Quickdraw image converter packType 4 buffer overflow attempt
Details........: https://www.snort.org/search?query=44455
Time...........: 2017-10-27 19:57:05
Packet dropped.: no
Priority.......: high
Classification.: Attempted User Privilege Gain
IP protocol....: 6 (TCP)


Source IP address: 23.246.36.173 (ipv4_1.lagg0.c087.ord003.ix.nflxvideo.net)
Source port: 80 (http)
Destination IP address: 192.168.2.110
Destination port: 55121


After reading the knowledge base article about configuring the IPS, it seems that alerts stemming from the "add extra warnings" option can't be dropped. Extra warnings will use additional rules, increasing the IPS detection rate. The additional rules will create alerts and can't be changed to drop. Extra warnings can be enabled/disabled with the specific checkbox.

Seems like the extra warnings are simply intrusion detection and not intrusion prevention.
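When an alert-only rule fires hundreds of times, the first triage step is to aggregate the e-mails rather than read them one by one: which SID, which source domain, which LAN hosts, and whether anything was actually dropped. The script below is an added example, not part of the original post or of Sophos UTM; it parses alert bodies in the format shown above. The first two sample alerts are copied from this thread, the third (SID 99999 from 203.0.113.5) is constructed so that the grouping has more than one key, and the "likely false positive" heuristic (all hits are replies from one domain on port 80/443 to ephemeral client ports, none dropped) is the author's own rule of thumb, not a Sophos or Snort feature.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Two alert bodies copied from the thread above, plus one CONSTRUCTED alert
# (hypothetical SID 99999 from 203.0.113.5) so grouping has two keys.
SAMPLE_ALERTS = """\
Message........: FILE-IMAGE Apple PICT Quickdraw image converter packType 4 buffer overflow attempt
Details........: https://www.snort.org/search?query=44455
Time...........: 2017-10-27 19:57:05
Packet dropped.: no
Priority.......: high
Classification.: Attempted User Privilege Gain
IP protocol....: 6 (TCP)

Source IP address: 23.246.36.173 (ipv4_1.lagg0.c087.ord003.ix.nflxvideo.net)
Source port: 80 (http)
Destination IP address: 192.168.2.110
Destination port: 55121

Message........: FILE-IMAGE Apple PICT Quickdraw image converter packType 4 buffer overflow attempt
Details........: https://www.snort.org/search?query=44455
Time...........: 2017-11-18 22:39:36
Packet dropped.: no
Priority.......: high
Classification.: Attempted User Privilege Gain
IP protocol....: 6 (TCP)

Source IP address: 23.246.36.163 (ipv4_1.lagg0.c064.ord003.ix.nflxvideo.net)
Source port: 80 (http)
Destination IP address: 192.168.2.111
Destination port: 51824

Message........: CONSTRUCTED example alert, not from the thread
Details........: https://www.snort.org/search?query=99999
Time...........: 2017-11-19 01:02:03
Packet dropped.: yes
Priority.......: high
Classification.: Attempted User Privilege Gain
IP protocol....: 6 (TCP)

Source IP address: 203.0.113.5
Source port: 4444
Destination IP address: 192.168.2.20
Destination port: 445
"""

# "Key.....: value" lines; the dots are padding, the key may contain spaces.
FIELD_RE = re.compile(r"^(?P<key>[A-Za-z ]+?)\.*:\s*(?P<val>.*)$", re.MULTILINE)
# Each alert body starts with its Message line.
BLOCK_RE = re.compile(r"(?m)^(?=Message\.*:)")


@dataclass(frozen=True)
class Alert:
    message: str
    sid: int
    time: str
    dropped: bool
    src_ip: str
    src_host: Optional[str]
    src_port: int
    dst_ip: str
    dst_port: int

    @property
    def src_domain(self) -> str:
        # Registered domain (last two labels) of the reverse-DNS name, else the bare IP.
        if self.src_host:
            return ".".join(self.src_host.rsplit(".", 2)[-2:])
        return self.src_ip


def parse_alerts(text: str) -> list:
    """Split a mailbox dump into alert blocks and parse each into an Alert."""
    alerts = []
    for block in BLOCK_RE.split(text):
        if not block.strip():
            continue
        f = {m["key"].strip(): m["val"].strip() for m in FIELD_RE.finditer(block)}
        sid = re.search(r"query=(\d+)", f.get("Details", ""))
        src = re.match(r"(\S+)(?:\s+\((.+)\))?", f["Source IP address"])
        alerts.append(Alert(
            message=f["Message"],
            sid=int(sid.group(1)) if sid else 0,
            time=f["Time"],
            dropped=f["Packet dropped"].lower() == "yes",
            src_ip=src.group(1),
            src_host=src.group(2),
            src_port=int(f["Source port"].split()[0]),   # "80 (http)" -> 80
            dst_ip=f["Destination IP address"],
            dst_port=int(f["Destination port"].split()[0]),
        ))
    return alerts


def summarize(alerts) -> dict:
    """Aggregate per SID: hit count, drops, source domains, affected LAN hosts."""
    summary = {}
    for a in alerts:
        s = summary.setdefault(a.sid, {
            "message": a.message, "count": 0, "dropped": 0,
            "src_domains": set(), "src_ports": set(), "dst_ips": set(), "dst_ports": set(),
        })
        s["count"] += 1
        s["dropped"] += int(a.dropped)
        s["src_domains"].add(a.src_domain)
        s["src_ports"].add(a.src_port)
        s["dst_ips"].add(a.dst_ip)
        s["dst_ports"].add(a.dst_port)
    return summary


def looks_like_server_reply_fp(s: dict) -> bool:
    """Author's triage heuristic, not proof: every hit is a reply from a single
    domain on a well-known web port to an ephemeral client port, and nothing was
    dropped. That is the shape of a content rule matching a CDN's HTTP payload,
    not of an inbound exploit against the LAN host."""
    return (
        len(s["src_domains"]) == 1
        and s["src_ports"] <= {80, 443}
        and all(p >= 1024 for p in s["dst_ports"])
        and s["dropped"] == 0
    )


def report(text: str) -> str:
    lines = []
    for sid, s in sorted(summarize(parse_alerts(text)).items()):
        verdict = "likely false positive" if looks_like_server_reply_fp(s) else "review"
        lines.append(f"SID {sid}: {s['count']} hits, {s['dropped']} dropped, "
                     f"from {sorted(s['src_domains'])} -> {sorted(s['dst_ips'])}: {verdict}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_ALERTS))
```

Pipe the saved alert e-mails into `report()`; a single SID whose only source is a streaming CDN on port 80, hitting every device that watched Netflix, is the pattern the moderators below call a false positive, and the "dropped" column confirms whether the rule was ever enforcing.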



This thread was automatically locked due to age.
  • Yes, these are warnings only.  I would only enable them selectively and temporarily if you suspect that you have a problem.

    Cheers - Bob

    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • I am still getting hundreds of these intrusions destined to any device that I use to watch Netflix on.

    First I was getting "FILE-IMAGE Apple PICT Quickdraw image converter packType 4 buffer overflow attempt" to my Vizio television during, and for days after, watching Netflix.

    Now these intrusions are targeting my Sanyo Blu-ray player, which I used to watch Netflix last night.

    I now have several thousand email alerts about this buffer overflow. If this is a genuine attack it should be blocked, because that's what an intrusion prevention system should be doing.

    Now, how do I stop these attacks? The host is nflxvideo.net

    Message........: FILE-IMAGE Apple PICT Quickdraw image converter packType 4 buffer overflow attempt
    Details........: https://www.snort.org/search?query=44455
    Time...........: 2017-11-18 22:39:36
    Packet dropped.: no
    Priority.......: high
    Classification.: Attempted User Privilege Gain
    IP protocol....: 6 (TCP)

    Source IP address: 23.246.36.163 (ipv4_1.lagg0.c064.ord003.ix.nflxvideo.net)
    Source port: 80 (http)
    Destination IP address: 192.168.2.111
    Destination port: 51824

  • Alan, like Alex said, these are almost certainly false positives.  Disable all of the extra warnings and tell us what you then see.

    Cheers - Bob

    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • OK, then I'll disable the extra warnings. The problem is that the alert says

    If you want to block packets like this one in the future,
    set the corresponding intrusion protection rule to "drop" in WebAdmin.

    The issue is that these packets apparently cannot be dropped even when the IPS is set to drop, therefore the alert given is incorrect.
