[9.103] IPS blocks websites again!

Hello BB,

Since version 9.103, IPS is again blocking many websites!
For example: mcseboard.de; golem.de..

These pages can't be displayed... They load and load and load... until I click the cancel button in my browser!

In the IPS log I always find this error:

INDICATOR-OBFUSCATION Javascript indexOf rename attempt


What is this? I don't want to exclude everything from IPS...

Any ideas?


  • Hi Xenon,

    Are all of the blocks the same? What sid is indicated in the log?

    Cheers - Bob

    Sorry for any short responses.  Posted from my iPhone.
     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Hi Balfson,

    Yes, all blocks are the same.
    The SID in the log is "26616".
  • It sounds like you may have an infection on your network, IMO.

    Owner:  Emmanuel Technology Consulting

    http://etc-md.com

    Former Sophos SG(Astaro) advocate/researcher/Silver Partner

    PfSense w/Suricata, ntopng, 

    Other addons to follow

  • Hi William,

    I can't imagine that, because this is on all my clients: PCs, servers, notebooks, iPhone, ...
    And only when I open a website!
    Then I have this in the log:
    2013:07:06-21:33:13 ******X-1 snort[6432]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="drop" reason="INDICATOR-OBFUSCATION Javascript indexOf rename attempt" group="320" srcip="141.0.19.125" dstip="LOCAL IP" proto="6" srcport="80" dstport="63411" sid="26616" class="Misc activity" priority="3" generator="1" msgid="0"


    Edit:
    You can try it by opening www.mcseboard.de as an example.
    Are there any blocks in your IPS log?
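
Bob's two questions (are all the blocks the same, and which sid) can be answered straight from the log. The following is an added example, not part of the original thread: it parses key="value" alert lines in the format quoted above and groups the drops by sid. The sample lines, host name, addresses and ports are constructed.

```python
import re
from collections import defaultdict

KV = re.compile(r'(\w+)="([^"]*)"')  # key="value" pairs as in the quoted alert

# Constructed sample data: the line layout, sid and reason come from the alert
# quoted in the thread; host name, addresses and ports are made up.
REASON = "INDICATOR-OBFUSCATION Javascript indexOf rename attempt"
TEMPLATE = ('2013:07:06-21:33:{sec} utm-1 snort[6432]: id="2101" severity="warn" '
            'sys="SecureNet" sub="ips" name="Intrusion protection alert" '
            'action="drop" reason="' + REASON + '" group="320" srcip="{src}" '
            'dstip="{dst}" proto="6" srcport="80" dstport="{dport}" sid="26616" '
            'class="Misc activity" priority="3" generator="1" msgid="0"')
SAMPLE_LINES = [
    TEMPLATE.format(sec=13, src="198.51.100.7", dst="192.0.2.10", dport=63411),
    TEMPLATE.format(sec=14, src="203.0.113.20", dst="192.0.2.11", dport=50122),
    TEMPLATE.format(sec=15, src="198.51.100.7", dst="192.0.2.12", dport=51800),
    '2013:07:06-21:33:16 utm-1 example[1]: sub="other" action="pass"',  # not IPS
]


def parse_alert(line):
    """Return the fields of one IPS alert line, or None for any other line."""
    fields = dict(KV.findall(line))
    return fields if fields.get("sub") == "ips" and "sid" in fields else None


def summarize(lines):
    """Group dropped alerts by sid: count, rule message, sources, targets, ports."""
    groups = defaultdict(lambda: {"count": 0, "reason": "", "srcips": set(),
                                  "dstips": set(), "srcports": set()})
    for line in lines:
        f = parse_alert(line)
        if f is None or f.get("action") != "drop":
            continue
        g = groups[f["sid"]]
        g["count"] += 1
        g["reason"] = f.get("reason", "")
        g["srcips"].add(f.get("srcip", "?"))
        g["dstips"].add(f.get("dstip", "?"))
        g["srcports"].add(f.get("srcport", "?"))
    return {sid: {k: sorted(v) if isinstance(v, set) else v for k, v in g.items()}
            for sid, g in groups.items()}


if __name__ == "__main__":
    for sid, g in summarize(SAMPLE_LINES).items():
        print(f'sid {sid}: {g["count"]} drops, "{g["reason"]}"')
        print(f'  sources {g["srcips"]} (ports {g["srcports"]}) -> {g["dstips"]}')
```

A single sid with source port 80 spread over several servers and clients shows that one signature is matching HTTP responses from different sites, which narrows any further troubleshooting to that rule.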
  • Is it only this site? Then I would alert the webmaster of that site.

    Sent from my Galaxy Nexus using Astaro.org

  • No, the problem happens with more sites.
    This is only an example.

    Sorry for any short responses! Sent from my iPhone using Astaro.org
  • Is it only German sites? Could you try www.etc-md.com?

  • Why not disable IPS rule 26616?

    Cheers - Bob

  • I'm not willing to assume it is a false positive without further troubleshooting.

  • Frankly, the first reaction to disable whatever is causing issues without troubleshooting has become a disturbing trend... not just here but around the industry, IMO.
