
IPS blocks - False Positive

Hello everyone!

IPS blocks many services, like Steam etc.
In the log file I always find these two rules:
2013:10:01-21:58:09 ******X-1 snort[8259]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="alert" reason="FILE-OTHER Multiple products ZIP archive virus detection bypass attempt" group="500" srcip="23.0.174.48" dstip="192.***.***.***" proto="6" srcport="80" dstport="58919" sid="26926" class="Potentially Bad Traffic" priority="2" generator="1" msgid="0"

2013:10:01-21:58:23 ******X-1 snort[8259]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="drop" reason="FILE-OTHER Multiple products ZIP archive virus detection bypass attempt" group="500" srcip="23.0.174.48" dstip="192.***.***.***" proto="6" srcport="80" dstport="58919" sid="26989" class="Potentially Bad Traffic" priority="2" generator="1" msgid="0" 
If I disable these two rules everything works fine! But what are these two rules?
And why must I constantly exclude rules?

  • Hi,
    IPS rules sometimes have false positives.

    Googling for those SIDs finds:
    Snort ::
    Snort ::

    If you're not using ancient versions of McAfee, they're safe to disable.

    Barry
  • SID 12632 gets false positives when downloading some MP3 podcasts:

    2013:10:25-20:21:13 fw snort[8636]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="drop" reason="OS-WINDOWS Microsoft Windows 2000 Kodak Imaging large offset malformed jpeg tables" group="110" srcip="93.184.215.163" dstip="192.168.1.13" proto="6" srcport="80" dstport="62912" sid="12632" class="Attempted User Privilege Gain" priority="1"  generator="1" msgid="0"


    Snort ::
    Shows that this vulnerability hasn't existed since WinXP SP2.

    Another example of old rules that should be disabled, imo.
    Increase Attack Patterns selections in IPS settings

    Barry
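Added example, not from this thread or from the UTM product: a small Python triage script for the IPS log format quoted in the first post and in the reply above (the key="value" pairs after snort[pid]:). It groups events per SID with action counts, distinct sources and whether the hit was on a web server's reply to an internal client, so noisy rules like the ones above are reviewed deliberately before being excluded. The sample lines are constructed in that format; the host name and source addresses are placeholders.

```python
import re
from collections import Counter
from ipaddress import ip_address
# A UTM IPS log line: timestamp, hostname, 'snort[pid]:' and then key="value" pairs.
PREFIX_RE = re.compile(r'^(\S+)\s+(\S+)\s+snort\[\d+\]:\s*(.*)$')
KV_RE = re.compile(r'(\w+)="([^"]*)"')

def parse_ips_line(line):
    """Return the fields of one snort IPS line as a dict, or None for other lines."""
    m = PREFIX_RE.match(line.strip())
    if not m:
        return None
    fields = dict(KV_RE.findall(m.group(3)))
    fields.update(timestamp=m.group(1), host=m.group(2))
    return fields

def is_server_reply(rec):
    """True when the event sits on a web server's reply to an internal client (source
    port 80/443, private destination), i.e. a download was blocked, as in the thread."""
    return rec.get("srcport") in ("80", "443") and ip_address(rec["dstip"]).is_private

def summarise_by_sid(lines):
    """Group IPS events by SID (rule message, action counts, distinct sources, hits on
    server replies) so the noisiest signatures can be reviewed instead of excluded blindly."""
    summary = {}
    for line in lines:
        rec = parse_ips_line(line)
        if rec is None or rec.get("sub") != "ips":
            continue
        e = summary.setdefault(rec["sid"], {"reason": rec["reason"], "actions": Counter(),
                                             "sources": set(), "server_replies": 0})
        e["actions"][rec["action"]] += 1
        e["sources"].add(rec["srcip"])
        e["server_replies"] += is_server_reply(rec)
    return summary

# Constructed sample lines in the thread's format; source IPs are documentation-range placeholders.
TEMPLATE = ('2013:10:01-21:58:{sec:02d} fw snort[8259]: id="2101" severity="warn" sys="SecureNet" '
            'sub="ips" name="Intrusion protection alert" action="{action}" reason="{reason}" group="500" '
            'srcip="{src}" dstip="192.168.1.13" proto="6" srcport="80" dstport="58919" sid="{sid}" '
            'class="Potentially Bad Traffic" priority="2" generator="1" msgid="0"')
ZIP = "FILE-OTHER Multiple products ZIP archive virus detection bypass attempt"
JPEG = "OS-WINDOWS Microsoft Windows 2000 Kodak Imaging large offset malformed jpeg tables"
SAMPLE_LOG = [
    TEMPLATE.format(sec=9, action="alert", reason=ZIP, src="198.51.100.7", sid="26926"),
    TEMPLATE.format(sec=23, action="drop", reason=ZIP, src="198.51.100.7", sid="26989"),
    TEMPLATE.format(sec=40, action="drop", reason=ZIP, src="198.51.100.9", sid="26989"),
    TEMPLATE.format(sec=55, action="drop", reason=JPEG, src="198.51.100.20", sid="12632"),
    '2013:10:01-21:59:01 fw ulogd[4001]: id="2001" sub="packetfilter" action="drop"',  # not IPS
]
```

Run it against the real log (e.g. one line per entry from the IPS log file) and a SID whose drops all land on server replies to your own clients is a candidate for a deliberate exclusion, as Barry suggests for outdated rules.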