Hi All, We are seeing a possible false-positive IPS detection with downloads from the Microsoft Partner portal;
in short, the downloads starts normally then stalls at a around 1MB downloaded, it then then hangs and usually fails, interestingly hitting retry can result in the download running through as it should without further error.
When the download starts the following log entry can be seen in the IPS log on the UTM:
2019:02:14-16:46:26 aumelgw01-1 snort[23264]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="drop" reason="OS-WINDOWS Total Meltdown side-channel information leak attempt" group="500" srcip="60.254.148.80" dstip="my.WAN.ip.address" proto="6" srcport="80" dstport="41205" sid="46429" class="Attempted Administrator Privilege Gain" priority="1" generator="1" msgid="0"
When I disable IPS the downloads work normally, So I tried creating an exception for IPS for the IP's involved (for me this currently seems to alternate between 60.254.148.80 and 60.254.148.81) and appear to be Akamai hosted)
as below:
| Skipping: | Intrusion Protection / Anti-Portscan / Anti-DoS/Flooding TCP / Anti-DoS/Flooding UDP / Anti-DoS/Flooding ICMP |
| coming from these source networks: |
|
| or going to these networks: |
|
I know this likely isn't the best way, but in any case the exception does not work and the download behavior + log entries confirming the IPS drop-action remain until I turn IPS off entirely.
We are currently running Firmware version: 9.510-5 and Pattern version: 157795 but the problem has been there before the latest updates
I'll do some further testing with other download from the site and add here but in the meantime if anyone would kinly point me in the right direction It'd be greatly appreciated.
Kind Regards,
David
This thread was automatically locked due to age.
