I use Sophos UTM 9.708-6 (software version) as my gateway device. Behind it, I host CentOS Web Panel (http://centos-webpanel.com/). A Snort rule is being triggered when I try to update CWP.
The rule: 21420 (www.snort.org/.../1-21420)
IPS log snippet:
2021:12:17-09:43:17 gateway snort[27335]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="drop" reason="FILE-OTHER RealNetworks RealPlayer compressed skin overflow attempt" group="340" srcip="151.80.90.199" dstip="192.168.0.110" proto="6" srcport="80" dstport="46488" sid="21420" class="Attempted User Privilege Gain" priority="1" generator="1" msgid="0"
2021:12:17-09:44:41 gateway snort[27335]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="drop" reason="FILE-OTHER RealNetworks RealPlayer compressed skin overflow attempt" group="340" srcip="198.27.104.40" dstip="192.168.0.110" proto="6" srcport="80" dstport="49798" sid="21420" class="Attempted User Privilege Gain" priority="1" generator="1" msgid="0"
2021:12:17-09:44:41 gateway snort[27335]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="drop" reason="FILE-OTHER RealNetworks RealPlayer compressed skin overflow attempt" group="340" srcip="198.27.104.40" dstip="192.168.0.110" proto="6" srcport="80" dstport="49798" sid="21420" class="Attempted User Privilege Gain" priority="1" generator="1" msgid="0"
2021:12:17-09:45:21 gateway snort[27335]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="drop" reason="FILE-OTHER RealNetworks RealPlayer compressed skin overflow attempt" group="340" srcip="137.74.148.116" dstip="192.168.0.110" proto="6" srcport="80" dstport="52826" sid="21420" class="Attempted User Privilege Gain" priority="1" generator="1" msgid="0"
I tried adding an IPS exception but it did not help. Based on the log file above, can someone provide a sample IPS exception that should work?
What did work was disabling that rule and rebooting the Sophos UTM. Simply reloading the Snort rules was not sufficient ¯\_(ツ)_/¯
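The following is an added example, not code from the thread or from Sophos: a small Python parser for the UTM IPS log lines quoted in the post (the four lines are pasted in verbatim as sample input). It extracts the key="value" fields, counts alerts per (sid, srcip, dstip), and checks which alerts a candidate exception would still leave uncovered. The exception model used here (a set of Snort SIDs, plus optional source and destination IP sets that all have to match) is a simplification assumed for illustration; it is not the UTM's real exception semantics. Note that srcport is 80 on every line, so the "source" of the alert is the remote web server returning the update files, which is why an exception written only against the internal host does not constrain the right side of the connection.

```python
import re
from collections import Counter

# The four alert lines quoted in the post above, copied verbatim.
SAMPLE_LOG = [
    '2021:12:17-09:43:17 gateway snort[27335]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="drop" reason="FILE-OTHER RealNetworks RealPlayer compressed skin overflow attempt" group="340" srcip="151.80.90.199" dstip="192.168.0.110" proto="6" srcport="80" dstport="46488" sid="21420" class="Attempted User Privilege Gain" priority="1" generator="1" msgid="0"',
    '2021:12:17-09:44:41 gateway snort[27335]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="drop" reason="FILE-OTHER RealNetworks RealPlayer compressed skin overflow attempt" group="340" srcip="198.27.104.40" dstip="192.168.0.110" proto="6" srcport="80" dstport="49798" sid="21420" class="Attempted User Privilege Gain" priority="1" generator="1" msgid="0"',
    '2021:12:17-09:44:41 gateway snort[27335]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="drop" reason="FILE-OTHER RealNetworks RealPlayer compressed skin overflow attempt" group="340" srcip="198.27.104.40" dstip="192.168.0.110" proto="6" srcport="80" dstport="49798" sid="21420" class="Attempted User Privilege Gain" priority="1" generator="1" msgid="0"',
    '2021:12:17-09:45:21 gateway snort[27335]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="drop" reason="FILE-OTHER RealNetworks RealPlayer compressed skin overflow attempt" group="340" srcip="137.74.148.116" dstip="192.168.0.110" proto="6" srcport="80" dstport="52826" sid="21420" class="Attempted User Privilege Gain" priority="1" generator="1" msgid="0"',
]

# Syslog-style prefix: timestamp, hostname, "snort[pid]:".
HEADER_RE = re.compile(r'^(?P<ts>\S+)\s+(?P<host>\S+)\s+snort\[(?P<pid>\d+)\]:\s*')
# The remainder is a sequence of key="value" pairs; values may contain spaces.
KV_RE = re.compile(r'(\w+)="([^"]*)"')


def parse_ips_line(line: str) -> dict:
    """Turn one UTM IPS log line into a flat dict of its fields."""
    m = HEADER_RE.match(line)
    if not m:
        raise ValueError("not a UTM snort log line: %r" % line[:60])
    fields = dict(m.groupdict())
    fields.update(KV_RE.findall(line[m.end():]))
    return fields


def summarize(lines):
    """Count alerts per (sid, srcip, dstip, action) so the noisy tuples stand out."""
    counts = Counter()
    for line in lines:
        f = parse_ips_line(line)
        counts[(f["sid"], f["srcip"], f["dstip"], f["action"])] += 1
    return counts


def uncovered_alerts(lines, sids, src_ips=None, dst_ips=None):
    """Return the parsed alerts a candidate exception would NOT suppress.

    Simplified exception model (an assumption for this example, not the UTM's
    real semantics): the exception skips rule `sid` if it is in `sids`, and,
    when `src_ips` / `dst_ips` are given, only for traffic whose srcip /
    dstip is in those sets.
    """
    leftover = []
    for line in lines:
        f = parse_ips_line(line)
        covered = (
            f["sid"] in sids
            and (src_ips is None or f["srcip"] in src_ips)
            and (dst_ips is None or f["dstip"] in dst_ips)
        )
        if not covered:
            leftover.append(f)
    return leftover


if __name__ == "__main__":
    for (sid, src, dst, action), n in summarize(SAMPLE_LOG).most_common():
        print("sid=%s %s -> %s action=%s x%d" % (sid, src, dst, action, n))
    # An exception keyed only on the internal host misses nothing here, but an
    # exception listing a single update mirror leaves the other mirrors blocked.
    print(len(uncovered_alerts(SAMPLE_LOG, {"21420"}, dst_ips={"192.168.0.110"})), "left with dst-only exception")
    print(len(uncovered_alerts(SAMPLE_LOG, {"21420"}, src_ips={"151.80.90.199"})), "left with one-mirror exception")
```

Run it against a larger slice of /var/log/ips.log to see every distinct (sid, srcip, dstip) tuple before deciding whether to scope an exception to the internal host, to the set of update mirrors, or to the SID alone; the two `uncovered_alerts` calls at the bottom show how a too-narrow source set silently leaves some alerts in place.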