Possible faulty IPS/Snort update on 09 FEB about 12:34 UTC

I see in the German Forum that my customers weren't the only ones that experienced new false positives after this.

Did anyone else experience this?  The customers I had to help were on 7.510 or 7.511.

SID 12798 "SHELLCODE base64 x86 NOOP" (reported in the German Forum)
SID 15935 DNS responses from internal sources to internal sources
SID 17750 "DOS Microsoft IIS 7.5 client verify null pointer attempt"

And a bunch of SIDs concerning responses from web servers
4136, 5910, 6690, 6692, 6699, 6701, 11263, 12633, 12798, 16222, 16663 and 17543

Anyone else?  Are these new rules or newly turned-on rules because of a new threat or???

Cheers - Bob
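For anyone triaging a burst of alerts like the one above, a quick way to see which signatures are responsible, and whether the hits look like internal-to-internal traffic (the DNS case mentioned in the thread), is to aggregate the IPS log by SID. The script below is an added example, not code from the thread or from Sophos/Astaro. It assumes Snort's "fast" alert line format and RFC 1918 ranges as "internal"; the UTM's own log layout is not shown here, so adjust the regular expression to match it. The sample log lines are constructed for the example, reusing only the SIDs and rule names posted above.

```python
import re
from ipaddress import ip_address, ip_network

# SIDs reported in this thread as producing false positives after the 9 Feb update.
THREAD_SIDS = {12798, 15935, 17750, 4136, 5910, 6690, 6692, 6699, 6701,
               11263, 12633, 16222, 16663, 17543}

# Address ranges treated as "internal" for the internal-to-internal heuristic (assumption).
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"),
                 ip_network("192.168.0.0/16")]

# Snort "fast" alert format (assumed; the UTM's own log format is not shown in the thread):
# <timestamp>  [**] [gid:sid:rev] <msg> [**] [Classification: ...] [Priority: n] {proto} src:port -> dst:port
ALERT_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.*?)\s+\[\*\*\].*?\{(?P<proto>\w+)\}\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)\s*$"
)

# Constructed sample log: revisions, classifications and addresses are made up for the example.
SAMPLE_LOG = """\
02/09-12:40:01.123456  [**] [1:15935:7] DNS responses from internal sources to internal sources [**] [Classification: Misc activity] [Priority: 3] {UDP} 10.0.1.5:53 -> 10.0.8.20:51234
02/09-12:40:01.223456  [**] [1:15935:7] DNS responses from internal sources to internal sources [**] [Classification: Misc activity] [Priority: 3] {UDP} 10.0.1.5:53 -> 10.0.9.31:60412
02/09-12:41:10.000001  [**] [1:12798:5] SHELLCODE base64 x86 NOOP [**] [Classification: Executable code was detected] [Priority: 1] {TCP} 203.0.113.10:443 -> 10.0.8.20:49152
02/09-12:42:00.500000  [**] [1:17750:3] DOS Microsoft IIS 7.5 client verify null pointer attempt [**] [Classification: Attempted Denial of Service] [Priority: 2] {TCP} 198.51.100.7:51000 -> 10.0.1.80:443
02/09-12:43:22.250000  [**] [1:1000001:1] LOCAL constructed test rule [**] [Classification: Misc activity] [Priority: 3] {TCP} 192.0.2.9:4444 -> 10.0.8.20:49200
"""


def is_internal(addr):
    """True if the address falls inside one of the configured internal ranges."""
    ip = ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def parse_alert(line):
    """Parse one fast-format alert line into a dict, or return None if it does not match."""
    m = ALERT_RE.match(line)
    if not m:
        return None
    alert = m.groupdict()
    for key in ("gid", "sid", "rev", "sport", "dport"):
        alert[key] = int(alert[key])
    alert["src_internal"] = is_internal(alert["src"])
    alert["dst_internal"] = is_internal(alert["dst"])
    return alert


def summarize(lines):
    """Aggregate alerts by SID: hit count, rule message, first timestamp, internal-to-internal hits."""
    summary = {}
    for line in lines:
        alert = parse_alert(line)
        if alert is None:
            continue  # skip blank or non-alert lines
        entry = summary.setdefault(alert["sid"], {
            "msg": alert["msg"], "count": 0, "internal_to_internal": 0, "first_seen": alert["ts"]})
        entry["count"] += 1
        if alert["src_internal"] and alert["dst_internal"]:
            entry["internal_to_internal"] += 1
    return summary


def triage(summary):
    """Return {sid: [reasons]} for signatures worth reviewing after a suspect rule update:
    those named in the thread, and any whose hits are all internal-to-internal traffic."""
    flagged = {}
    for sid, entry in summary.items():
        reasons = []
        if sid in THREAD_SIDS:
            reasons.append("reported in thread")
        if entry["internal_to_internal"] == entry["count"]:
            reasons.append("all hits internal-to-internal")
        if reasons:
            flagged[sid] = reasons
    return flagged


if __name__ == "__main__":
    summary = summarize(SAMPLE_LOG.splitlines())
    for sid, reasons in sorted(triage(summary).items()):
        e = summary[sid]
        print(f"SID {sid}: {e['count']} hits, first {e['first_seen']}, {e['msg']!r}: {', '.join(reasons)}")
```

Run it against a real log with `summarize(open("/path/to/ips.log"))` after adapting the regex; the "reported in thread" reason is only a shortcut for the SIDs listed in this post, while the internal-to-internal check is the one that would have surfaced the DNS blocking on its own.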


  • We too, have been affected by the bad rules.   Apparently they released an update for version 8, that accidentally got applied to version 7.

    I just got off the phone with support, supposed a pattern update ending in 237 was released this morning.


    As I mentioned earlier, the issue was not limited to 7.5xx systems... the two systems I had with the issue were both 8.103 systems.

    CTO, Convergent Information Security Solutions, LLC

    https://www.convergesecurity.com

    Sophos Platinum Partner

    --------------------------------------

    Advice given as posted on this forum does not construe a support relationship or other relationship with Convergent Information Security Solutions, LLC or its subsidiaries.  Use the advice given at your own risk.

  • why no testing done with 7511 ?

    after update today seems resolved

    We have not upgraded to 8 as no easy method to upgrade vmware version

    Colin and Eric in UK
  • AGAIN:  The problems manifested themselves in 8.103 and 7.5xx systems... so the problem was not restricted to 7.x platforms.

    CTO, Convergent Information Security Solutions, LLC

    https://www.convergesecurity.com

    Sophos Platinum Partner

    --------------------------------------

    Advice given as posted on this forum does not construe a support relationship or other relationship with Convergent Information Security Solutions, LLC or its subsidiaries.  Use the advice given at your own risk.

  • Hi All,

    Same issue here.

    This knocked out DNS across my entire WAN (8 RED10 sites). IPS was blocking DNS lookups from RED10 clients to internal DNS servers... disabling DNS rules in IPS fixed it. v8.103

    It was a very bad morning.

    Mattrus

    UPDATE: I just re-enabled the rules and DNS traffic is now passing IPS fine... still though.