Juergen Bruckner
2013-09-09 12:20:21 UTC
I am deliberately writing to both the support list and the de list.
Hello everyone!
Can any of you make sense of this?
To me these alerts look very much like false positives.
-------- Original Message --------
Subject: [astaro.vlan2.####.net][WARN-852] Intrusion Prevention Alert (Packet dropped)
Date: Mon, 9 Sep 2013 09:32:41 +0200
From: Firewall Notification System <do-not-reply-***@public.gmane.org>
To: <anonymous>
Intrusion Prevention Alert
An intrusion has been detected. The packet has been dropped automatically.
You can toggle this rule between "drop" and "alert only" in WebAdmin.
Details about the intrusion alert:
Message........: FILE-OTHER Multiple products ZIP archive virus
detection bypass attempt
Details........: http://www.snort.org/search/sid/26989?r=1
Time...........: 2013-09-09 09:32:41
Packet dropped.: yes
Priority.......: medium
Classification.: Potentially Bad Traffic
IP protocol....: 6 (TCP)
Source IP address: 213.154.225.238 (oophaga-11.colo.bit.nl)
- http://www.dnsstuff.com/tools/ptr.ch?ip=213.154.225.238
- http://www.ripe.net/perl/whois?query=213.154.225.238
- http://ws.arin.net/cgi-bin/whois.pl?queryinput=213.154.225.238
- http://cgi.apnic.net/apnic-bin/whois.pl?search=213.154.225.238
Source port: 80 (http)
Destination IP address: 91.118.##.## (###.####.net)
- http://www.dnsstuff.com/tools/ptr.ch?ip=91.118.##.##
- http://www.ripe.net/perl/whois?query=91.118.##.##
- http://ws.arin.net/cgi-bin/whois.pl?queryinput=91.118.##.##
- http://cgi.apnic.net/apnic-bin/whois.pl?search=91.118.##.##
Destination port: 37855
-- System Uptime : 18 days 10 hours 28 minutes
System Load : 0.17
System Version : Sophos UTM 9.105-9
Please refer to the manual for detailed instructions.
###
-------- Original Message --------
Subject: [astaro.vlan2.####.net][CRIT-852] Intrusion Prevention Alert (Packet dropped)
Date: Mon, 9 Sep 2013 09:43:54 +0200
From: Firewall Notification System <do-not-reply-***@public.gmane.org>
To: <anonymous>
Intrusion Prevention Alert
An intrusion has been detected. The packet has been dropped automatically.
You can toggle this rule between "drop" and "alert only" in WebAdmin.
Details about the intrusion alert:
Message........: FILE-PDF Foxit Reader title overflow attempt
Details........: http://www.snort.org/search/sid/20445?r=1
Time...........: 2013-09-09 09:43:54
Packet dropped.: yes
Priority.......: high
Classification.: Attempted User Privilege Gain
IP protocol....: 6 (TCP)
Source IP address: 213.154.225.238 (oophaga-11.colo.bit.nl)
- http://www.dnsstuff.com/tools/ptr.ch?ip=213.154.225.238
- http://www.ripe.net/perl/whois?query=213.154.225.238
- http://ws.arin.net/cgi-bin/whois.pl?queryinput=213.154.225.238
- http://cgi.apnic.net/apnic-bin/whois.pl?search=213.154.225.238
Source port: 80 (http)
Destination IP address: 91.118.##.## (###.####.net)
- http://www.dnsstuff.com/tools/ptr.ch?ip=91.118.##.##
- http://www.ripe.net/perl/whois?query=91.118.##.##
- http://ws.arin.net/cgi-bin/whois.pl?queryinput=91.118.##.##
- http://cgi.apnic.net/apnic-bin/whois.pl?search=91.118.##.##
Destination port: 33667
-- System Uptime : 18 days 10 hours 40 minutes
System Load : 0.14
System Version : Sophos UTM 9.105-9
Please refer to the manual for detailed instructions.
Best regards
Jürgen
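An added example, not code from the post, from Sophos or from the Snort project: a small parser for the "Name....: value" block of these UTM IPS notifications plus a first triage pass. It is built on the assumption that the field layout is exactly as quoted above (dotted padding before the colon, whois link lines starting with "- ", a "-- System Uptime" trailer, long values wrapped onto the next line). The two sample bodies are constructed from the alerts in the post; the field names, the Snort SIDs 26989 and 20445 and the ports are the ones shown, the "##" redactions are kept as posted, and `WELL_KNOWN`, `direction()` and `triage()` are this example's own helpers.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Two notification bodies constructed to mirror the alerts quoted in the post
# (same fields, SIDs and ports; the redacted "##" placeholders kept as posted).
SAMPLE_BODIES = [
    """Message........: FILE-OTHER Multiple products ZIP archive virus
detection bypass attempt
Details........: http://www.snort.org/search/sid/26989?r=1
Packet dropped.: yes
Priority.......: medium
Classification.: Potentially Bad Traffic
Source IP address: 213.154.225.238 (oophaga-11.colo.bit.nl)
- http://www.ripe.net/perl/whois?query=213.154.225.238
Source port: 80 (http)
Destination IP address: 91.118.##.## (###.####.net)
Destination port: 37855
-- System Uptime : 18 days 10 hours 28 minutes System Load : 0.17
""",
    """Message........: FILE-PDF Foxit Reader title overflow attempt
Details........: http://www.snort.org/search/sid/20445?r=1
Packet dropped.: yes
Priority.......: high
Classification.: Attempted User Privilege Gain
Source IP address: 213.154.225.238 (oophaga-11.colo.bit.nl)
Source port: 80 (http)
Destination IP address: 91.118.##.## (###.####.net)
Destination port: 33667
""",
]

FIELD_RE = re.compile(r"^([A-Za-z][A-Za-z ]*?)[. ]*:\s*(.*)$")  # dots are padding
SID_RE = re.compile(r"/sid/(\d+)")
WELL_KNOWN = {21: "ftp", 25: "smtp", 80: "http", 443: "https"}  # example's own table


@dataclass
class IpsAlert:
    message: str
    sid: Optional[int]
    dropped: bool
    priority: str
    classification: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


def parse_fields(body: str) -> Dict[str, str]:
    """'Name...: value' lines to a dict; wrapped values are re-joined."""
    fields: Dict[str, str] = {}
    current: Optional[str] = None
    for raw in body.splitlines():
        line = raw.strip()
        if line.startswith("--"):      # "-- System Uptime ..." trailer: done
            break
        if not line or line.startswith("- "):   # blank line, or lookup link
            continue
        m = FIELD_RE.match(line)
        if m:
            current = m.group(1).strip()
            fields[current] = m.group(2).strip()
        elif current is not None:      # continuation of a wrapped value
            fields[current] = f"{fields[current]} {line}"
    return fields


def parse_alert(body: str) -> IpsAlert:
    f = parse_fields(body)
    sid = SID_RE.search(f.get("Details", ""))

    def first(key: str) -> str:        # "80 (http)" -> "80", "ip (host)" -> "ip"
        return f[key].split()[0]

    return IpsAlert(
        message=f["Message"], sid=int(sid.group(1)) if sid else None,
        dropped=f.get("Packet dropped", "").lower() == "yes",
        priority=f["Priority"].lower(), classification=f["Classification"],
        src_ip=first("Source IP address"), src_port=int(first("Source port")),
        dst_ip=first("Destination IP address"), dst_port=int(first("Destination port")),
    )


def direction(a: IpsAlert) -> str:
    """Port-role hint: a well-known source port and an ephemeral destination
    port mean the dropped packet is a server reply the destination host asked for."""
    if a.src_port in WELL_KNOWN and a.dst_port >= 1024:
        return f"{WELL_KNOWN[a.src_port]} reply to client {a.dst_ip}"
    if a.dst_port in WELL_KNOWN and a.src_port >= 1024:
        return f"{WELL_KNOWN[a.dst_port]} request from client {a.src_ip}"
    return "undetermined"


def triage(bodies: List[str]) -> Dict[str, List[dict]]:
    """Group alerts by source IP so repeated hits from one origin stand out."""
    grouped: Dict[str, List[dict]] = {}
    for a in map(parse_alert, bodies):
        grouped.setdefault(a.src_ip, []).append({
            "sid": a.sid, "rule": a.message, "priority": a.priority,
            "dropped": a.dropped, "direction": direction(a)})
    return grouped
```

Running `triage(SAMPLE_BODIES)` on the two bodies yields one group keyed by 213.154.225.238 with both file-content rules in it, each tagged as an HTTP reply to the 91.118.##.## client, which is the first thing to check before deciding between "drop" and "alert only" for a FILE-* rule: the flagged bytes are part of a download the client requested, so the next step is to identify what that client fetched from the server at 09:32 and 09:43, not to treat the source as an inbound attacker.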