EduGeek.net Site Problems thread in EduGeek Stuff: Sophos UTM - IPS Alerts when visiting EduGeek
  1. #1 Gatt

    Sophos UTM - IPS Alerts when visiting EduGeek

    Last few times I've visited EduGeek @ Home, Sophos UTM 9 sends me a half dozen IPS Alerts similar to this...

    Intrusion Prevention Alert

    An intrusion has been detected. The packet has been dropped automatically.
    You can toggle this rule between "drop" and "alert only" in WebAdmin.

    Details about the intrusion alert:

    Message........: MALWARE-OTHER HTTP POST request to a JPG file
    Details........: Snort ::
    Time...........: 2013-05-18 14:11:18
    Packet dropped.: yes
    Priority.......: medium
    Classification.: Detection of a non-standard protocol or event
    IP protocol....: 6 (TCP)

    Source IP address: 192.168.0.4 (proxy)
    - Professional Toolset | DNSstuff
    - Database Query
    - http://ws.arin.net/cgi-bin/whois.pl?...ut=192.168.0.4
    - APNIC - Query the APNIC Whois Database
    Source port: 49989
    Destination IP address: 78.47.226.90 (www.edugeek.net)
    - Professional Toolset | DNSstuff
    - Database Query
    - http://ws.arin.net/cgi-bin/whois.pl?...t=78.47.226.90
    - APNIC - Query the APNIC Whois Database
    Destination port: 80 (http)

    --
    System Uptime : 4 days 6 hours 21 minutes
    System Load : 0.39
    System Version : Sophos UTM 9.100-16

    Please refer to the manual for detailed instructions.

    It seems to not be liking something coming back on TCP Port 6


  2. #2 ZeroHour
    Hmmm, not sure, as we don't host anything on port 6 (it's firewalled as well).

  3. Thanks to ZeroHour from:

    Gatt (21st May 2013)

  4. #3 tom_newton
    It looks more likely that it's the "Post request to a jpg" rule (which seems reasonably kosher to me) that's causing the issue - I suspect you will find some missing images in EduGeek, almost certainly a dynamically generated one. I suggest you disable the rule; it seems a bit OTT.

  5. Thanks to tom_newton from:

    Gatt (21st May 2013)

  6. #4 Domino

    [Attached image: Capture.JPG]

    Good Guy Tom
    Last edited by Domino; 21st May 2013 at 05:33 PM.

  7. 3 Thanks to Domino:

    Gatt (21st May 2013), john (22nd May 2013), tom_newton (21st May 2013)

  8. #5 SimonD
    Also, that's protocol 6 (TCP), not port 6; you are for sure using this on port 80 at least.

  9. Thanks to SimonD from:

    Gatt (21st May 2013)
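
    The alert quoted in post #1 is easy to misread, as this thread shows: the "IP protocol....: 6 (TCP)" line is the IANA transport-protocol number, while the port sits in the separate "Destination port: 80 (http)" field. As an added example (not code from the thread, from EduGeek or from Sophos), here is a small Python parser for that dotted-field Sophos UTM notification layout that pulls out the signature, the transport protocol by number, and both endpoints, so a batch of these emails can be triaged before deciding whether a rule should be switched to "alert only" rather than "drop". The sample alert body is constructed from the values quoted in post #1; the protocol-number table is an assumed subset of the IANA registry.

```python
import re
from dataclasses import dataclass
from typing import Dict, Optional

# Constructed sample: the body of a Sophos UTM 9 IPS notification in the
# dotted "Field....: value" layout seen in the thread (values from post #1).
SAMPLE_ALERT = """\
Details about the intrusion alert:

Message........: MALWARE-OTHER HTTP POST request to a JPG file
Details........: Snort ::
Time...........: 2013-05-18 14:11:18
Packet dropped.: yes
Priority.......: medium
Classification.: Detection of a non-standard protocol or event
IP protocol....: 6 (TCP)

Source IP address: 192.168.0.4 (proxy)
Source port: 49989
Destination IP address: 78.47.226.90 (www.edugeek.net)
Destination port: 80 (http)
"""

# Assumed subset of the IANA protocol-number registry; enough for the
# transports an edge firewall normally reports on.
IP_PROTOCOLS = {1: "ICMP", 6: "TCP", 17: "UDP", 47: "GRE", 50: "ESP", 58: "ICMPv6"}

# Matches "Label....: value" (dot padding) and "Label: value" (no padding).
FIELD_RE = re.compile(r"^([A-Za-z][A-Za-z ]*?)\.*\s*:\s*(.*)$")


def parse_fields(text: str) -> Dict[str, str]:
    """Turn the alert body into {label: value}, dropping the dot padding and empty fields."""
    fields: Dict[str, str] = {}
    for line in text.splitlines():
        m = FIELD_RE.match(line.strip())
        if m and m.group(2).strip():
            fields[m.group(1).strip()] = m.group(2).strip()
    return fields


@dataclass
class IpsAlert:
    message: str
    time: str
    dropped: bool
    priority: str
    protocol_number: Optional[int]
    src_ip: str
    src_port: Optional[int]
    dst_ip: str
    dst_port: Optional[int]

    @property
    def protocol_name(self) -> str:
        # Decode the transport by number; unknown numbers are shown as proto-N.
        return IP_PROTOCOLS.get(self.protocol_number, f"proto-{self.protocol_number}")


def _leading_int(value: str) -> Optional[int]:
    """'6 (TCP)' -> 6, '80 (http)' -> 80, '' -> None."""
    m = re.match(r"\d+", value)
    return int(m.group()) if m else None


def _leading_ip(value: str) -> str:
    """'192.168.0.4 (proxy)' -> '192.168.0.4'."""
    return value.split()[0] if value else ""


def parse_alert(text: str) -> IpsAlert:
    """Build a structured record from one notification body."""
    f = parse_fields(text)
    return IpsAlert(
        message=f.get("Message", ""),
        time=f.get("Time", ""),
        dropped=f.get("Packet dropped", "").lower() == "yes",
        priority=f.get("Priority", ""),
        protocol_number=_leading_int(f.get("IP protocol", "")),
        src_ip=_leading_ip(f.get("Source IP address", "")),
        src_port=_leading_int(f.get("Source port", "")),
        dst_ip=_leading_ip(f.get("Destination IP address", "")),
        dst_port=_leading_int(f.get("Destination port", "")),
    )


def summarize(alert: IpsAlert) -> str:
    """One-line triage summary: which signature fired, over which transport, between which endpoints."""
    action = "dropped" if alert.dropped else "alerted"
    return (f"{alert.time} [{alert.priority}] {action}: {alert.message!r} "
            f"{alert.protocol_name} {alert.src_ip}:{alert.src_port} -> {alert.dst_ip}:{alert.dst_port}")


if __name__ == "__main__":
    print(summarize(parse_alert(SAMPLE_ALERT)))
```

    Running it on the sample prints a line ending in "TCP 192.168.0.4:49989 -> 78.47.226.90:80", which makes the protocol-versus-port distinction obvious at a glance; grouping many such lines by signature and destination is a quick way to see whether a rule is firing only on a site you already trust before relaxing it.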

  10. #6 tom_newton
    Hey we're all buddies together on here, right?

    Guy in the pic reminds me of Gav for some reason.... ;-P

  11. Thanks to tom_newton from:

    john (22nd May 2013)

  12. #7 Gatt
    Thanks for the info; I've already turned off one IPS rule after it spammed me for having BitTorrent running! (25 alerts per second isn't good!)
    I'll shut this one off too...
