Offentliche Verwaltung Deutschland Group

 View Only
Expand all | Collapse all

Web Attack: Fake Scan Webpage 29 attack blocked.

Jump to Best Answer
  • 1.  Web Attack: Fake Scan Webpage 29 attack blocked.

    Posted Oct 14, 2015 10:58 AM

    Die Anzeige der Seite www.dshield.org wird seit heute browserunabhängig gesperrt; die Meldung in den Security-Logs dazu (Beispiel): "[SID: 28847] Web Attack: Fake Scan Webpage 29 attack blocked. Traffic has been blocked for this application: C:\PROGRAM FILES (X86)\MOZILLA FIREFOX\FIREFOX.EXE".

    Ist jemand zu informieren? Besteht tatsächlich Gefahr?

    Mit der Bitte um Aufklärung

    Peter Habermann

     



  • 2.  RE: Web Attack: Fake Scan Webpage 29 attack blocked.

    Posted Oct 14, 2015 11:03 AM

    I'm able to get to it without issue or alert. Latest NTP definitions are 10/13/2015 r13. Make sure you're at these.



  • 3.  RE: Web Attack: Fake Scan Webpage 29 attack blocked.

    Posted Oct 14, 2015 11:25 AM
      |   view attached

    Thanks Brian, definitions are the same. IDS is still blocking the site; I attached the Client-Management Security-Logs.

    DShield is remarkably the early-warning-system of SANS Internet Storm Center (ISC). May this be a local problem?

    Attachment(s)



  • 4.  RE: Web Attack: Fake Scan Webpage 29 attack blocked.

    Posted Oct 14, 2015 11:36 AM

    I can't really say, I'm able to access and browse the site just fine (no alerts). I tried with both IE and FF.

    Are you using a proxy server?



  • 5.  RE: Web Attack: Fake Scan Webpage 29 attack blocked.

    Posted Oct 14, 2015 11:46 AM

    Hallo Peter,

    Danke für den Beitrag. Sie können es als ein Verdacht auf Fehlalarm, wenn Sie glauben, dass vor Ort auslöst, dass IPS Ereignis in Fehler. https://submit.symantec.com/false_positive/

    Bitte bewahren Sie dieses Themas up-to-date mit Ihren Fortschritt!

    Vielen Dank!

    Mick

    _____________________________________________________________

     

    Hi Peter,

    Thanks for the post.  You can report it as a suspected False Positive if you believe that site is triggering that IPS event in error.  https://submit.symantec.com/false_positive/

    Please keep this thread up-to-date with your progress!

    Many thanks!

    Mick



  • 6.  RE: Web Attack: Fake Scan Webpage 29 attack blocked.

    Posted Oct 14, 2015 12:11 PM

    Hi Mick,

    thanks, report done. And yes, I will.



  • 7.  RE: Web Attack: Fake Scan Webpage 29 attack blocked.

    Posted Oct 14, 2015 12:12 PM

    Thanks - and yes, we are using a proxy server. The IP in the logs - 192.168.245.14 - is actually our proxy server.



  • 8.  RE: Web Attack: Fake Scan Webpage 29 attack blocked.

    Posted Oct 14, 2015 12:17 PM

    Can you bypass it as test just for verification?



  • 9.  RE: Web Attack: Fake Scan Webpage 29 attack blocked.

    Posted Oct 14, 2015 01:09 PM

    Thanks, good idea. I'll check this option tomorrow.



  • 10.  RE: Web Attack: Fake Scan Webpage 29 attack blocked.

    Posted Oct 14, 2015 02:59 PM

    I got the same alert when I tried to access the site in your post.

    IPS alert.PNG

    Details on this attack: http://www.symantec.com/security_response/attacksignatures/detail.jsp?asid=28847

    If you are sure that this is not a malicious site, you should report this issue to the site administrator so that they can check whats wrong with their site. If this is really a false positive, they can also work with Symantec to solve the issue.



  • 11.  RE: Web Attack: Fake Scan Webpage 29 attack blocked.

    Posted Oct 15, 2015 04:05 AM

    Thanks Seyad,

    the site administrator is informed, awaiting reply. The today diary of dshield.org is shown without any blocking, so I guess it was the code on the yesterday diary, being misinterpreted as an attack.



  • 12.  RE: Web Attack: Fake Scan Webpage 29 attack blocked.
    Best Answer

    Posted Oct 15, 2015 04:21 AM

    Hello,

    This is a false positive attack based on the content of my yesterday's diary regarding based BSOD phone scam. The fact that the page contains sample of HTML code seems to trigger your IDS rule.

    KR,

    Xavier
    ISC Handler