Öffentliche Verwaltung Deutschland Group


Web Attack: Fake Scan Webpage 29 attack blocked.

  • 1.  Web Attack: Fake Scan Webpage 29 attack blocked.

    Posted Oct 14, 2015 10:58 AM

    Since today, display of the page www.dshield.org has been blocked regardless of browser; the corresponding message in the security logs (example): "[SID: 28847] Web Attack: Fake Scan Webpage 29 attack blocked. Traffic has been blocked for this application: C:\PROGRAM FILES (X86)\MOZILLA FIREFOX\FIREFOX.EXE".

    Does anyone need to be informed? Is there actually a danger?

    With a request for clarification,

    Peter Habermann




  • 2.  RE: Web Attack: Fake Scan Webpage 29 attack blocked.

    Posted Oct 14, 2015 11:03 AM

    I'm able to get to it without issue or alert. Latest NTP definitions are 10/13/2015 r13. Make sure you're at these.



  • 3.  RE: Web Attack: Fake Scan Webpage 29 attack blocked.

    Posted Oct 14, 2015 11:25 AM

    Thanks Brian, definitions are the same. IDS is still blocking the site; I attached the Client-Management Security-Logs.

    DShield is, remarkably, the early-warning system of the SANS Internet Storm Center (ISC). Could this be a local problem?



  • 4.  RE: Web Attack: Fake Scan Webpage 29 attack blocked.

    Posted Oct 14, 2015 11:36 AM

    I can't really say, I'm able to access and browse the site just fine (no alerts). I tried with both IE and FF.

    Are you using a proxy server?



  • 5.  RE: Web Attack: Fake Scan Webpage 29 attack blocked.

    Posted Oct 14, 2015 11:46 AM


    Hi Peter,

    Thanks for the post. You can report it as a suspected False Positive if you believe that site is triggering that IPS event in error: https://submit.symantec.com/false_positive/

    Please keep this thread up-to-date with your progress!

    Many thanks!

    Mick



  • 6.  RE: Web Attack: Fake Scan Webpage 29 attack blocked.

    Posted Oct 14, 2015 12:11 PM

    Hi Mick,

    Thanks, report done. And yes, I will.



  • 7.  RE: Web Attack: Fake Scan Webpage 29 attack blocked.

    Posted Oct 14, 2015 12:12 PM

    Thanks - and yes, we are using a proxy server. The IP in the logs - 192.168.245.14 - is actually our proxy server.



  • 8.  RE: Web Attack: Fake Scan Webpage 29 attack blocked.

    Posted Oct 14, 2015 12:17 PM

    Can you bypass it as a test, just for verification?



  • 9.  RE: Web Attack: Fake Scan Webpage 29 attack blocked.

    Posted Oct 14, 2015 01:09 PM

    Thanks, good idea. I'll check this option tomorrow.



  • 10.  RE: Web Attack: Fake Scan Webpage 29 attack blocked.

    Posted Oct 14, 2015 02:59 PM

    I got the same alert when I tried to access the site in your post.


    Details on this attack: http://www.symantec.com/security_response/attacksignatures/detail.jsp?asid=28847

    If you are sure that this is not a malicious site, you should report this issue to the site administrator so that they can check what's wrong with their site. If this is really a false positive, they can also work with Symantec to solve the issue.



  • 11.  RE: Web Attack: Fake Scan Webpage 29 attack blocked.

    Posted Oct 15, 2015 04:05 AM

    Thanks Seyad,

    the site administrator is informed, awaiting reply. Today's diary on dshield.org is displayed without any blocking, so I guess it was the code in yesterday's diary that was misinterpreted as an attack.



  • 12.  RE: Web Attack: Fake Scan Webpage 29 attack blocked.
    Best Answer

    Posted Oct 15, 2015 04:21 AM

    Hello,

    This is a false positive based on the content of my diary from yesterday regarding the BSOD phone scam. The fact that the page contains a sample of HTML code seems to trigger your IDS rule.

    KR,

    Xavier
    ISC Handler
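An added triage helper, not part of the thread: it parses the client IPS log message format quoted in post 1 (signature ID, signature name, blocked application) and flags events whose remote host is the proxy address mentioned in post 7, since behind a forward proxy such an event cannot identify the site that served the content. The tab-separated column layout and every message except the first are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample in a simplified "date<TAB>remote host<TAB>message" layout.
# The first message is the one quoted in the thread; the remote host on the
# first two lines is the proxy address from post 7. SID 99999 is a placeholder.
SAMPLE_LOG = """\
2015-10-14 10:40:12\t192.168.245.14\t[SID: 28847] Web Attack: Fake Scan Webpage 29 attack blocked. Traffic has been blocked for this application: C:\\PROGRAM FILES (X86)\\MOZILLA FIREFOX\\FIREFOX.EXE
2015-10-14 10:41:03\t192.168.245.14\t[SID: 28847] Web Attack: Fake Scan Webpage 29 attack blocked. Traffic has been blocked for this application: C:\\PROGRAM FILES\\INTERNET EXPLORER\\IEXPLORE.EXE
2015-10-14 10:55:40\t203.0.113.7\t[SID: 99999] Example Signature attack blocked. Traffic has been blocked for this application: C:\\TOOLS\\CURL.EXE
2015-10-14 10:56:00\t203.0.113.7\tSome unrelated client log line
"""

# Addresses of forward proxies in this (constructed) environment.
PROXY_HOSTS = {"192.168.245.14"}

IPS_RE = re.compile(
    r"\[SID: (?P<sid>\d+)\] (?P<name>.+?) attack blocked\. "
    r"Traffic has been blocked for this application: (?P<app>.+)$"
)


def parse_event(line, proxies):
    """Split one log line into fields; return None for lines that are not IPS block events."""
    parts = line.split("\t", 2)
    if len(parts) != 3:
        return None
    stamp, remote, message = parts
    m = IPS_RE.match(message)
    if not m:
        return None
    return {
        "time": stamp,
        "remote": remote,
        "sid": int(m["sid"]),
        "name": m["name"],
        "app": m["app"],
        # When the remote host is the proxy, the client only ever saw the proxy,
        # so the originating site has to be looked up in the proxy's own log.
        "origin_masked_by_proxy": remote in proxies,
    }


def triage(log_text, proxies):
    """Return the parsed block events and a per-signature hit count."""
    events = [e for e in (parse_event(l, proxies) for l in log_text.splitlines()) if e]
    return events, Counter(e["sid"] for e in events)
```

A single signature ID firing repeatedly from several browsers against one proxy-masked host, as in the thread, is the pattern to check against the proxy log before treating it as an attack.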