Kerio User Forums » Kerio Control » Kerio security (About security log (RUSSIAN TEXT))
AlnXpr

Messages: 2
Karma: 0
Hello!

I want to share my experience.
I ran into a problem for which I could not find an explanation.
SECURITY.LOG:
[dd/mm/yyyy hh:mm:ss] IPS: Alert, severity: High, Rule ID: 1:2016897 ET TROJAN Possible Win32/Gapz MSIE 9 on Windows NT 5, proto:TCP, ip/port:0.0.0.0:65535 (MyPC, user:User<_at_>Domain.RU) -> 166.78.1.97:80 (www.kerio.com)

Where [dd/mm/yyyy hh:mm:ss] is the specific date and time; 0.0.0.0:65535 is the specific IP:port; MyPC and User<_at_>Domain.RU are the specific NetBIOS name and domain user account (for certain reasons I am not giving these parameters and present them in this general form).
So, this line from SECURITY.LOG shows that the Intrusion Prevention mechanism fired, namely that malicious code activity was noticed on the host MyPC with IP 0.0.0.0 under the account User<_at_>Domain.RU.
Here is the rule (line).
KERIO-HIGH-ALERT.RULES:
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Possible Win32/Gapz MSIE 9 on Windows NT 5"; flow:established,to_server; content:" MSIE 9.0|3b| Windows NT 5."; pcre:"/^User-Agent\x3a[^\r\n]+?\sMSIE\s9\.0\x3b\sWindows\sNT\s5\./Hmi"; threshold: type limit,track by_src,count 2,seconds 60; reference:url,windows.microsoft.com/en-us/internet-explorer/products/ie-9/system-requirements; classtype:trojan-activity; sid:2016897; rev:6;)

In my case the trigger is caused by the Opera browser when the User-Agent is changed. If you change the User-Agent from Opera to Firefox, it does not trigger, but if you change it to Internet Explorer, the Intrusion Prevention mechanism fires.

I hope this information was useful, thank you for your attention!

ICT and Me

Messages: 940

Karma: 53
Please in English otherwise others can't help you.

ICT and Me
Carlo Turk
The Netherlands
www.ictandme.nl
AlnXpr

Messages: 2
Karma: 0
Hello!

I want to share my experience.
I ran into a problem for which I could not find an explanation.
SECURITY.LOG:
[dd/mm/yyyy hh:mm:ss] IPS: Alert, severity: High, Rule ID: 1:2016897 ET TROJAN Possible Win32/Gapz MSIE 9 on Windows NT 5, proto:TCP, ip/port:0.0.0.0:65535 (MyPC, user:User<_at_>Domain.RU) -> 166.78.1.97:80 (www.kerio.com)

Where [dd/mm/yyyy hh:mm:ss] is the specific date and time; 0.0.0.0:65535 is the specific IP:port; MyPC and User<_at_>Domain.RU are the specific NetBIOS name and domain user account (for some reason I do not give these parameters, only this general form).
So, this line of SECURITY.LOG makes it clear that the intrusion prevention mechanism triggered, that is, malicious code activity was seen on the node MyPC with IP 0.0.0.0 under the account User<_at_>Domain.RU. Here is the rule (line).
KERIO-HIGH-ALERT.RULES:
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Possible Win32/Gapz MSIE 9 on Windows NT 5"; flow:established,to_server; content:" MSIE 9.0|3b| Windows NT 5."; pcre:"/^User-Agent\x3a[^\r\n]+?\sMSIE\s9\.0\x3b\sWindows\sNT\s5\./Hmi"; threshold: type limit,track by_src,count 2,seconds 60; reference:url,windows.microsoft.com/en-us/internet-explorer/products/ie-9/system-requirements; classtype:trojan-activity; sid:2016897; rev:6;)

In my case the trigger is due to the Opera browser, when the User-Agent is changed. If you change the User-Agent from Opera to Firefox, it will not trigger, but if you set it to Internet Explorer, the intrusion prevention mechanism triggers.

I hope that the information was useful, thank you for your attention!
(Forgive me for my English.)
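The rule quoted above keys on a User-Agent that claims Internet Explorer 9 on Windows NT 5.x (XP/2003), a combination IE9 never shipped for (the rule's reference URL points at IE9's system requirements), so anything that fabricates such a header, including Opera's "mask as Internet Explorer" identification, will trip it. The Python below, added here as an illustration and not code from the post, from Kerio or from Emerging Threats, re-implements the rule's content match, its PCRE over the HTTP header buffer (the `H` modifier) and its `threshold: type limit, track by_src, count 2, seconds 60` behaviour, then runs them over constructed requests. The User-Agent strings, IP addresses and timestamps are constructed samples; the Opera string is an assumption about what a masked Opera on XP sends, not a capture from the poster's machine.

```python
"""Matching logic of ET rule sid:2016897, rebuilt in pure Python (added example)."""
import re

# content:" MSIE 9.0|3b| Windows NT 5."   (|3b| is Snort/Suricata hex for ';')
# Without the nocase modifier this content match is case-sensitive, so the check is literal.
CONTENT = " MSIE 9.0; Windows NT 5."

# pcre:"/^User-Agent\x3a[^\r\n]+?\sMSIE\s9\.0\x3b\sWindows\sNT\s5\./Hmi"
# H = apply to the HTTP header buffer, m = '^' anchors at each header line, i = ignore case.
PCRE = re.compile(
    r"^User-Agent\x3a[^\r\n]+?\sMSIE\s9\.0\x3b\sWindows\sNT\s5\.",
    re.MULTILINE | re.IGNORECASE,
)


def headers_match(headers: str) -> bool:
    """Both conditions of sid:2016897 against one request's header block.

    The content match is the cheap fast-pattern gate; the PCRE then insists the
    string sits inside the User-Agent header rather than, say, a Referer.
    """
    return CONTENT in headers and PCRE.search(headers) is not None


class LimitThreshold:
    """threshold: type limit, track by_src, count N, seconds S.

    'limit' alerts on the first N matches from a source inside a window and
    suppresses the rest until the window expires, so a busy client produces
    at most N log lines per window instead of one per request.
    """

    def __init__(self, count=2, seconds=60):
        self.count, self.seconds = count, seconds
        self._state = {}  # src -> (window_start, hits)

    def should_alert(self, src, now):
        start, hits = self._state.get(src, (now, 0))
        if now - start >= self.seconds:  # window expired: start a fresh one
            start, hits = now, 0
        hits += 1
        self._state[src] = (start, hits)
        return hits <= self.count


def run_rule(requests, count=2, seconds=60):
    """Apply the rule to (timestamp, src_ip, header_block) tuples in time order.

    Returns the (timestamp, src_ip) pairs that would reach security.log.
    """
    threshold = LimitThreshold(count, seconds)
    alerts = []
    for ts, src, headers in sorted(requests, key=lambda r: r[0]):
        if headers_match(headers) and threshold.should_alert(src, ts):
            alerts.append((ts, src))
    return alerts


def build_request(user_agent):
    """Constructed HTTP/1.1 request to the host named in the logged alert."""
    return (
        "GET / HTTP/1.1\r\n"
        "Host: www.kerio.com\r\n"
        f"User-Agent: {user_agent}\r\n"
        "Accept: */*\r\n\r\n"
    )


# Constructed User-Agent samples (assumptions, not captures from the poster's PC).
UA_OPERA_MASK_IE = "Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 5.1; Opera 12.16)"
UA_OPERA_MASK_FF = "Mozilla/5.0 (Windows NT 5.1; rv:24.0) Gecko/20100101 Firefox/24.0"
UA_REAL_IE9_WIN7 = "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)"
UA_IE8_XP = "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)"

# Constructed traffic: one XP host masking as IE9 sends four requests, a second
# host one, a genuine IE9 on Windows 7 one. Timestamps are seconds, IPs placeholders.
SAMPLE_REQUESTS = [
    (0.0, "10.0.0.5", build_request(UA_OPERA_MASK_IE)),
    (1.0, "10.0.0.5", build_request(UA_OPERA_MASK_IE)),
    (2.0, "10.0.0.5", build_request(UA_OPERA_MASK_IE)),   # third hit in 60 s: suppressed
    (70.0, "10.0.0.5", build_request(UA_OPERA_MASK_IE)),  # new window: alerts again
    (1.5, "10.0.0.6", build_request(UA_OPERA_MASK_IE)),
    (3.0, "10.0.0.7", build_request(UA_REAL_IE9_WIN7)),   # NT 6.1: fails the content match
]

if __name__ == "__main__":
    for name, ua in [("Opera masked as IE", UA_OPERA_MASK_IE),
                     ("Opera masked as Firefox", UA_OPERA_MASK_FF),
                     ("real IE9 on Windows 7", UA_REAL_IE9_WIN7),
                     ("IE8 on XP", UA_IE8_XP)]:
        print(f"{name:24s} -> {'ALERT' if headers_match(build_request(ua)) else 'ok'}")
    print(run_rule(SAMPLE_REQUESTS))
```

Before treating a hit like this as an infection, compare the actual User-Agent the client sent (from a packet capture or any proxy/HTTP log that records it) with the rule's pattern: a genuine IE9 on Windows 7 fails the content match on "NT 6.1", while any client that presents "MSIE 9.0" together with "Windows NT 5." will match regardless of what is really running. The threshold only limits how often the same source is logged; it does not change what matches.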
ICT and Me

Messages: 940

Karma: 53
Don't worry about your English.
But this is a very normal thing. I don't use Opera, but now I understand the Trojan remark. Because Opera is acting like IE, and Opera isn't compatible with the requirements of IE, the signature that Opera is sending out isn't IE's. So it is marked as a Trojan by Control. Firefox and Opera do have the same signature and requirements, so those are not marked as a Trojan by Control.

Current Time: Sat Oct 21 21:18:27 CEST 2017