Kerio User Forums » Kerio Control » Prevention of attacks - blacklist source (Kerio Control blocks SSL certificate of correct page)
Ales
Hello,
This week my colleague said she could not open https://countrystores.vispronet.cz/, a site she is translating.
I found out that without the proxy I can reach the site, but through the proxy (Kerio Control) I no longer can. When I looked into the problem, I found this in my log:

[21/Jun/2017 13:44:23] IPS: Packet drop, severity: High, Rule ID: 1:2022535 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 193.158.223.11:443 (countrystores.vispronet.cz) -> 192.168.1.163:53752 (user: pdubska@interflag.local)

[21/Jun/2017 13:45:59] IPS: Packet drop, severity: High, Rule ID: 1:2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 193.158.223.11:443 (countrystores.vispronet.cz) -> 192.168.1.163:53801 (user: pdubska@interflag.local)

I contacted SachsenFahnen, but according to them the problem is on your side. I had to make an exception. I tried to find the database in which you found this SSL certificate (Dridex), but I did not find it on https://sslbl.abuse.ch/.
Can you check whether this is an error on your side, or can you send me the source in which you identified this SSL certificate as dangerous?

I sent this query to GFI two days ago, still without any response. :(

Thank you very much.

Aleš Ulrych

PS: I apologize for the degraded links; the Kerio forum will not allow me to post links. But you can adjust them. :)
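Added example, not Kerio/GFI code and not part of the original post: a small Python script that parses Kerio Control IPS log lines in the format quoted above, pulls out the Snort-style rule ID (gid:sid), the server address and the hostname in parentheses, and then checks a certificate's SHA-1 fingerprint against a local copy of the abuse.ch SSLBL CSV. The CSV column order (Listingdate,SHA1,Listingreason) follows the published SSLBL export; the blacklist rows and the second log line are constructed for the example, and the fingerprint looked up is the thumbprint reported later in this thread. The way to obtain that fingerprint yourself is shown in a comment.

```python
"""Cross-check a Kerio Control IPS 'ABUSE.CH SSL Blacklist' drop against a
local snapshot of the abuse.ch SSLBL.  Added example; not Kerio/GFI code."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Kerio Control security-log lines.  The first is the format quoted in the
# thread; the second is a constructed non-TLS alert to show the parser
# handles lines without a hostname in parentheses.
SAMPLE_LOG = """\
[21/Jun/2017 13:44:23] IPS: Packet drop, severity: High, Rule ID: 1:2022535 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 193.158.223.11:443 (countrystores.vispronet.cz) -> 192.168.1.163:53752 (user: pdubska@interflag.local)
[21/Jun/2017 13:45:59] IPS: Alert, severity: Medium, Rule ID: 1:2009700 ET VOIP Multiple Unauthorized SIP Responses 10.0.0.5:5060 -> 192.168.1.20:5060
"""

IP = r"\d{1,3}(?:\.\d{1,3}){3}"
LOG_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] IPS: (?P<action>Packet drop|Alert), "
    r"severity: (?P<sev>\w+), Rule ID: (?P<gid>\d+):(?P<sid>\d+) "
    r"(?P<msg>.+?) "                                   # rule message (lazy)
    rf"(?P<src>{IP}):(?P<sport>\d+)(?: \((?P<host>[^)]+)\))? -> "
    rf"(?P<dst>{IP}):(?P<dport>\d+)"
)


@dataclass
class IpsEvent:
    timestamp: str
    action: str
    severity: str
    gid: int
    sid: int
    message: str
    server: str                 # remote side, e.g. "193.158.223.11:443"
    server_name: Optional[str]  # hostname Kerio prints in parentheses, if any
    client: str                 # internal side, e.g. "192.168.1.163:53752"


def parse_ips_log(text: str) -> List[IpsEvent]:
    """Parse every line that matches the Kerio IPS log format; skip the rest."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        events.append(IpsEvent(
            m["ts"], m["action"], m["sev"], int(m["gid"]), int(m["sid"]),
            m["msg"], f"{m['src']}:{m['sport']}", m["host"],
            f"{m['dst']}:{m['dport']}"))
    return events


def sslbl_events(events: List[IpsEvent]) -> List[IpsEvent]:
    """Only the drops raised by the ET 'ABUSE.CH SSL Blacklist' rule family."""
    return [e for e in events if "ABUSE.CH SSL Blacklist" in e.message]


# abuse.ch SSLBL CSV export: "Listingdate,SHA1,Listingreason", '#' comments.
# The two rows below are CONSTRUCTED placeholders, not real blacklist data.
SAMPLE_SSLBL_CSV = """\
################################################################
# abuse.ch SSLBL Blacklist (CSV) -- constructed sample for this example
# Listingdate,SHA1,Listingreason
################################################################
2017-06-19 08:12:03,0000000000000000000000000000000000000001,Dridex C&C
2017-06-20 17:40:51,0000000000000000000000000000000000000002,Gozi MITM
"""


def normalize_fp(fp: str) -> str:
    """Accept 'AB:CD:..' (openssl style) or bare hex; compare lower-case bare hex."""
    return fp.replace(":", "").replace(" ", "").strip().lower()


def load_sslbl(csv_text: str) -> Dict[str, Tuple[str, str]]:
    """Map SHA-1 fingerprint -> (listing date, listing reason)."""
    listed = {}
    for line in csv_text.splitlines():
        if not line or line.startswith("#"):
            continue
        parts = line.split(",", 2)
        if len(parts) != 3:
            continue
        date, sha1, reason = parts
        listed[normalize_fp(sha1)] = (date, reason)
    return listed


def sslbl_lookup(listed: Dict[str, Tuple[str, str]], fingerprint: str):
    """Return (date, reason) if the certificate is listed, else None.

    Obtain the fingerprint of the live server certificate with, e.g.:
      openssl s_client -connect HOST:443 -servername HOST </dev/null 2>/dev/null \
        | openssl x509 -noout -fingerprint -sha1
    """
    return listed.get(normalize_fp(fingerprint))


if __name__ == "__main__":
    blocklist = load_sslbl(SAMPLE_SSLBL_CSV)
    # SHA-1 thumbprint reported for countrystores.vispronet.cz in this thread.
    seen_fp = "2C05DD551BE26FE51FE4B144AA2ED65396B8A044"
    for ev in sslbl_events(parse_ips_log(SAMPLE_LOG)):
        hit = sslbl_lookup(blocklist, seen_fp)
        verdict = f"listed: {hit[1]} ({hit[0]})" if hit else "not in local SSLBL snapshot"
        print(f"sid {ev.sid} {ev.server} ({ev.server_name}) <- {ev.client}: {verdict}")
```

A fingerprint that is absent from the SSLBL snapshot does not by itself prove the IPS rule wrong: the ET rules ship their own match data and the two sources can be out of step, which is exactly the discrepancy this thread is about. The point of the check is to give you the evidence to bring to the vendor rather than to replace the rule.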
ian.bugeja
Hi

The site countrystores.vispronet.cz over HTTPS is in fact using an invalid certificate.

Result from DigiCert's independent test:

DNS resolves countrystores.vispronet.cz to 193.158.223.11

HTTP Server Header: nginx

SSL certificate

Common Name = countrystores.vispronet.pl
Subject Alternative Names = countrystores.vispronet.cz, countrystores.vispronet.fr
Issuer = countrystores.vispronet.pl
Serial Number = 8831DAB75AA88234
SHA1 Thumbprint = 2C05DD551BE26FE51FE4B144AA2ED65396B8A044
Key Length = 2048
Signature algorithm = SHA256 + RSA (excellent)
Secure Renegotiation: Supported
SSL Certificate has not been revoked

OCSP Staple: Not Enabled
OCSP Origin: Not Enabled
CRL Status: Not Enabled

SSL Certificate expires soon

The primary SSL certificate expires on July 15, 2017 (19 days remaining)

Certificate Name matches countrystores.vispronet.cz


Subject countrystores.vispronet.pl
Valid from 15/Jun/2017 to 15/Jul/2017
Issuer countrystores.vispronet.pl
SSL Certificate is not trusted

The certificate is not signed by a trusted authority (checking against Mozilla's root store). If you bought the certificate from a trusted authority, you probably just need to install one or more Intermediate certificates. Contact your certificate provider for assistance doing this for your server platform.

Ian Bugeja
GFI Software
Ales
Yes, you are right, the SSL certificate is not trusted, but that is not the problem. Using certificates whose authority is not verified cannot always be wrong.

I myself use the certificate created by Kerio Connect to access e-mail, and I do not consider it an error for internal purposes (at work).

The problem here is that this certificate is blocked before the browser can notify me that the certificate is invalid (or its authority untrusted).

That is why I wanted to know which certificate database Kerio Control takes this defective entry from.
areichmann
Access is blocked (dropped) by the Kerio Control IPS: "IPS: Packet drop, severity: High, Rule ID: 1:2022535".

Sure, you can use Control to access a web page with a self-signed certificate ;)

Kerio IPS rules are pretty old ... so this seems to be a false positive.

See: http://forums.kerio.com/t/32669//

You can set up Control to ignore the IPS rule (at your own risk ;) ):

http://manuals.gfi.com/en/kerio/control/content/security/configuring-intrusion-prevention-system-1324.html

Configuring ignored intrusions
In some cases, legitimate traffic may be detected as an intrusion. If this happens, define an exception for the intrusion:
1. In the administration interface, go to the Security log.
2. Locate the log event indicating the filtered traffic. For example: "IPS: Alert, severity: Medium, Rule ID: 1:2009700 ET VOIP Multiple Unauthorized SIP Responses"
3. Copy the rule ID number.
4. In the administration interface, go to Intrusion Prevention.
5. Click Advanced.
6. In the Advanced Intrusion Prevention Settings dialog, click Add.
7. Paste the rule ID number and a description.
8. Click OK and Apply.
The legitimate traffic is allowed now.

[Updated on: Mon, 26 June 2017 17:34]
