Channel: Sophos User Bulletin Board

IPS blocking MSN Messenger login!?, misdetection

After several customers complained about MSN Messenger failing to work (and experiencing it on my network) with no explanation, because it wasn't a controlled application, I found this in the IPS log:
id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="drop" reason="POLICY-SOCIAL Microsoft MSN Messenger web login attempt" group="360" srcip="172.16.0.22" dstip="65.54.52.254" proto="6" srcport="49350" dstport="80" sid="16525" class="Potential Corporate Privacy Violation" priority="1" generator="1" msgid="0"

I'm sorry, but that's a load of BS. Why is IPS blocking blatantly NON-INTRUSION, NON-ATTACK traffic that should only be controlled by application control???

What's worse is that neither "policy social" nor "potential corporate privacy policy violation" are valid categories in the "ATTACK PATTERNS" of the IPS.
The closest is: "Attacks against Client Software" - "Messenger (AOL, MSN)",
and CLEARLY a service login IS NOT AN ATTACK :mad:

As it stands now, the best I can do is to disable IPS completely, as it's not working as intended and it's policing traffic that it has no business controlling. Who knows what other myriad of problems this IPS thing has caused me whose source I wasn't aware of...

Also, what's even worse is that I had a firewall rule allowing internal network - ALL - ALL, which made MSN work perfectly; the moment I disabled that rule (and only allowed web browsing ports from the internal network) is when IPS began this bad behaviour, which means that IPS is working wrong in TWO different aspects:
1) policing traffic it has no business touching
2) not detecting ANY pattern at all when it doesn't go to a web-browsing port (which is again BS, because an IPS should do deep-packet scanning on every packet against known patterns; so you're telling me that an MSN login is not an MSN login unless it goes through port 80? Ludicrous).

Also, as a stopgap I tried adding the rule id="2101" to the modified rules:
2101 [disabled]
and that setting is ignored completely...
The online help also points to an obsolete list: Astaro IPS Rules
which shows 2101 as an MS SMB attack and doesn't even have a "POLICY-SOCIAL" portion....
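Added example, not code from the original post or from Sophos: a small Python parser for the key="value" IPS log format quoted above. It splits the line into fields and filters for policy-style alerts (those whose class is "Potential Corporate Privacy Violation" or whose reason starts with "POLICY-"), so you can list which signatures are dropping non-attack traffic before touching IPS settings. It also reports the two different numbers the line carries, id="2101" and sid="16525", side by side; treating sid as the per-signature identifier and id as the log message type is my assumption here, not something the post states. The second sample line is constructed for contrast and is not a real signature; the POLICY_CLASSES set is likewise my own choice.

```python
import re
from typing import Dict, Iterable, List, Tuple

# Matches key="quoted value" or key=bare_value pairs as they appear in
# Sophos UTM / Astaro log lines.
_KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# First line is the one quoted in the post above. The second is CONSTRUCTED
# for this example (made-up sid, reason and destination) to show a non-policy
# alert being left alone; it is not a real Sophos signature.
SAMPLE_LOG = [
    'id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" '
    'action="drop" reason="POLICY-SOCIAL Microsoft MSN Messenger web login attempt" group="360" '
    'srcip="172.16.0.22" dstip="65.54.52.254" proto="6" srcport="49350" dstport="80" '
    'sid="16525" class="Potential Corporate Privacy Violation" priority="1" generator="1" msgid="0"',
    'id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" '
    'action="drop" reason="EXAMPLE-ATTACK constructed buffer overflow test" group="1" '
    'srcip="172.16.0.22" dstip="203.0.113.5" proto="6" srcport="49351" dstport="445" '
    'sid="9999999" class="Attempted Administrator Privilege Gain" priority="1" generator="1" msgid="0"',
]

# Alert classes that describe policy enforcement rather than an attack.
# Assumption for this example; extend as needed.
POLICY_CLASSES = {"Potential Corporate Privacy Violation"}


def parse_utm_line(line: str) -> Dict[str, str]:
    """Parse one key=value log line into a dict (quoted or bare values)."""
    fields: Dict[str, str] = {}
    for key, quoted, bare in _KV_RE.findall(line):
        # findall yields "" for the alternative that did not match
        fields[key] = bare if bare else quoted
    return fields


def alert_identifiers(fields: Dict[str, str]) -> Tuple[str, str]:
    """Return (log message id, signature id) so the two are not confused."""
    return fields.get("id", ""), fields.get("sid", "")


def is_policy_alert(fields: Dict[str, str]) -> bool:
    """True for IPS alerts that are policy rules, not attack signatures."""
    if fields.get("sub") != "ips":
        return False
    return (fields.get("class") in POLICY_CLASSES
            or fields.get("reason", "").startswith("POLICY-"))


def policy_alerts(lines: Iterable[str]) -> List[Dict[str, str]]:
    """Parse every line and keep only the policy-style IPS alerts."""
    return [f for f in map(parse_utm_line, lines) if is_policy_alert(f)]


def candidate_sids(lines: Iterable[str]) -> List[str]:
    """Sorted, de-duplicated signature ids of policy alerts that dropped traffic."""
    return sorted({f["sid"] for f in policy_alerts(lines)
                   if f.get("action") == "drop" and "sid" in f})


if __name__ == "__main__":
    for f in policy_alerts(SAMPLE_LOG):
        msg_id, sig_id = alert_identifiers(f)
        print(f"log id {msg_id} / signature sid {sig_id}: {f['reason']} "
              f"({f['srcip']}:{f['srcport']} -> {f['dstip']}:{f['dstport']})")
    print("candidate sids:", candidate_sids(SAMPLE_LOG))
```

Running it over a real UTM log (`grep 'sub="ips"' /var/log/ips.log`, for instance) gives the sid values to look up in the rule list, rather than the shared id value that every IPS alert line carries.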
