Since about 12-24 hours ago, we lost connection to one of our FTP sites.
Problem is IPS rules. If I create an exception for the site in IPS, traffic flows fine. If I remove it, the firewall is dropping outbound FTP traffic from that server, despite packet filter rules to allow it.
I am not receiving any notifications from the firewall regarding this.
Log shows: 2012:12:04-03:19:52 asg-lon-01 snort[7514]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="drop" reason="APP-DETECT failed FTP login attempt" group="242" srcip="10.0.44.27" dstip="192.168.3.30" proto="6" srcport="21" dstport="42558" sid="13360" class="Misc activity" priority="3" generator="1" msgid="0"
Presume that browser is attempting anonymous first? Then retrying with cached password?
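An added example, not part of the original post: a small Python parser for IPS log lines in the format quoted above, which groups dropped events by rule and FTP endpoint pair so that an exception can be scoped to one rule and one pair instead of the whole site. Treating the endpoint on TCP port 21 as the FTP server is an assumption, the function names are hypothetical, and the second and third sample lines are constructed.

```python
import re
from collections import Counter

# First line is the log entry quoted in the post; the other two are constructed.
SAMPLE_LOG = """\
2012:12:04-03:19:52 asg-lon-01 snort[7514]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="drop" reason="APP-DETECT failed FTP login attempt" group="242" srcip="10.0.44.27" dstip="192.168.3.30" proto="6" srcport="21" dstport="42558" sid="13360" class="Misc activity" priority="3" generator="1" msgid="0"
2012:12:04-03:19:55 asg-lon-01 snort[7514]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="drop" reason="APP-DETECT failed FTP login attempt" group="242" srcip="10.0.44.27" dstip="192.168.3.30" proto="6" srcport="21" dstport="42561" sid="13360" class="Misc activity" priority="3" generator="1" msgid="0"
2012:12:04-03:20:10 asg-lon-01 snort[7514]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="alert" reason="constructed example rule" group="0" srcip="192.0.2.10" dstip="192.0.2.20" proto="6" srcport="40000" dstport="80" sid="0" class="Misc activity" priority="3" generator="1" msgid="0"
"""

HEADER = re.compile(r'^(?P<time>\S+) (?P<host>\S+) (?P<proc>[\w-]+)\[(?P<pid>\d+)\]: ')
FIELD = re.compile(r'(\w+)="([^"]*)"')

def parse_line(line):
    """Return header and key="value" fields as a dict, or None for other lines."""
    m = HEADER.match(line)
    if not m:
        return None
    event = m.groupdict()
    event.update(FIELD.findall(line[m.end():]))
    return event

def ftp_control_side(event):
    """Return (server, client, direction), assuming port 21 marks the server."""
    if event.get("proto") != "6":  # only TCP carries the FTP control channel
        return None
    if event["srcport"] == "21":
        return event["srcip"], event["dstip"], "server->client"
    if event["dstport"] == "21":
        return event["dstip"], event["srcip"], "client->server"
    return None

def summarize_ips_drops(text):
    """Count dropped IPS events per (sid, reason, server, client, direction)."""
    counts = Counter()
    for line in text.splitlines():
        event = parse_line(line)
        if not event or event.get("sub") != "ips" or event.get("action") != "drop":
            continue
        side = ftp_control_side(event) or (event["srcip"], event["dstip"], "n/a")
        counts[(event["sid"], event["reason"]) + side] += 1
    return counts

if __name__ == "__main__":
    for key, n in summarize_ips_drops(SAMPLE_LOG).most_common():
        print(n, *key, sep=" | ")
```

For the quoted entry the source port is 21, so the dropped packet is one travelling from the FTP control port towards the client.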