Old 12-20-2011, 01:51 PM   #1 (permalink)
Newbie
 
Join Date: Dec 2011
Posts: 3
IP preventing a website revision upload..

Installed a new Untangle 9.1 box at a client last week. They called today saying they could not upload a revision to their website. They tried IE and Chrome; both did not work. I logged in and disabled IP and it worked. Found the following in the IP logs:

Source: IP address of Internal Computer
Blocked: true
Rule description: "cross site scripting attempt"
Dest: IP address of their externally hosted web server

The code they were updating was only 4 lines long. Not sure if that caused it or if the upload the site uses causes it. Any ideas? I do not see rule IDs listed in the log, which makes finding the rule in Untangle fun to say the least.

Here’s the code:

Never mind, I have less than five posts, so in their infinite wisdom, Untangle does not allow code or code containing links in posts. So I hope that's not the specific problem.

The error they get while trying is:

Error 324 (net::ERR_EMPTY_RESPONSE): The server closed the connection without sending any data.

Anyone have ideas as to the cause or the solution? If disabling a rule, what's the easiest way to find it? Is there a way to instead bypass IP for the IP address of their webserver only?

Thanks!
CasualObserver is offline  
Old 12-20-2011, 04:16 PM   #2 (permalink)
Untangle Ninja
 
Join Date: Nov 2008
Location: Westerville, Ohio, USA
Posts: 1,021

You could create a bypass rule for the source IP and the destination IP address as a possible solution. Another possibility would be to FTP the file up (assuming this is possible). I don't think that the code caused the issue, it looks like it was just a false alarm within Untangle. I think that Dirk mentioned an issue with the rule ID not being displayed which has been resolved internally but I can't seem to find that post.
__________________
Dan

You may one day find something interesting here. Today is not that day. Tomorrow isn't looking too good either.
dbunyard is offline  
Old 12-20-2011, 06:27 PM   #3 (permalink)
Newbie
 
Join Date: Dec 2011
Posts: 3

This is happening when someone internally tries to update an external web server. Any idea where and how I might create a rule for that?

The firewall is not blocking any traffic from going out except for port 25 for SMTP from the workstations.

Which module would I need to make the rule in and how might I go about it? It is a normal webpage for the update so should be port 80, but not sure port number for the incoming responses from the server back.

I would prefer not to totally disable the Intrusion Prevention completely.

Thanks again!

Last edited by CasualObserver; 12-20-2011 at 08:04 PM..
CasualObserver is offline  
Old 12-20-2011, 07:44 PM   #4 (permalink)
Untangle Ninja
 
Join Date: Apr 2008
Location: Phoenix, AZ
URLs submitted: 8
Posts: 15,457

The Intrusion Prevention module is exactly what it is. However, IPS by its nature is full of false positives and edge cases that make deploying an IPS a labor intensive decision. It isn't "good" or "bad" that the rule in question is being triggered. It is up to you as an admin to decide how you want to handle this event. The IPS module is not going to stop rogue anti-malware applications, that isn't its purpose.

If you wish to continue using the module you have three choices assuming you wish to enable the functionality that is currently broken.

1.) Create a bypass rule that exempts traffic destined for the server in question from being filtered.
2.) Disable the rule in the IPS module that is causing the issue.
3.) Use the policy manager to route the traffic into a rack specially configured to not use that particular test when things are bound for that particular server.
__________________
Rob Sandling, BS:SWE, MCP
Intouch Technology
Phone: 480-272-9889
rob@intouchtechllc.com

UntangleAppliances.com
Phone: 866-794-8879
sky-knight is offline  
Old 12-20-2011, 08:06 PM   #5 (permalink)
Newbie
 
Join Date: Dec 2011
Posts: 3

Quote:
Originally Posted by sky-knight

1.) Create a bypass rule that exempts traffic destined for the server in question from being filtered.
2.) Disable the rule in the IPS module that is causing the issue.
3.) Use the policy manager to route the traffic into a rack specially configured to not use that particular test when things are bound for that particular server.
Thanks, this is the kind of reply I was looking for. Where in Untangle would I create a rule for preferably #1 or possibly #3? Trying to get my head around the way / order in which Untangle routes information through the racks.

I believe excluding this external server IP from the policies would be the best at this point.
CasualObserver is offline  
Old 12-20-2011, 11:04 PM   #6 (permalink)
Untangle Junkie
 
Join Date: Nov 2006
Location: San Mateo, CA
URLs submitted: 10
Posts: 10,613

config->networking->advanced->bypass rules is for #1.
For #3, look under the "policy manager" settings.
For #2, you need to find the rule ID, which will be easy once 9.1.1 comes out, as it will be listed in the event log.

Also worth a read:
http://forums.untangle.com/intrusion...ion-9-0-a.html
__________________
Attention: Support and help on the Untangle Forums is provided by
volunteers and community members like yourself.
If you need Untangle support please call or email support@untangle.com
dmorris is online now  
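The evaluation order that option #1 relies on (a source/destination bypass rule is checked before the IPS signatures ever see the payload) is easy to misjudge, and so is how narrow a bypass should be. The following Python model is an added illustration, not Untangle's or Snort's code: it uses a single toy content-match standing in for the "cross site scripting attempt" signature, a benign constructed site update containing an ordinary `<script src=...>` include, and documentation-range placeholder addresses (192.0.2.x for the internal workstation, 203.0.113.5 for the hosted web server) in place of the thread's real ones. The log dict it returns mirrors the Source / Blocked / Rule description / Dest fields from the first post.

```python
"""Toy model of an IPS false positive on a web-page upload and of a
source/destination bypass rule that exempts only that flow.

Constructed example for this thread; not Untangle's own logic or rule set.
Assumption: bypass rules are evaluated before any IPS signature, as option #1
in the thread implies.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional


@dataclass
class BypassRule:
    source: ipaddress.IPv4Network
    dest: ipaddress.IPv4Network
    dest_port: Optional[int] = None  # None = any port


@dataclass
class Flow:
    src: str
    dst: str
    dport: int
    payload: bytes


# One toy signature standing in for the "cross site scripting attempt" rule:
# a case-insensitive content match on the request. Real IPS rules are far
# more specific, but the failure mode is the same: legitimate HTML being
# uploaded by the site owner looks like the thing the rule describes.
SIGNATURES = {
    "cross site scripting attempt": re.compile(rb"<script[\s>]|javascript:", re.I),
}

# Constructed site update: 4 harmless lines with an ordinary script include.
UPLOAD_BODY = (
    b"POST /admin/save.php HTTP/1.1\r\nHost: www.example.com\r\n\r\n"
    b"<div id='news'>Holiday hours: closed Dec 25</div>\n"
    b"<script src='/js/menu.js'></script>\n"
)


def make_rule(src_cidr: str, dst_cidr: str, port: Optional[int] = None) -> BypassRule:
    """Build a bypass rule from CIDR strings (a /32 pins a single host)."""
    return BypassRule(ipaddress.ip_network(src_cidr), ipaddress.ip_network(dst_cidr), port)


def matches_bypass(flow: Flow, rules: list) -> bool:
    src = ipaddress.ip_address(flow.src)
    dst = ipaddress.ip_address(flow.dst)
    return any(
        src in r.source and dst in r.dest and (r.dest_port is None or r.dest_port == flow.dport)
        for r in rules
    )


def inspect(flow: Flow, rules: list) -> dict:
    """Return a log-style record: bypass decision first, then signature match."""
    record = {"source": flow.src, "dest": flow.dst}
    if matches_bypass(flow, rules):
        return {**record, "blocked": False, "reason": "bypassed"}
    for description, pattern in SIGNATURES.items():
        if pattern.search(flow.payload):
            return {**record, "blocked": True, "rule description": description}
    return {**record, "blocked": False, "reason": "no signature match"}


if __name__ == "__main__":
    upload = Flow("192.0.2.10", "203.0.113.5", 80, UPLOAD_BODY)
    print("no bypass:   ", inspect(upload, []))
    narrow = [make_rule("192.0.2.0/24", "203.0.113.5/32", 80)]
    print("with bypass: ", inspect(upload, narrow))
    # The same upload to a different host is still inspected and still blocked.
    elsewhere = Flow("192.0.2.10", "198.51.100.7", 80, UPLOAD_BODY)
    print("other host:  ", inspect(elsewhere, narrow))
```

The point of the third case is that a bypass scoped to the one hosted server (and, here, to port 80) restores the upload without turning off inspection for everything else, which is what the poster wanted over disabling the whole module.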
© 2010 Untangle, Inc. All Rights Reserved.