Gregg Hill
Posted June 2, 2020

Hello!

I just tried to check my Nitro Pro application's availability for upgrade and it fails to load the upgrade page (I get a blank page), showing this Intrusion Prevention error in my WatchGuard firewall’s traffic monitor.

“signature_name="WEB-CLIENT Javascript Obfuscation in Exploit Kits - 12 (Ransomware Attack Vector)"”

Full line where it shows the problem (I obfuscated my real serial number):

2020-06-01 17:51:37 Deny src_ip=192.168.16.193 dst_ip=104.16.242.229 pr=https/tcp src_port=58534 dst_port=443 src_intf=1-VLAN1-PrivateLAN dst_intf=0-External msg=ProxyDeny: HTTP body IPS match pckt_len= ttl= policy=(HTTPS-proxy-Mgmt-Office.Out-00) proxy_action=HTTP-Client.Mgmt-DPI proc_id="http-proxy" rc="595" msg_id="1AFF-0026" proxy_act="HTTP-Client.Mgmt-DPI" reason="" signature_id="1131148" severity="4" signature_name="WEB-CLIENT Javascript Obfuscation in Exploit Kits - 12 (Ransomware Attack Vector)" signature_cat="Exploits" sig_vers="18.094" host="store.gonitro.com" path="/304/purl-Pro13Upgrade?x-serial=234611121179123456" geo_dst="USA" Traffic

If I try to go to store.gonitro.com by itself, there is no issue. I cannot check the page source when it fails because it’s a blank page.

How can I tell if this is a real IPS hit or a false-positive?

Gregg
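Added example, not part of the original post and not WatchGuard code: a Python parser that splits a traffic-monitor line like the one quoted above into fields, masks query-string values before the line is shared, and counts IPS denies per signature ID, signature-set version, host and path. The field grammar is inferred from that single line, and the function names are hypothetical.

```python
import re
from collections import Counter
from urllib.parse import urlsplit, parse_qsl, urlencode

# A value is either "quoted" or bare text running up to the next key= (or end of line).
FIELD = re.compile(r'(?<!\S)(\w+)=(?:"([^"]*)"|(.*?)(?=\s+\w+=|\s*$))')
HEADER = re.compile(r'^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) (\w+) ')

def parse_line(line):
    """Split one traffic-monitor line into a dict; None if it has no timestamp/action."""
    head = HEADER.match(line)
    if not head:
        return None
    fields = {"time": head.group(1), "action": head.group(2)}
    for m in FIELD.finditer(line, head.end()):
        fields[m.group(1)] = m.group(2) if m.group(2) is not None else m.group(3)
    return fields

def mask_query(path):
    """Keep query parameter names but hide their values (serials, tokens)."""
    parts = urlsplit(path)
    names = [(k, "REDACTED") for k, _ in parse_qsl(parts.query, keep_blank_values=True)]
    return parts.path + ("?" + urlencode(names) if names else "")

def ips_hits(lines):
    """Count IPS denies per (signature_id, sig_vers, host, path without query)."""
    hits = Counter()
    for f in filter(None, map(parse_line, lines)):
        if f["action"] == "Deny" and "signature_id" in f:
            key = (f["signature_id"], f.get("sig_vers"), f.get("host"), urlsplit(f.get("path", "")).path)
            hits[key] += 1
    return hits

# The log line from the post above (the poster had already altered the serial).
SAMPLE = (
    '2020-06-01 17:51:37 Deny src_ip=192.168.16.193 dst_ip=104.16.242.229 pr=https/tcp '
    'src_port=58534 dst_port=443 src_intf=1-VLAN1-PrivateLAN dst_intf=0-External '
    'msg=ProxyDeny: HTTP body IPS match pckt_len= ttl= policy=(HTTPS-proxy-Mgmt-Office.Out-00) '
    'proxy_action=HTTP-Client.Mgmt-DPI proc_id="http-proxy" rc="595" msg_id="1AFF-0026" '
    'proxy_act="HTTP-Client.Mgmt-DPI" reason="" signature_id="1131148" severity="4" '
    'signature_name="WEB-CLIENT Javascript Obfuscation in Exploit Kits - 12 (Ransomware Attack Vector)" '
    'signature_cat="Exploits" sig_vers="18.094" host="store.gonitro.com" '
    'path="/304/purl-Pro13Upgrade?x-serial=234611121179123456" geo_dst="USA" Traffic'
)

if __name__ == "__main__":
    f = parse_line(SAMPLE)
    print(f["signature_id"], f["sig_vers"], f["host"], mask_query(f["path"]))
    print(dict(ips_hits([SAMPLE])))
```

Fed a saved traffic-monitor export, `ips_hits` shows how narrowly a signature is firing, and `mask_query` gives a path that can be posted without the serial.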