Possible threat on your web site?


Gregg Hill

Hello!

I just tried to check my Nitro Pro application's availability for upgrade and it fails to load the upgrade page (I get a blank page), showing this Intrusion Prevention error in my WatchGuard firewall’s traffic monitor.

“signature_name="WEB-CLIENT Javascript Obfuscation in Exploit Kits - 12 (Ransomware Attack Vector)"”

Full line where it shows the problem (I obfuscated my real serial number):

2020-06-01 17:51:37 Deny src_ip=192.168.16.193 dst_ip=104.16.242.229 pr=https/tcp src_port=58534 dst_port=443 src_intf=1-VLAN1-PrivateLAN dst_intf=0-External msg=ProxyDeny: HTTP body IPS match pckt_len= ttl= policy=(HTTPS-proxy-Mgmt-Office.Out-00) proxy_action=HTTP-Client.Mgmt-DPI proc_id="http-proxy" rc="595" msg_id="1AFF-0026" proxy_act="HTTP-Client.Mgmt-DPI" reason="" signature_id="1131148" severity="4" signature_name="WEB-CLIENT Javascript Obfuscation in Exploit Kits - 12 (Ransomware Attack Vector)" signature_cat="Exploits" sig_vers="18.094" host="store.gonitro.com" path="/304/purl-Pro13Upgrade?x-serial=234611121179123456" geo_dst="USA" Traffic

If I try to go to store.gonitro.com by itself, there is no issue. I cannot check the page source when it fails because it’s a blank page.

How can I tell if this is a real IPS hit or a false-positive?

Gregg
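
Added example, not part of the original post: a parser for the key=value traffic-monitor line quoted above. It extracts the signature ID, host and path, then counts IPS denies per signature and URL, so it is easy to see whether the signature fires on one page or across the site. The function names are hypothetical, and the field syntax is inferred only from the single line shown in the post.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Line copied from the post (serial number already obfuscated by the poster).
SAMPLE = (
    '2020-06-01 17:51:37 Deny src_ip=192.168.16.193 dst_ip=104.16.242.229 '
    'pr=https/tcp src_port=58534 dst_port=443 src_intf=1-VLAN1-PrivateLAN '
    'dst_intf=0-External msg=ProxyDeny: HTTP body IPS match pckt_len= ttl= '
    'policy=(HTTPS-proxy-Mgmt-Office.Out-00) proxy_action=HTTP-Client.Mgmt-DPI '
    'proc_id="http-proxy" rc="595" msg_id="1AFF-0026" '
    'proxy_act="HTTP-Client.Mgmt-DPI" reason="" signature_id="1131148" '
    'severity="4" signature_name="WEB-CLIENT Javascript Obfuscation in Exploit '
    'Kits - 12 (Ransomware Attack Vector)" signature_cat="Exploits" '
    'sig_vers="18.094" host="store.gonitro.com" '
    'path="/304/purl-Pro13Upgrade?x-serial=234611121179123456" '
    'geo_dst="USA" Traffic'
)

# Assumed syntax: key="quoted value", or key=bare value (may contain spaces or
# be empty) that runs until the next " key=" token or the end of the line.
FIELD = re.compile(r'(?<!\S)(\w+)=(?:"([^"]*)"(?=\s|$)|(.*?)(?=\s+\w+=|\s*$))')

def parse_line(line):
    """Return the key=value fields of one traffic-monitor line as a dict."""
    fields = {}
    for key, quoted, bare in FIELD.findall(line):
        fields[key] = quoted or bare
    return fields

def ips_key(fields):
    """(signature_id, host, path without query) for grouping IPS denies."""
    path = urlsplit(fields.get("path", "")).path
    return fields.get("signature_id"), fields.get("host"), path

def count_ips_hits(lines):
    """Count IPS matches per signature/host/path across many log lines."""
    hits = Counter()
    for line in lines:
        fields = parse_line(line)
        if "signature_id" in fields:
            hits[ips_key(fields)] += 1
    return hits

if __name__ == "__main__":
    for key, n in count_ips_hits([SAMPLE]).items():
        print(n, key)
```

Dropping the query string in `ips_key` keeps per-user values such as the serial number out of the grouped output.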
 
