Jump to content
Gregg Hill

Possible threat on your web site?

Recommended Posts

Gregg Hill

Hello!

I just tried to check my Nitro Pro application's availability for upgrade and it fails to load the upgrade page (I get a blank page), showing this Intrusion Prevention error in my WatchGuard firewall’s traffic monitor.

“signature_name="WEB-CLIENT Javascript Obfuscation in Exploit Kits - 12 (Ransomware Attack Vector”

Full line where it shows the problem (I obfuscated my real serial number):

2020-06-01 17:51:37 Deny src_ip=192.168.16.193 dst_ip=104.16.242.229 pr=https/tcp src_port=58534 dst_port=443 src_intf=1-VLAN1-PrivateLAN dst_intf=0-External msg=ProxyDeny: HTTP body IPS match pckt_len= ttl= policy=(HTTPS-proxy-Mgmt-Office.Out-00) proxy_action=HTTP-Client.Mgmt-DPI proc_id="http-proxy" rc="595" msg_id="1AFF-0026" proxy_act="HTTP-Client.Mgmt-DPI" reason="" signature_id="1131148" severity="4" signature_name="WEB-CLIENT Javascript Obfuscation in Exploit Kits - 12 (Ransomware Attack Vector)" signature_cat="Exploits" sig_vers="18.094" host="store.gonitro.com" path="/304/purl-Pro13Upgrade?x-serial=234611121179123456" geo_dst="USA" Traffic

If I try to go to store.gonitro.com by itself, there is no issue. I cannot check the page source when it fails because it’s a blank page.

How can I tell if this is a real IPS hit or a false-positive?

Gregg
 

Share this post


Link to post
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.
Note: Your post will require moderator approval before it will be visible.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.


×
×
  • Create New...

Important Information

By using this site, you agree to our Terms of Use.