[Solved] IPS alert on Traffic Originating/Src IPFire Red0

General questions.
cbrown
Posts: 41
Joined: December 29th, 2017, 11:54 pm
Location: Texas

[Solved] IPS alert on Traffic Originating/Src IPFire Red0

Post by cbrown » May 19th, 2019, 12:51 pm

The IPS is alerting about every hour on traffic with the source being my IPFire box’s red0 address going to 208.70.186.167. This target address appears to be an ISP, M&A Technology Inc, but this is not someone with which I knowingly have any relationship.

The Emerging Threats rule firing is:
ET POLICY libwww-perl User-Agent
Attempted Information Leak
https://doc.emergingthreats.net/2013030

Would any of you know why my IPFire box would be originating traffic going to the target address?

Thanks,
cbrown
cbrown
Posts: 41
Joined: December 29th, 2017, 11:54 pm
Location: Texas

Re: [Solved] IPS alert on Traffic Originating/Src IPFire Red0

Post by cbrown » May 20th, 2019, 2:42 pm

The target site appears to be the repository for "The CINS Army List" timfprogs/ipfblocklist feature.

TimF: if I'm wrong here, please reply.

thx
TimF
Posts: 83
Joined: June 10th, 2017, 7:27 pm

Re: [Solved] IPS alert on Traffic Originating/Src IPFire Red0

Post by TimF » May 20th, 2019, 8:45 pm

It does appear to be the facility that hosts cinsscore.com, and that blocklist is downloaded with libwww-perl.

It should be harmless to disable this rule.
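
Added example, not code from the thread or from the IPFire project: rather than disabling the rule outright, a defender can triage these alerts by the full (rule, source, destination) tuple and suppress only the known-good combination. The script below parses Suricata/Snort-style fast.log lines (the log format is an assumption), marks an alert "expected" only when SID 2013030 fires from the red0 address toward the blocklist host named in the thread, and emits a Suricata threshold.config `suppress` line scoped to that destination. The red0 address, the 203.0.113.5 and 192.168.1.20 hosts, and the log lines themselves are constructed sample data.

```python
import re
from ipaddress import ip_address

# Assumptions for this example (not from the IPFire project):
RED0_IP = "198.51.100.10"             # constructed red0 address (TEST-NET-2)
BLOCKLIST_HOSTS = {"208.70.186.167"}  # address named in the thread (cinsscore.com host)
EXPECTED_SIDS = {2013030}             # ET POLICY libwww-perl User-Agent

# Suricata/Snort fast.log record, e.g.
# <ts>  [**] [gid:sid:rev] <msg> [**] [Classification: ...] [Priority: n] {PROTO} src:port -> dst:port
FAST_LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.*?)\s+\[\*\*\].*?\{(?P<proto>\w+)\}\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)\s*$"
)

# Constructed sample log: one expected fetch, one same-rule hit toward an unknown
# destination, one hit from a LAN host instead of red0, and one non-record line.
SAMPLE_FAST_LOG = """\
05/19/2019-12:51:03.123456  [**] [1:2013030:7] ET POLICY libwww-perl User-Agent [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 198.51.100.10:45678 -> 208.70.186.167:80
05/19/2019-13:51:07.000001  [**] [1:2013030:7] ET POLICY libwww-perl User-Agent [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 198.51.100.10:45690 -> 203.0.113.5:80
05/19/2019-14:02:11.000002  [**] [1:2013030:7] ET POLICY libwww-perl User-Agent [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.168.1.20:51000 -> 208.70.186.167:80
this line is not a fast.log record and is skipped
"""


def parse_fast_log_line(line):
    """Return a dict of fields for one fast.log record, or None if it does not parse."""
    m = FAST_LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["sid"] = int(rec["sid"])
    return rec


def triage(alert, red0_ip=RED0_IP, blocklist_hosts=BLOCKLIST_HOSTS):
    """'expected' only when rule, source and destination all match the known fetch."""
    if (alert["sid"] in EXPECTED_SIDS
            and alert["src"] == red0_ip
            and alert["dst"] in blocklist_hosts):
        return "expected"
    return "investigate"


def triage_log(text):
    """Parse every line of a fast.log dump and attach a verdict to each record."""
    results = []
    for line in text.splitlines():
        rec = parse_fast_log_line(line)
        if rec is None:
            continue
        rec["verdict"] = triage(rec)
        results.append(rec)
    return results


def suppress_rule(sid, dst_ip):
    """Suricata threshold.config line that silences `sid` only toward `dst_ip`."""
    ip_address(dst_ip)  # raises ValueError rather than emitting a malformed line
    return f"suppress gen_id 1, sig_id {sid}, track by_dst, ip {dst_ip}"


if __name__ == "__main__":
    for rec in triage_log(SAMPLE_FAST_LOG):
        print(f"{rec['ts']} sid={rec['sid']} {rec['src']} -> {rec['dst']}: {rec['verdict']}")
    print(suppress_rule(2013030, "208.70.186.167"))
```

The point of the narrow suppression is that the same rule still fires if libwww-perl traffic from red0 ever goes anywhere other than the blocklist host, or if a LAN client starts using that user agent, which is exactly the case a global disable or a plain address whitelist would hide.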

cbrown
Posts: 41
Joined: December 29th, 2017, 11:54 pm
Location: Texas

Re: [Solved] IPS alert on Traffic Originating/Src IPFire Red0

Post by cbrown » May 20th, 2019, 9:25 pm

I whitelisted the address.

thx