Intelligent IPS

Some time ago, I have informed my colleague to report an issue that URL request to retrieve Awstats of one domain has been blocked by Intrusion Prevention System (IPS) of the Data Center, because I don’t see my request is received by web server. For example, http://192.168.123.123/awstats/cgi-bin/awstats.pl?config=[DOMAIN NAME] , as long as your domain name contains the word “system”, then your request is blocked.

This is their first reply (I just copied and pasted here) from the Data Center Support:

I beleive this is application issue and something to do at your end/server, please check. All your IP able to ping, we didnt block anything sort of application.

OK, fine, usual reply. We know he is one of those high position technical members, we tried to clarify that with few URLs with explanation, then his next reply:

I’ve checked already at my IPS. Your application hit one of our filter and has been blocked, pls refer below filter description

Severity : Critical
Description : This filter detects an attempt to exploit an input validation vulnerability present in the AWStats log analyzer. If successfully exploited, and attacker could execute arbitrary code on the affected web server.

Great, just as what I have suspected. So, I have replied him this is most probably a false positive, is it possible to disable the signature, or improve the signature? But I got a reply:

The IPS block a valid request, thats mean there is a vulnerability with your AWStats.

WTF? Does that mean their IPS is so intelligent and it can detect the latest Awstats version installation has a vulnerability? I have requested them to provide the full packets detail, which shows I am trying to do arbitrary code execution or maybe I can inform Awstats on the “vulnerability”.

Finally he replied:

Pls find the attachment a log from our IPS (It contains a few lines of successful URL blocking, with source and destination IP, severality, hits, that’s all). However we will consult with our vendor to determine the ’signature’ from our IPS.

I think I need to wait at least for a few weeks before get this resolved.

Tags: , ,

2 Responses to “Intelligent IPS”

  1. possible Says:

    I think its possible. Assume that the old version, which has a bug gets the input variables via post of 2 variables,lets call them as username_ and password_. so if the url matches and if those two variables also passes into that url, its normal that the ips may block…check if the awstat is really vulnerable or not. than continue to forcing the ips guy to do his job. you can also ask him to disable the signature.

  2. GuTi Says:

    Hi, they should not assume when the IPS blocks the request means the application is vulnerable, this is totally wrong. Human makes the decision, not machine.

    This is just like they ask users to update server software and applications to prevent DDOS in their report.

    Enabling signature that drops traffic without knowing what is running in the network just makes me sick.

Leave a Reply