Endpoint is sending http requests to ESET with cleartext password?


OlafB
Solved by bitfiddler

For the last day, our firewall IPS has been generating a LOT of Snort IPS (Intrusion Prevention System) warnings about passwords being sent out in cleartext/plaintext over the firewall to ESET servers.

SNORT ID below

SID: 2012870    ET POLICY HTTP Outbound Request contains pw

This has caused all of the Endpoint clients (in ESET PROTECT console) to report failed update/cannot reach ESET update servers.

This warning has not happened previously, and the SNORT rule isn't a new one. 

Has anyone else seen this? 


OK thanks, so we disabled the SNORT rule SID: 2012870 and updates are working again for now.

For a long term solution we will create a firewall rule to bypass IPS to all ESET update server IP addresses listed in:

https://support.eset.com/en/kb332-ports-and-addresses-required-to-use-your-eset-product-with-a-third-party-firewall#EPNS

especially the IPs listed under the sections:

To download detection engine updates:

To download pico updates:


  • Solution

There is a text editing error in the rule changed on 12/12/2023 in file emerging-policy.rules for SID: 2012870. The content field is the error.

WAS: content:"pw|3a| ";

NOW: content:"|0d 0a|";

The NOW state is simply carriage return and line feed and is the source for all the false positives being seen on this rule.  

Please, somebody who knows how to report this to appropriate people do so. I'm a NOOB and ignorant.  

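The difference between the two `content` values quoted in the solution above, shown as an added example that is not part of the original thread: it decodes each Snort content string to bytes and tests it against two constructed HTTP requests. It models only the raw substring match (no rule modifiers or HTTP buffers), and the hostnames, paths and sample password are made up.

```python
# Added example: models only Snort's `content` substring match, ignoring
# modifiers such as nocase, depth or HTTP buffer selection.

def decode_content(pattern: str) -> bytes:
    """Convert a Snort content string (text with |hex| runs) to raw bytes."""
    out = bytearray()
    hex_run = ""
    in_hex = False
    i = 0
    while i < len(pattern):
        ch = pattern[i]
        if ch == "|":
            if in_hex:                      # closing pipe: flush the hex bytes
                out += bytes.fromhex(hex_run)
                hex_run = ""
            in_hex = not in_hex
        elif in_hex:
            hex_run += ch                   # spaces between bytes are allowed
        elif ch == "\\" and i + 1 < len(pattern):
            i += 1                          # escaped literal such as \" or \;
            out += pattern[i].encode("latin-1")
        else:
            out += ch.encode("latin-1")
        i += 1
    if in_hex:
        raise ValueError("unterminated |hex| run in content pattern")
    return bytes(out)

def matching_requests(pattern: str, requests: dict) -> list:
    """Return the names of the requests whose raw bytes contain the pattern."""
    needle = decode_content(pattern)
    return [name for name, raw in requests.items() if needle in raw]

# Constructed sample traffic (not captured from any real product).
SAMPLES = {
    "update_check": b"GET /example/update HTTP/1.1\r\n"
                    b"Host: update.example.invalid\r\n\r\n",
    "cleartext_pw": b"POST /login HTTP/1.1\r\nHost: app.example.invalid\r\n"
                    b"Content-Length: 11\r\n\r\npw: hunter2",
}
WAS = 'pw|3a| '   # content value quoted in the thread as the previous state
NOW = '|0d 0a|'   # content value quoted in the thread as the current state

if __name__ == "__main__":
    for label, pat in (("WAS", WAS), ("NOW", NOW)):
        print(label, decode_content(pat), matching_requests(pat, SAMPLES))
```

Because every HTTP request line and header ends in CRLF, the NOW pattern matches any request, which is consistent with the flood of alerts on ordinary update traffic.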
