
Endpoint is sending http requests to ESET with cleartext password?


OlafB
Solved by bitfiddler

For the last day our firewall IPS has been generating a LOT of Snort IPS (Intrusion Prevention System) warnings about passwords being sent out in cleartext/plaintext over the firewall to ESET servers.

SNORT ID below

SID: 2012870    ET POLICY HTTP Outbound Request contains pw

This has caused all of the Endpoint clients (in ESET PROTECT console) to report failed update/cannot reach ESET update servers.

This warning has not happened previously, and the SNORT rule isn't a new one. 

Has anyone else seen this? 


  • Administrators

No, passwords are not sent in plain text, as would be the case with basic authentication. However, we use digest authentication against update servers.


OK thanks, so we disabled the SNORT rule SID: 2012870 and updates are working again for now.

For a long term solution we will create a firewall rule to bypass IPS to all ESET update server IP addresses listed in:

https://support.eset.com/en/kb332-ports-and-addresses-required-to-use-your-eset-product-with-a-third-party-firewall#EPNS

especially the IPs listed under the sections:

To download detection engine updates:

To download pico updates:


  • Solution

There is a text editing error in the rule changed on 12/12/2023 in file emerging-policy.rules for SID: 2012870. The content field is the error.

WAS: content:"pw|3a| ";

NOW: content:"|0d 0a|";

The NOW state is simply carriage return and line feed and is the source for all the false positives being seen on this rule.  

Please, somebody who knows how to report this to appropriate people do so. I'm a NOOB and ignorant.  
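To see why the changed content field fires on every request, here is an added example (not from this thread and not from the ET ruleset) that turns a Snort content string into the bytes it matches and tests the WAS and NOW versions against two constructed HTTP requests; the hostnames, paths and credentials in it are made up.

```python
import re

# Translate a Snort/Suricata `content:` value into the raw bytes it matches.
# Inside the quotes, |xx yy| spans are hex bytes; everything else is literal.
def snort_content_to_bytes(content: str) -> bytes:
    out = bytearray()
    for piece in re.split(r"(\|[0-9A-Fa-f\s]+\|)", content):
        if piece.startswith("|") and piece.endswith("|"):
            out += bytes.fromhex(piece[1:-1])  # fromhex skips the spaces
        else:
            out += piece.encode("latin-1")
    return bytes(out)

# Minimal stand-in for a content match: does the pattern occur anywhere?
def content_matches(content: str, payload: bytes) -> bool:
    return snort_content_to_bytes(content) in payload

WAS_CONTENT = 'pw|3a| '   # rule before the 12/12/2023 edit: literal "pw: "
NOW_CONTENT = '|0d 0a|'   # rule after the edit: a bare CRLF

# Constructed sample traffic (not captured from any real client).
# An update check using digest auth: no password on the wire.
UPDATE_REQUEST = (
    b"GET /update.ver HTTP/1.1\r\n"
    b"Host: update.example.invalid\r\n"
    b'Authorization: Digest username="user-placeholder", realm="updates"\r\n'
    b"\r\n"
)
# A request that really does carry "pw: " in its body.
LEAKY_REQUEST = (
    b"POST /login HTTP/1.1\r\n"
    b"Host: app.example.invalid\r\n"
    b"Content-Type: text/plain\r\n"
    b"\r\n"
    b"user: alice\r\npw: hunter2\r\n"
)

def evaluate(content: str) -> dict:
    """Which of the two sample requests would this content field flag?"""
    return {
        "update_request_flagged": content_matches(content, UPDATE_REQUEST),
        "leaky_request_flagged": content_matches(content, LEAKY_REQUEST),
    }

if __name__ == "__main__":
    print("WAS:", evaluate(WAS_CONTENT))  # only the leaky request
    print("NOW:", evaluate(NOW_CONTENT))  # every HTTP request has CRLF
```

A real rule carries further options (flow direction, buffer modifiers) that this check ignores; the point is only that a bare CRLF content matches any HTTP request.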

