OlafB, posted December 15, 2023

The last day our firewall IPS has been generating a LOT of Snort IPS (Intrusion Prevention System) warnings about passwords being sent out in cleartext/plaintext over the firewall to ESET servers.

SNORT ID below
SID: 2012870
ET POLICY HTTP Outbound Request contains pw

This has caused all of the Endpoint clients (in ESET PROTECT console) to report failed update/cannot reach ESET update servers. This warning has not happened previously, and the SNORT rule isn't a new one. Has anyone else seen this?

Marcos (Administrators), posted December 15, 2023

No, passwords are not sent in plain text, which is in the case of basic authentication. However, we use digest authentication against update servers.

OlafB (Author), posted December 15, 2023

OK thanks, so we disabled the SNORT rule SID: 2012870 and updates are working again for now. For a long-term solution we will create a firewall rule to bypass IPS to all ESET update server IP addresses listed in:

https://support.eset.com/en/kb332-ports-and-addresses-required-to-use-your-eset-product-with-a-third-party-firewall#EPNS

especially the IPs listed under the sections:
To download detection engine updates:
To download pico updates:

bitfiddler (Solution), posted December 16, 2023

There is a text editing error in the rule changed on 12/12/2023 in file emerging-policy.rules for SID: 2012870. The content field is the error.

WAS: content:"pw|3a| ";
NOW: content:"|0d 0a|";

The NOW state is simply carriage return and line feed and is the source for all the false positives being seen on this rule. Please, somebody who knows how to report this to appropriate people do so. I'm a NOOB and ignorant.

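The effect of the content change described in the post above, as an added example that is not part of the original posts or of the rule file: it decodes the two quoted content strings and matches them as plain byte substrings against constructed HTTP requests. The sample requests, host names and helper names are assumptions, and the rule's other options are ignored.

```python
"""Compare the two content strings from the post against constructed requests."""

def decode_content(pattern: str) -> bytes:
    """Decode a Snort-style content string: literal text with |hex| runs.

    Simplification: backslash escapes and content modifiers are not handled.
    """
    parts = pattern.split("|")
    if len(parts) % 2 == 0:
        raise ValueError("unbalanced '|' in content string")
    out = bytearray()
    for i, part in enumerate(parts):
        # Odd-indexed parts sit between pipes and hold hex bytes.
        out += bytes.fromhex(part) if i % 2 else part.encode("latin-1")
    return bytes(out)

OLD_CONTENT = 'pw|3a| '   # "WAS" value quoted in the post
NEW_CONTENT = '|0d 0a|'   # "NOW" value quoted in the post

# Constructed sample requests (hypothetical hosts, paths and header values).
SAMPLES = {
    "update check": b"GET /update.ver HTTP/1.1\r\nHost: update.example.test\r\n\r\n",
    "digest auth": (b"GET /update.ver HTTP/1.1\r\nHost: update.example.test\r\n"
                    b'Authorization: Digest username="u", response="0f3c"\r\n\r\n'),
    "cleartext pw": b"POST /login HTTP/1.1\r\nHost: app.example.test\r\npw: secret\r\n\r\n",
}

def hits(pattern: str) -> list[str]:
    """Return names of the sample requests that contain the decoded pattern."""
    needle = decode_content(pattern)
    return [name for name, raw in SAMPLES.items() if needle in raw]

if __name__ == "__main__":
    for label, pattern in (("WAS", OLD_CONTENT), ("NOW", NEW_CONTENT)):
        print(f"{label} {pattern!r} -> {decode_content(pattern)!r}: {hits(pattern)}")
```

Every HTTP request ends its header lines with CR LF, so the NOW pattern matches all three samples while the WAS pattern matches only the request that carries a literal `pw: ` header.
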
OlafB (Author), posted December 20, 2023

Looks like it WAS a SNORT rule failure as per @bitfiddler