Endpoint is sending http requests to ESET with cleartext password?

[OlafB 1]

The last day our firewall IPS has been generating a LOT of Snort IPS (Intrusion Prevention System) warnings about passwords being sent out in cleartext/plaintext over the firewall to ESET servers.

SNORT ID below

SID: 2012870    ET POLICY HTTP Outbound Request contains pw

This has caused all of the Endpoint clients (in ESET PROTECT console) to report failed update/cannot reach ESET update servers.

This warning has not happened previously, and the SNORT rule isn't a new one. 

Has anyone else seen this? 

[Marcos 5,128]

No, passwords are not sent in plain text which is in the case of basic authentication. However, we use digest authentication against update servers.

[OlafB 1]

OK thanks, so we disabled the SNORT rule SID: 2012870 and updates are working again for now.

For a long term solution we will create a firewall rule to bypass IPS to all ESET update server IP addresses listed in:

https://support.eset.com/en/kb332-ports-and-addresses-required-to-use-your-eset-product-with-a-third-party-firewall#EPNS

especially the IPs listed under the sections:

To download detection engine updates:

To download pico updates:

[bitfiddler 0]

There is a text editing error in the rule changed on 12/12/2023 in file emerging-policy.rules for SID: 2012870. The content field is the error.

WAS: content:"pw|3a| ";

NOW: content:"|0d 0a|";

The NOW state is simply carriage return and line feed and is the source for all the false positives being seen on this rule.  

Please, somebody who knows how to report this to appropriate people do so. I'm a NOOB and ignorant.  

[OlafB 1]

Looks like it WAS a SNORT rule failure as per @bitfiddler