 mvdu Premium join:2003-07-28 Collegeville, PA
| Norton Personal Firewall 2005 intrusion alert
I'm running NPF 2005 with my KAV 5.0. When I go to allmusic.com, I get this alert:
HTTP_MS_SQL_XML_CrossSiteScripting. Intruder: 0.0.0.0(2218). Risk Level: Medium. Protocol: TCP. Attacked IP: 63.214.183.16. Attacked Port: http(80).
Why is this coming up? I only get it on certain allmusic pages - like on the Anna Nalick page. |
|
  black knight Premium join:2004-06-22 Oxford, CT | Check out this thread »forum.iamnotageek.com/history/to···0-1.html |
|
 boblandy Premium join:2002-05-06 | reply to mvdu
you read this, right?
-- look out kid they keep it all hid |
|
 mvdu Premium join:2003-07-28 Collegeville, PA | Yes, I read the info. on the alert - but still couldn't understand why from that site. -- Don't Blame Me, I Voted for Kerry! |
|
 SvS
join:2001-04-15 Germany
| said by mvdu: Yes, I read the info. on the alert - but still couldn't understand why from that site.
Which site: Intruder: 0.0.0.0 -> Attacked IP: 63.214.183.16?
This apparently originates from your computer. |
|
 mvdu Premium join:2003-07-28 Collegeville, PA 1 edit | I saw that - I don't have an SQL server. I noticed that allmusic pages have sql in the address. -- Don't Blame Me, I Voted for Kerry! |
|
 SvS
join:2001-04-15 Germany
| Your system sends something which triggers this signature, this may be a false positive - are your IDS Definitions current? In your IDS log the version should read:
Intrusion Detection Signature File Version: 03.03.2005 Rev. 27. Intrusion Detection Engine Version: 1.9.1. |
|
 mvdu Premium join:2003-07-28 Collegeville, PA | Yes, that's the version I have. Thanks all for helping - I'll look around for more info. on the alert. -- Don't Blame Me, I Voted for Kerry! |
|
  antdude A Ninja Ant Premium,VIP join:2001-03-25
1 edit | reply to boblandy
said by boblandy: you read this, right?
It could be a false alarm/positive. Is anyone else getting this? I will pass this thread down to someone at Symantec to confirm it. |
|
 mvdu Premium join:2003-07-28 Collegeville, PA | Thanks, antdude! I was wondering if it's a false positive, even if the info page says there aren't any FPs with this signature. -- Don't Blame Me, I Voted for Kerry! |
|
  amysheehan Premium,VIP,MVM join:1999-12-21 Huntington Beach, CA
·RoadRunner Cable
4 edits |  FIRST STEP |  UNCHECK NOTIFICATIONS ONLY |
said by mvdu: Thanks, antdude! I was wondering if it's a false positive, even if the info page says there aren't any FPs with this signature.
My son was getting those alerts and we fixed them. I'll edit this reply as soon as I can go look at his settings and get that information.
EDIT TO ADD: We began by unchecking the ALERT NOTIFICATION - not monitoring for the alert. In the case of allmusic.com that did the trick. If this does not work or you cannot reach that site let me know....It all depends on what other services you have running when you are browsing to that site...
I would consider including Eric Howes' "Agnis" block list that can be used with NPF 2005: »https://netfiles.uiuc.edu/ehowes/www/res···tm#AGNIS
The AGNIS block lists can be used with Norton Internet Security 2002 Professional, Norton Internet Security 2003, Norton Internet Security 2003 Professional, Norton Personal Firewall 2003, Norton Internet Security 2004, Norton Internet Security 2004 Professional, Norton Personal Firewall 2004, Norton Internet Security 2005, and Norton Personal Firewall 2005; however, you must use the ProWAGoN utility written by Christian Haagensen to load, remove, and back up the block lists. »https://netfiles.uiuc.edu/ehowes/www/res···tm#AGNIS
Prowagon: »https://netfiles.uiuc.edu/ehowes/www/res···prowagon
Note: For current updates see: »Security Software Updates 17 April 2005
 |
|
 mvdu Premium join:2003-07-28 Collegeville, PA | Thanks, amysheehan! That will be a big help. I have done as you suggested. -- Don't Blame Me, I Voted for Kerry! |
|
 zog_2005
join:2004-10-25 Santa Monica, CA
| Hi mvdu,
I am having trouble reproducing this particular attack. I went to www.allmusic.com and then searched for Ann Nalick in the search box. This did bring up the Anna Nalick page, but no attack.
I'm going to have some other folks on my team take a look at it. -- Intrusion Detection/Intrusion Prevention Engineering, Symantec Corporation. |
|
 mvdu Premium join:2003-07-28 Collegeville, PA
1 edit | Hi, zog:
Make sure you also go to her discography page and the Wreck Of The Day page.
I recently got a new computer (Sony VAIO), so maybe it has to do with software/hardware that came on it? -- Don't Blame Me, I Voted for Kerry! |
|
  amysheehan Premium,VIP,MVM join:1999-12-21 Huntington Beach, CA
·RoadRunner Cable
| said by mvdu: I recently got a new computer (Sony VAIO), so maybe it has to do with software/hardware that came on it?
My son's got a Sony laptop [newer] with all the Sound Forge? things..That's what we thought were conflicting...
 |
|