HTTP body IPS match on store.gonitro.com site when checking serial number
I just tried to check my Nitro Pro application's availability for upgrade and it fails to check it, giving this error in the FSM traffic monitor. I obfuscated my actual serial number.
2020-06-01 17:51:37 Deny src_ip=192.168.16.193 dst_ip=104.16.242.229 pr=https/tcp src_port=58534 dst_port=443 src_intf=1-VLAN1-PrivateLAN dst_intf=0-External msg=ProxyDeny: HTTP body IPS match pckt_len= ttl= policy=(HTTPS-proxy-Mgmt-Office.Out-00) proxy_action=HTTP-Client.Mgmt-DPI proc_id="http-proxy" rc="595" msg_id="1AFF-0026" proxy_act="HTTP-Client.Mgmt-DPI" reason="" signature_id="1131148" severity="4" signature_name="WEB-CLIENT Javascript Obfuscation in Exploit Kits - 12 (Ransomware Attack Vector)" signature_cat="Exploits" sig_vers="18.094" host="store.gonitro.com" path="/304/purl-Pro13Upgrade?x-serial=234600121xxxxxx" geo_dst="USA" Traffic
If I try to go to store.gonitro.com by itself, there is no issue. I cannot check the page source when it fails because it's a blank page.
How can I tell if this is real or a false-positive?
Gregg
Gregg Hill
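The traffic-monitor line above is the only evidence the post has, so the first practical step is to pull the fields apart (signature id, policy, proxy action, host, path) and to mask the serial number before the line is pasted into a support ticket or a forum. The following Python is an added example, not code from the post or from WatchGuard: it parses the WatchGuard key=value format (quoted values, the free-text `msg=` value, the parenthesised `policy=` value, the empty `pckt_len=`/`ttl=` fields and the trailing `Traffic` column), redacts secret-looking query parameters in `path`, and builds a triage summary. The sample line is the post's own line re-typed as constructed input; the Threat Detail URL shape is an assumption copied from the link quoted in the reply below.

```python
import re
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# Constructed sample input: the traffic-monitor line from the post.
SAMPLE_LINE = (
    '2020-06-01 17:51:37 Deny src_ip=192.168.16.193 dst_ip=104.16.242.229 pr=https/tcp '
    'src_port=58534 dst_port=443 src_intf=1-VLAN1-PrivateLAN dst_intf=0-External '
    'msg=ProxyDeny: HTTP body IPS match pckt_len= ttl= policy=(HTTPS-proxy-Mgmt-Office.Out-00) '
    'proxy_action=HTTP-Client.Mgmt-DPI proc_id="http-proxy" rc="595" msg_id="1AFF-0026" '
    'proxy_act="HTTP-Client.Mgmt-DPI" reason="" signature_id="1131148" severity="4" '
    'signature_name="WEB-CLIENT Javascript Obfuscation in Exploit Kits - 12 (Ransomware Attack Vector)" '
    'signature_cat="Exploits" sig_vers="18.094" host="store.gonitro.com" '
    'path="/304/purl-Pro13Upgrade?x-serial=234600121xxxxxx" geo_dst="USA" Traffic'
)

# A token is either key=value (value quoted, or a run of non-blank characters,
# possibly empty) or a bare word that belongs to no key.
TOKEN_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S*)|(\S+)')

# Query parameter names whose values must be masked before sharing a log line.
SENSITIVE_PARAM_RE = re.compile(r'serial|licen[cs]e|key|token|passw|secret', re.I)

# Assumption: URL shape taken from the Threat Detail link quoted in the reply.
THREAT_DETAIL_URL = 'http://www.watchguard.com/SecurityPortal/ThreatDetail.aspx?rule_id={}'


def parse_wg_line(line):
    """Parse one WatchGuard traffic-monitor line into a dict.

    Bare words before the first key go to '_prefix' (date, time, verdict).
    Bare words after an unquoted value are appended to that value, which
    recovers the free text 'msg=ProxyDeny: HTTP body IPS match'.
    Bare words after a quoted value go to '_suffix' (the trailing 'Traffic').
    Parenthesised values such as policy=(...) are unwrapped.
    """
    fields = {'_prefix': [], '_suffix': []}
    last_key, last_quoted = None, False
    for m in TOKEN_RE.finditer(line):
        key, value, bare = m.groups()
        if key is not None:
            last_quoted = value.startswith('"')
            if last_quoted or (value.startswith('(') and value.endswith(')')):
                value = value[1:-1]
            fields[key] = value
            last_key = key
        elif last_key is None:
            fields['_prefix'].append(bare)
        elif last_quoted:
            fields['_suffix'].append(bare)
        else:
            fields[last_key] = (fields[last_key] + ' ' + bare).strip()
    return fields


def redact_path(path):
    """Mask the values of secret-looking query parameters, keeping the names."""
    parts = urlsplit(path)
    if not parts.query:
        return path
    pairs, changed = [], False
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        if SENSITIVE_PARAM_RE.search(name):
            pairs.append((name, 'REDACTED'))
            changed = True
        else:
            pairs.append((name, value))
    if not changed:
        return path  # leave untouched paths byte-for-byte as logged
    return urlunsplit(parts._replace(query=urlencode(pairs)))


def triage(line):
    """Summarise the fields a support ticket or a signature lookup needs."""
    f = parse_wg_line(line)
    prefix = f['_prefix']
    return {
        'time': ' '.join(prefix[:2]),
        'verdict': prefix[2] if len(prefix) > 2 else '',
        'src': f"{f.get('src_ip')}:{f.get('src_port')}",
        'dst': f"{f.get('dst_ip')}:{f.get('dst_port')}",
        'policy': f.get('policy'),
        'proxy_action': f.get('proxy_action'),
        'msg': f.get('msg'),
        'signature_id': f.get('signature_id'),
        'signature_name': f.get('signature_name'),
        'severity': f.get('severity'),
        'sig_vers': f.get('sig_vers'),
        'host': f.get('host'),
        'path': redact_path(f.get('path', '')),
        'detail_url': THREAT_DETAIL_URL.format(f.get('signature_id', '')),
    }


if __name__ == '__main__':
    for k, v in triage(SAMPLE_LINE).items():
        print(f'{k:15} {v}')
```

The redacted `path` and the `signature_id`/`sig_vers` pair are what a support case or a community post should carry; the full serial belongs in neither.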
Comments
Not so easily, alas.
The provider of the IPS info does not give much here:
http://www.watchguard.com/SecurityPortal/ThreatDetail.aspx?rule_id=1131148&includedIn=Full, Enhanced, Standard
Description: Multiple vulnerabilities were found in several web browsers, which allow remote attackers to execute arbitrary code
Impact: Remote code execution
Recommendation: Update vendor's patch.
Additional Information:
N/A
A pretty much useless description.
No CVE or NIST number to check this out.
A search for "Javascript Obfuscation in Exploit Kits - 12" returns only 2 hits with no useful info.
A search for "Javascript Obfuscation in Exploit Kits", not much better.
So there is no way to tell.
Open a support incident and COMPLAIN about the useless IPS info here.
If there is no way to tell whether this is a positive or a false positive, why bother having it in the IPS database?