HTTP body IPS match on store.gonitro.com site when checking serial number

I just tried to check my Nitro Pro application's availability for upgrade and it fails to check it, getting this error in FSM traffic monitor. I obfuscated my actual serial number.

2020-06-01 17:51:37 Deny src_ip= dst_ip= pr=https/tcp src_port=58534 dst_port=443 src_intf=1-VLAN1-PrivateLAN dst_intf=0-External msg=ProxyDeny: HTTP body IPS match pckt_len= ttl= policy=(HTTPS-proxy-Mgmt-Office.Out-00) proxy_action=HTTP-Client.Mgmt-DPI proc_id="http-proxy" rc="595" msg_id="1AFF-0026" proxy_act="HTTP-Client.Mgmt-DPI" reason="" signature_id="1131148" severity="4" signature_name="WEB-CLIENT Javascript Obfuscation in Exploit Kits - 12 (Ransomware Attack Vector)" signature_cat="Exploits" sig_vers="18.094" host="store.gonitro.com" path="/304/purl-Pro13Upgrade?x-serial=234600121xxxxxx" geo_dst="USA" Traffic

If I try to go to store.gonitro.com by itself, there is no issue. I cannot check the page source when it fails because its a blank page.

How can I tell if this is real or a false-positive?


Gregg Hill


  • Options
    edited June 2020

    Not so easily, alas.
    The provider of the IPS info does not give much here:
    http://www.watchguard.com/SecurityPortal/ThreatDetail.aspx?rule_id=1131148&includedIn=Full, Enhanced, Standard

    Description: Multiple vulnerabilities were found in several web browsers, which allow remote attackers to execute arbitrary code

    Impact: Remote code execution
    Recommendation: Update vendor's patch.

    Additional Information:

    A pretty much useless description.
    No CVE or NIST number to check this out.

    A search for "Javascript Obfuscation in Exploit Kits - 12" returns only 2 hits with no useful info.
    A search for "Javascript Obfuscation in Exploit Kits", not much better.

    So there is no way to tell.
    Open a support incident and COMPLAIN about the useless IPS info here.

    If there is no way to tell that this is a positive or false positive, why bother having it in the IPS database??????????????????????

Sign In to comment.