New Member
Posts: 8
Registered: 10-02-2017
Kudos: 2

Decoding IPS Alerts

Hi folks,

Where can I go/should I go to decode/understand the IPS alerts I get?

 

I just got about 30 alerts like this one - 

IPS Alert 1: Executable Code was Detected. Signature ET SHELLCODE Common 0a0a0a0a Heap Spray String. From: 23.204.103.33:80, to: 192.168.99.140:53263, protocol: TCP, in interface: eth1

but I'm not sure exactly what it is saying.  I put the string into Google and quickly got lost in the results.

 

Is there a recommended site that will help Admins understand what "Signature ET SHELLCODE Common 0a0a0a0a Heap Spray String" means?

 

Thanks,

Ubiquiti Employee
Posts: 577
Registered: 08-10-2017
Kudos: 311
Solutions: 26

Re: Decoding IPS Alerts

There is a good chance this is a false positive.

This matches the following rule:

alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET SHELLCODE Common 0a0a0a0a Heap Spray String"; flow:established,to_client; content:"0a0a0a0a"; nocase; reference:url,www.darkreading.com/security/vulnerabilities/221901428/index.html; classtype:shellcode-detect; sid:2012252; rev:3; metadata:created_at 2011_02_02, updated_at 2011_02_02;)


Basically any traffic from an HTTP server to your home network that contains 0a0a0a0a can trigger this alert.

On version 5.9 you will be able to suppress alerts and you can easily remove any signature that is causing false positives like this one.
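To make the rule above concrete, here is an added Python example (not code from this thread, from Ubiquiti or from Emerging Threats). It parses the alert line quoted at the top of the thread and the posted rule, checks that the alert's addresses and ports fit the rule header (`$EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any`), and then runs the rule's single content match over a few constructed HTTP response bodies. The point it demonstrates: in Suricata rule syntax `content:"0a0a0a0a"` with no `|..|` hex delimiters matches the eight ASCII characters `0a0a0a0a`, in either case because of `nocase`, and not four 0x0a bytes. So any hex-looking token in a web response (a session ID, a file name) fires it, while raw 0x0a byte padding would not. The values assumed for `$HOME_NET` (192.168.0.0/16) and `$HTTP_PORTS` (80) and all sample bodies are assumptions made for the example.

```python
import ipaddress
import re

# Constructed sample input: the alert line quoted at the top of this thread.
ALERT_LINE = (
    "IPS Alert 1: Executable Code was Detected. Signature ET SHELLCODE Common "
    "0a0a0a0a Heap Spray String. From: 23.204.103.33:80, to: 192.168.99.140:53263, "
    "protocol: TCP, in interface: eth1"
)

# The rule as posted above (sid 2012252), with whitespace normalised.
RULE = (
    'alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any '
    '(msg:"ET SHELLCODE Common 0a0a0a0a Heap Spray String"; '
    'flow:established,to_client; content:"0a0a0a0a"; nocase; '
    'reference:url,www.darkreading.com/security/vulnerabilities/221901428/index.html; '
    'classtype:shellcode-detect; sid:2012252; rev:3; '
    'metadata:created_at 2011_02_02, updated_at 2011_02_02;)'
)

ALERT_RE = re.compile(
    r"Signature (?P<sig>.+?)\. From: (?P<src>[\d.]+):(?P<sport>\d+), "
    r"to: (?P<dst>[\d.]+):(?P<dport>\d+), protocol: (?P<proto>\w+)"
    r"(?:, in interface: (?P<iface>\S+))?"
)
# One rule option: keyword, optional ':value' (quoted or bare), terminating ';'.
OPT_RE = re.compile(r'\s*([a-z_]+)(?::((?:"[^"]*"|[^;])*))?;')


def parse_alert(line):
    """Split a UniFi IPS alert line into signature name and 5-tuple fields."""
    m = ALERT_RE.search(line)
    if not m:
        raise ValueError("unrecognised alert line")
    d = m.groupdict()
    d["sport"], d["dport"] = int(d["sport"]), int(d["dport"])
    return d


def parse_rule(rule):
    """Parse the rule header and options; 'nocase' modifies the content before it."""
    header, _, body = rule.partition("(")
    action, proto, src, sport, _arrow, dst, dport = header.split()
    out = {"action": action, "proto": proto, "src": src, "sport": sport,
           "dst": dst, "dport": dport, "contents": []}
    for key, val in OPT_RE.findall(body):
        if key == "content":
            out["contents"].append({"pattern": val.strip('"'), "nocase": False})
        elif key == "nocase":
            out["contents"][-1]["nocase"] = True
        else:
            out[key] = val.strip('"')
    return out


def content_to_bytes(pattern):
    """Suricata content syntax: text outside |..| is literal, inside |..| is hex."""
    out = bytearray()
    for i, seg in enumerate(pattern.split("|")):
        out += bytes.fromhex(seg) if i % 2 else seg.encode("latin-1")
    return bytes(out)


def rule_fires(rule, payload):
    """True when every content match in the rule is found in the payload."""
    for c in rule["contents"]:
        needle, hay = content_to_bytes(c["pattern"]), payload
        if c["nocase"]:
            needle, hay = needle.lower(), hay.lower()
        if needle not in hay:
            return False
    return True


def header_matches(alert, home_nets=("192.168.0.0/16",), http_ports=(80,)):
    """Does the alert's 5-tuple fit '$EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any'?
    home_nets and http_ports are assumed values for $HOME_NET and $HTTP_PORTS."""
    nets = [ipaddress.ip_network(n) for n in home_nets]
    src, dst = ipaddress.ip_address(alert["src"]), ipaddress.ip_address(alert["dst"])
    return (not any(src in n for n in nets) and any(dst in n for n in nets)
            and alert["sport"] in http_ports)


# Constructed HTTP response bodies; none of these were captured from real traffic.
SAMPLES = {
    "js_padding": b'var pad = "0a0a0a0a0a0a0a0a"; while (pad.length < 0x100000) pad += pad;',
    "json_hex_id": b'{"session":"7c0a0a0a0a1e9f"}',        # hex-looking token: false positive
    "uppercase": b'<img src="/img/0A0A0A0A.png">',          # fires only because of nocase
    "raw_nop_bytes": b"\x90\x90\x0a\x0a\x0a\x0a\x90\x90",   # real 0x0a bytes: no match
    "plain_html": b"<html><body>hello</body></html>",
}


def triage():
    """Return {sample_name: fired} for the rule run over each sample body."""
    rule = parse_rule(RULE)
    return {name: rule_fires(rule, body) for name, body in SAMPLES.items()}


if __name__ == "__main__":
    alert = parse_alert(ALERT_LINE)
    print(alert["sig"], "| header fits rule:", header_matches(alert))
    for name, fired in triage().items():
        print(f"{name:14s} {'FIRES' if fired else 'no match'}")
```

When triaging one of these alerts, the useful questions are therefore what the client at the destination port was fetching from that server (a page, an update, a media stream) and whether an eight-character hex run is plausible in that content; the signature itself carries no information about executable code beyond that literal.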
Established Member
Posts: 1,507
Registered: 08-20-2012
Kudos: 795
Solutions: 19

Re: Decoding IPS Alerts

And how do you really know what's a false positive and what's not?

 

The traffic can come from a server for some legit mobile app but the server might have been hacked etc.

 

I just got a few of these too, like this:

 

 

ET SHELLCODE Common 0a0a0a0a Heap Spray String

The IP of this log belongs to a server that seems to belong to some web game developer. At least the default HTTP host does; what other hosts there are is unknown to me.

Emerging Member
Posts: 86
Registered: 08-15-2016
Kudos: 24

Re: Decoding IPS Alerts

I just got this in the morning. Looked up the IP address and it is a Bitdefender download site, so most likely a false positive as mentioned :/

Member
Posts: 400
Registered: 09-23-2018
Kudos: 44
Solutions: 19

Re: Decoding IPS Alerts

What device do you have connected at 192.168.99.140? I've seen a lot of people getting alerts from their smart TVs

New Member
Posts: 8
Registered: 10-02-2017
Kudos: 2

Re: Decoding IPS Alerts

.140 is a Windows PC.  
I haven't seen this error in many months.

New Member
Posts: 25
Registered: 02-26-2016
Kudos: 2

Re: Decoding IPS Alerts

Sorry to resurrect this but I too had this alert (destination was my phone) and when I first looked into it I discovered this.  I had just finished a FaceTime Video call with my girlfriend (who lives in Freiburg, Germany) on my iPhone 6S.  When I looked into the source IP, it was located iiiiiin (take a guess!!!!!)  Freiburg, Germany.

 

This leads me to believe it is something related to the FaceTime platform, specifically the Video side of it (I made a FaceTime Audio call to her today and didn't get the IPS alerts).  I have not yet had a chance to further test my theory with video calls, or if it affects only iPhones or Macs as well.

 

Here's what I do know:

 

- Time stamp on the alerts lines up with the duration of my FaceTime call.

- (assuming I'm right) Source is located very near to the person being called.

- FaceTime Video (but not Audio)

 

 

I will add on as the points roll in (if they do)

 

Test my theory! Have your significant other (or just some other person) FaceTime Video with you and see if you get any IPS alerts that line up with what I'm thinking.

New Member
Posts: 13
Registered: 08-14-2017
Solutions: 1

Re: Decoding IPS Alerts

Someone said video. My destination server (IP) is my Plex server, in my situation.

New Member
Posts: 6
Registered: 01-19-2018

Re: Decoding IPS Alerts

I got this IPS Alert last night from a Microsoft address.  False positive I think.

New Member
Posts: 11
Registered: 03-13-2017
Kudos: 2

Re: Decoding IPS Alerts

Also just had this alert from a Microsoft and a Level3 address. Think it's a Windows box trying to update.

 

hopefully false positives 

New Member
Posts: 1
Registered: 08-15-2018

Re: Decoding IPS Alerts

Just to add to the knowledge, I got the same alert that went to both of my network DVRs. I'm on Fios, and the originating IP is owned by Verizon, so it checks out as a false alarm as far as I am concerned.

Member
Posts: 186
Registered: 10-23-2016
Kudos: 44
Solutions: 1

Re: Decoding IPS Alerts

I just had an alert to a Verizon IP today. Strange, I only have Verizon as a cell provider.

Member
Posts: 147
Registered: 09-09-2015
Kudos: 18
Solutions: 2

Re: Decoding IPS Alerts

Signed into company site and had 300+ alerts.

IPS Alert 1: Executable Code was Detected. Signature ET SHELLCODE Common 0a0a0a0a Heap Spray String. From: 2.23.173.32:80, to: 192.168.0.40:57398, protocol: TCP

Apparently false positive? or? 
