I’m not a programmer and don’t know what the internal application is attempting to do at this point but need some general guidance. In the last week we started receiving floods of IPS event emails for various IPS detections (generally those below, but there are others).
[SID: 27921] OS Attack: GNU Bash CVE-2014-6278 attack blocked
[SID: 27907] OS Attack: GNU Bash CVE-2014-6271 attack blocked
The IP addresses for both sides of the detection are ours, and there are definitely application processes of ours running that are causing this. It is an inbound process from a server in our DMZ to a server on the internal network. The specific executable responsible is listed in the Symantec event email, but there still seems to be no way to exclude an executable or the file hash for that executable from IPS detection, only exclusion for all IPS events on the host(s) or manually selecting the vulnerability from the list of 4,000+ to be excluded. In the end, there is no safe way to exclude a known program, only known hosts or the vulnerability – neither of which is truly desirable, since the potential for a malicious application to get installed on the excluded host(s) exists, or you just forego detection of that vulnerability.
Before I talk to the programmers of the application causing the events, I would like to know if these IPS detections are an indication that the program is poorly written, or if it is possible that it is written properly and simply triggers the events? Basically, is it more common that these are caused by crap code, or that Symantec is overzealous but leaves us no choice other than excluding the hosts?
The programmers use Delphi for most of their applications and there seems to be a real issue with Symantec detecting many of the apps as malicious via heuristic detection – which is another problem for another day. They get irrationally upset when their applications are quarantined and accuse us of breaking their stuff all the time. I’m getting pretty tired of it, really.
Any help, input, or advice is greatly appreciated!
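The two CVE numbers in the alerts above are both Shellshock variants, and every signature in that family keys on the same core: an HTTP header (or other environment-bound value) that begins with a bash function definition, `() {`. The script below is an added example, not part of the original post and not Symantec's signature logic. It parses raw HTTP requests, flags header values that carry the function-definition marker, and classifies them as the CVE-2014-6271 form (`() { :;}; <commands>`) or the CVE-2014-6278 form (`() { _; } >_[$($())] { <commands> }`). The sample requests, the `app.internal` host name and the `InventorySync` user agent are constructed for the example. Running something like this over a packet capture of the DMZ-to-internal traffic tells you whether the application is literally sending that pattern (for instance a custom header or cookie whose value starts with `() {`) or whether the IPS is matching on something looser.

```python
import re
from typing import Dict, List

# Core marker shared by the Shellshock family: a value that starts with a
# bash function definition. Real IPS signatures are more specific, but this
# is the substring they all have to see somewhere in the request.
FUNC_DEF = re.compile(rb"\(\)\s*\{")

# CVE-2014-6271 shape: "() { <body> }; <trailing commands>". The commands
# after the closing brace are what vulnerable bash executed on import.
CVE_6271 = re.compile(rb"\(\)\s*\{[^}]*\}\s*;\s*(?P<cmd>\S.*)")

# CVE-2014-6278 shape: "() { _; } >_[$($())] { <commands> }", the later
# parser-bypass variant of the same bug.
CVE_6278 = re.compile(rb"\(\)\s*\{\s*_;\s*\}\s*>_\[\$\(\$\(\)\)\]\s*\{(?P<cmd>[^}]*)\}")


def parse_headers(raw: bytes) -> Dict[bytes, bytes]:
    """Split a raw HTTP request into {lowercased header name: value}."""
    head, _, _body = raw.partition(b"\r\n\r\n")
    headers: Dict[bytes, bytes] = {}
    for line in head.split(b"\r\n")[1:]:          # skip the request line
        name, sep, value = line.partition(b":")   # split on the first colon only
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers


def shellshock_indicators(raw: bytes) -> List[Dict[str, str]]:
    """Return one finding per header whose value carries a Shellshock-style
    function definition, labelled with the CVE shape it matches."""
    findings: List[Dict[str, str]] = []
    for name, value in parse_headers(raw).items():
        if not FUNC_DEF.search(value):
            continue
        m = CVE_6278.search(value)
        if m:
            cve, cmd = "CVE-2014-6278", m.group("cmd")
        else:
            m = CVE_6271.search(value)
            if m:
                cve, cmd = "CVE-2014-6271", m.group("cmd")
            else:
                # Marker present but no recognised trailing command: still
                # worth a look, since many IPS rules fire on the marker alone.
                cve, cmd = "function-definition-only", b""
        findings.append({
            "header": name.decode(errors="replace"),
            "cve": cve,
            "command": cmd.strip().decode(errors="replace"),
        })
    return findings


# Constructed sample traffic (not captured from any real system).
BENIGN = (b"GET /api/status HTTP/1.1\r\nHost: app.internal\r\n"
          b"User-Agent: InventorySync/2.1 (Delphi)\r\nX-Request-Id: 7f3a\r\n\r\n")
ATTACK_6271 = (b"GET /cgi-bin/status HTTP/1.1\r\nHost: app.internal\r\n"
               b"User-Agent: () { :;}; /bin/bash -c 'id'\r\n\r\n")
ATTACK_6278 = (b"GET / HTTP/1.1\r\nHost: app.internal\r\n"
               b"Cookie: () { _; } >_[$($())] { echo vulnerable; }\r\n\r\n")

if __name__ == "__main__":
    for label, req in (("benign", BENIGN), ("6271", ATTACK_6271), ("6278", ATTACK_6278)):
        print(label, shellshock_indicators(req))
```

If the application's requests come back clean under this check, the IPS is matching on something other than the textbook payload and the exact header or field it objects to needs to be pulled from the capture; if they come back flagged, the developers have something that genuinely starts with `() {` in a header value and should change that, whatever the intent behind it.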