[Bug 1933396] Re: fwsnort rule blocks canonical ip

Brian Murray 1933396 at bugs.launchpad.net
Mon Jul 12 23:02:29 UTC 2021


** Package changed: ubuntu-release-upgrader (Ubuntu) => fwsnort (Ubuntu)

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to ubuntu-release-upgrader in
Ubuntu.
https://bugs.launchpad.net/bugs/1933396

Title:
  fwsnort rule blocks canonical ip

Status in fwsnort package in Ubuntu:
  New

Bug description:
  I am trying to update and I get the following error from synaptic:

  W: Failed to get
  http://archive.ubuntu.com/ubuntu/pool/main/l/linux-hwe-5.4/linux-modules-extra-5.4.0-77-generic_5.4.0-77.86~18.04.1_amd64.deb
  Connection failed [IP: 2001:67c:1360:8001::23 80]

  Checking mutt mail, I get psad crash alerts configured with fwsnort:

  Danger level: [2] (out of 5)

  Scanned TCP ports: [42400: 1 packets]
          TCP flags: [ACK: 1 packets]
     iptables chain: FWSNORT_INPUT_ESTAB (prefix "[401] REJ SID1797 ESTAB"), 1 packets
       fwsnort rule: 401

             Source: 2001:067c:1360:8001:0000:0000:0000:0023
                DNS: [No reverse dns info available]
  [+] TCP scan signatures:

  "PORN BDSM" dst port: 42400 (no server bound to local port) flags: ACK
  content: "BDSM" sid: 1797 chain: FWSNORT_INPUT_ESTAB packets: 1
  classtype: kickass-porn

  And the same for IPv4:

  Danger level: [2] (out of 5)

  Scanned TCP ports: [51378: 1 packets]
          TCP flags: [ACK: 1 packets]
     iptables chain: FWSNORT_INPUT_ESTAB (prefix "[515] REJ SID1797 ESTAB"), 1 packets
       fwsnort rule: 515

             Source: 91.189.88.152
                DNS: [No reverse dns info available]
  [+] TCP scan signatures:

  "PORN BDSM" dst port: 51378 (no server bound to local port) flags: ACK
  content: "BDSM" sid: 1797 chain: FWSNORT_INPUT_ESTAB packets: 1
  classtype: kickass-porn

  I am trying to download the file
  http://archive.ubuntu.com/ubuntu/pool/main/l/linux-hwe-5.4/linux-modules-extra-5.4.0-77-generic_5.4.0-77.86~18.04.1_amd64.deb
  from the Brave browser manually, and the Malwarebytes extension blocks
  the download as a suspicious site. Could I be facing DNS hijacking? Or
  should I consider this a bug, disable psad-fwsnort, and update without
  risk of infecting my computer?

  ProblemType: Bug
  DistroRelease: Ubuntu 18.04
  Package: ubuntu-release-upgrader-core 1:18.04.44
  ProcVersionSignature: Ubuntu 5.4.0-74.83~18.04.1-generic 5.4.114
  Uname: Linux 5.4.0-74-generic x86_64
  ApportVersion: 2.20.9-0ubuntu7.24
  Architecture: amd64
  CrashDB: ubuntu
  CurrentDesktop: ubuntu:GNOME
  Date: Wed Jun 23 20:33:55 2021
  InstallationDate: Installed on 2020-04-16 (433 days ago)
  InstallationMedia: Ubuntu 18.04.4 LTS "Bionic Beaver" - Release amd64 (20200203.1)
  PackageArchitecture: all
  SourcePackage: ubuntu-release-upgrader
  Symptom: dist-upgrade
  UpgradeStatus: No upgrade log present (probably fresh install)

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/fwsnort/+bug/1933396/+subscriptions


