[Bug 1933396] [NEW] fwsnort rule blocks canonical ip

claudio javier fernandez 1933396 at bugs.launchpad.net
Wed Jun 23 23:38:14 UTC 2021


Public bug reported:

I am trying to update and I get the following error from synaptic:

W: Failed to get http://archive.ubuntu.com/ubuntu/pool/main/l/linux-hwe-5.4/linux-modules-extra-5.4.0-77-generic_5.4.0-77.86~18.04.1_amd64.deb
Connection failed [IP: 2001:67c:1360:8001::23 80]

Checking mutt mail, I get psad crash alerts configured with fwsnort:

Danger level: [2] (out of 5)

Scanned TCP ports: [42400: 1 packets]
        TCP flags: [ACK: 1 packets]
   iptables chain: FWSNORT_INPUT_ESTAB (prefix "[401] REJ SID1797 ESTAB"), 1 packets
     fwsnort rule: 401

           Source: 2001:067c:1360:8001:0000:0000:0000:0023
              DNS: [No reverse dns info available]
[+] TCP scan signatures:

"PORN BDSM" dst port: 42400 (no server bound to local port) flags: ACK
content: "BDSM" sid: 1797 chain: FWSNORT_INPUT_ESTAB packets: 1
classtype: kickass-porn

and the same for IPv4:

Danger level: [2] (out of 5)

Scanned TCP ports: [51378: 1 packets]
        TCP flags: [ACK: 1 packets]
   iptables chain: FWSNORT_INPUT_ESTAB (prefix "[515] REJ SID1797 ESTAB"), 1 packets
     fwsnort rule: 515

           Source: 91.189.88.152
              DNS: [No reverse dns info available]
[+] TCP scan signatures:

"PORN BDSM" dst port: 51378 (no server bound to local port) flags: ACK
content: "BDSM" sid: 1797 chain: FWSNORT_INPUT_ESTAB packets: 1
classtype: kickass-porn

I am trying to download the file
http://archive.ubuntu.com/ubuntu/pool/main/l/linux-hwe-5.4/linux-modules-extra-5.4.0-77-generic_5.4.0-77.86~18.04.1_amd64.deb
manually from the Brave browser, and the Malwarebytes extension blocks the
download as a suspicious site. Could I be facing a DNS hijacking? Or
should I consider this a bug, disable psad-fwsnort, and update without risk
of infecting my computer?

ProblemType: Bug
DistroRelease: Ubuntu 18.04
Package: ubuntu-release-upgrader-core 1:18.04.44
ProcVersionSignature: Ubuntu 5.4.0-74.83~18.04.1-generic 5.4.114
Uname: Linux 5.4.0-74-generic x86_64
ApportVersion: 2.20.9-0ubuntu7.24
Architecture: amd64
CrashDB: ubuntu
CurrentDesktop: ubuntu:GNOME
Date: Wed Jun 23 20:33:55 2021
InstallationDate: Installed on 2020-04-16 (433 days ago)
InstallationMedia: Ubuntu 18.04.4 LTS "Bionic Beaver" - Release amd64 (20200203.1)
PackageArchitecture: all
SourcePackage: ubuntu-release-upgrader
Symptom: dist-upgrade
UpgradeStatus: No upgrade log present (probably fresh install)

** Affects: ubuntu-release-upgrader (Ubuntu)
     Importance: Undecided
         Status: New


** Tags: amd64 apport-bug bionic dist-upgrade

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to ubuntu-release-upgrader in
Ubuntu.
https://bugs.launchpad.net/bugs/1933396

Title:
  fwsnort rule blocks canonical ip

Status in ubuntu-release-upgrader package in Ubuntu:
  New


To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/ubuntu-release-upgrader/+bug/1933396/+subscriptions
