Hello,
There’s something in piwik.js in version 1.2 that triggers a false positive for a certain type of Mozilla Regex Exploit in Snort configurations for Astaro firewall/VPN appliances. For the user it looks like the request to piwik.js is running forever, i.e. the reply is never coming back. The reply is in fact being dropped by Snort (IDS/IPS). You’ll find a message like this in the logs:
2011:03:16-17:19:38 vpn snort[18199]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="drop" reason="WEB-CLIENT Mozilla regular expression heap corruption attempt" group="320" srcip="[server-ip]" dstip="[client-ip]" proto="6" srcport="80" dstport="50895" sid="8443" class="Attempted User Privilege Gain" priority="1" generator="1" msgid="0"
This seems to be triggered by the following Snort IPS rule: http://www.snort.org/search/sid/8443?r=1
Unfortunately the same rule is known to often cause false positives like in this case. There are two possible workarounds and one possible fix:
Workaround 1: Exclude the Piwik server’s IP address from checks in Snort/Astaro
Workaround 2: Disable the rule in the Snort signatures completely (don’t know if that’s actually an option, I’m no Astaro admin) - the fix is for a vulnerability in Mozilla type browsers that was reported some four years ago. Being the good admin you are you have by now made sure that none of your users is still using crap that old, right?
Fix: Find the section in piwik.js that’s triggering the rule and try to write it in a way that doesn’t get blocked.
Kind regards
Markus
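
The following is an added example, not part of the original post: a small Python script an admin could use to confirm that one Snort SID is dropping replies from a specific server before deciding on an exclusion. The function names and the sample log lines are constructed for illustration; the IP addresses are documentation-range placeholders, and only the field layout is taken from the alert quoted above.

```python
import re
from collections import Counter

# Constructed sample lines in the layout of the alert quoted in the post.
# IPs are placeholders; the second line keeps typographic quotes as pasted logs often do.
SAMPLE_LOG = '''\
2011:03:16-17:19:38 vpn snort[18199]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="drop" reason="WEB-CLIENT Mozilla regular expression heap corruption attempt" group="320" srcip="192.0.2.10" dstip="198.51.100.7" proto="6" srcport="80" dstport="50895" sid="8443"
2011:03:16-17:21:02 vpn snort[18199]: id=“2101” sub=“ips” action=“drop” srcip=“192.0.2.10” dstip=“198.51.100.9” srcport=“80” dstport=“50911” sid=“8443”
2011:03:16-17:22:40 vpn snort[18199]: id="2101" sub="ips" action="drop" reason="constructed other rule" srcip="203.0.113.5" dstip="198.51.100.7" srcport="80" dstport="50920" sid="9999999"
2011:03:16-17:23:00 vpn otherdaemon[1]: constructed non-IPS line
'''

HEADER = re.compile(r'^(\S+) (\S+) snort\[(\d+)\]: (.*)$')
# Accept straight and typographic double quotes around values.
PAIR = re.compile(r'(\w+)=["\u201c\u201d]([^"\u201c\u201d]*)["\u201c\u201d]')

def parse_line(line):
    """Return the key/value fields of one snort IPS log line, or None."""
    m = HEADER.match(line.strip())
    if not m:
        return None
    fields = dict(PAIR.findall(m.group(4)))
    fields["timestamp"], fields["host"] = m.group(1), m.group(2)
    return fields

def dropped_replies(log_text, sid):
    """Count drops for one SID, keyed by (source ip, source port).

    In the case described in the post the source is the web server,
    because it is the HTTP reply that the IPS drops.
    """
    hits = Counter()
    for line in log_text.splitlines():
        f = parse_line(line)
        if (f and f.get("sub") == "ips" and f.get("action") == "drop"
                and f.get("sid") == sid and "srcip" in f):
            hits[(f["srcip"], f.get("srcport", "?"))] += 1
    return hits

if __name__ == "__main__":
    for (ip, port), n in dropped_replies(SAMPLE_LOG, "8443").most_common():
        print(f"sid 8443 dropped {n} packet(s) from {ip}:{port}")
```

If every drop for the SID comes from the same trusted server and port, that supports treating it as a false positive and scoping an exclusion to that one address rather than disabling the rule everywhere.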