
IPS alert every 5 minutes

Hello,

Our company is getting an IPS alert every 5 minutes (it started on 12.5.2020, but our mail gateway blocked delivery of the alert messages). There are different source IP addresses (84 IP addresses in total, from GB, the USA and the EU), but the destination is always the same: our WSUS server.

We ran the Sophos Virus Removal Tool on that server and it finished OK: no threats found.

What could this mean? Should we be worried? What should we check?

Intrusion Prevention Alert

An intrusion has been detected. The packet has been dropped automatically.
You can toggle this rule between "drop" and "alert only" in WebAdmin.

Details about the intrusion alert:

Message........: BROWSER-IE Microsoft Edge App-v vbs command attempt
Details........: https://www.snort.org/search?query=48053
Time...........: 2020-05-21 10:10:46
Packet dropped.: yes
Priority.......: high
Classification.: Attempted User Privilege Gain
IP protocol....: 6 (TCP)

Source IP address: 8.241.45.126
Source port: 80 (http)
Destination IP address: ***
Destination port: 50027
       
--
System Uptime      : 34 days 15 hours 1 minute
System Load        : 0.31
System Version     : Sophos UTM 9.703-2

Please refer to the manual for detailed instructions.



  • Hi, thanks. Looks like a false positive in our case too; it looks like our WSUS is trying to download update KB4556799 (released 12.5.2020) and can't. It says "update is not downloaded yet" on the WSUS console... I know I can disable the rule manually on the UTM, but since I'm not 100% sure I won't (and also I guess the rule was created for some other legitimate attack, so I don't want to disable it completely).

  • Because we are sure this is a false positive, we create a temporary IPS exception for Rule 48053 at our customers' sites.

     


    Dirk

    Systema Gesellschaft für angewandte Datentechnik mbH  // Sophos Platinum Partner
    Sophos Solution Partner since 2003
    If a post solves your question, click the 'Verify Answer' link at this post.

  • This problem no longer exists.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Hello,

    Well, it still exists for us.


    Intrusion Prevention Alert

    An intrusion has been detected. The packet has been dropped automatically.
    You can toggle this rule between "drop" and "alert only" in WebAdmin.

    Details about the intrusion alert:

    Message........: BROWSER-IE Microsoft Edge App-v vbs command attempt
    Details........: https://www.snort.org/search?query=48053
    Time...........: 2020-05-25 07:30:58
    Packet dropped.: yes
    Priority.......: high
    Classification.: Attempted User Privilege Gain
    IP protocol....: 6 (TCP)

    Source IP address: 67.27.235.126
    Source port: 80 (http)
    Destination IP address: *
    Destination port: 59849
           
    --
    System Uptime      : 3 days 10 hours 23 minutes
    System Load        : 0.52
    System Version     : Sophos UTM 9.703-3

    Please refer to the manual for detailed instructions.

  • Ahoj Jan and welcome to the UTM Community!

    This is not a false alarm.  I would urge you to forward that to ipaddressing@level3.com along with the corresponding line from the Intrusion Prevention log.  Remember to include your time zone - CEST (UTC+0200)?

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • We saw this again for an hour and a quarter this morning at a client's site on the West Coast.  Requests were to several Akamai IPs: 23.194.213.144, 23.194.213.153 & 23.194.213.154.  The last false positive was at 07:28:24 USA PDT (UTC-0700).  I assume that Sophos now has an automated alert in place to fix such misclassifications faster than the problem last month.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Also, we have seen these alerts today at only one customer's site, on:

    2.17.120.112
    2.17.120.34
    2.17.120.35
    2.17.120.130
    2.22.118.50
    2.22.118.75
    2.17.120.16
    2.17.120.8
    2.17.120.11
    2.17.120.32

    Messages:

    2200901  BROWSER-IE Microsoft Edge App-v vbs Command
    48053    BROWSER-IE Microsoft Edge App-v vbs command attempt

    Seems to be a false positive.

  • Today is the first day the alerts stopped arriving. I don't know why; maybe because there are new updates from Microsoft...

  • Hi all,

    Unfortunately the problem still persists on my side. This started on 29-05. When synchronizing WSUS I'm getting the following IDP warnings every few minutes:

    2020-06-17 10:18:19 Daemon.Warning [firewall IP] device="SFW" date=2020-06-17 time=10:18:19 timezone="CEST" device_name="SG330" device_id=[device ID] log_id=020804407002 log_type="IDP" log_component="Signatures" log_subtype="Drop" priority=Warning idp_policy_id=5 fw_rule_id=57 user_name="" signature_id=39466 signature_msg="FILE-EXECUTABLE Symantec Norton Security IDSvix86 out of bounds read attempt" classification="Attempted Denial of Service" rule_priority=2 src_ip=93.184.221.240 (unresolved)  src_country_code=GBR dst_ip=[local WSUS server]  dst_country_code=R1 protocol="TCP" src_port=80 dst_port=58792 platform="Windows" category="file-executable" target="Client"

    I'm getting the warnings with the following source IPs and domain names:

    • xxxx.deploy.static.akamaitechnologies.com
    • xxxx.routit.net
    • map2.hwcdn.net

    And more.

    I've already updated the patterns, WSUS on Windows Server 2019, Windows updates, etc.

    Has anyone already found a solution for this?
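The check behind the false-positive diagnosis in this thread, as an added example that is not code from the thread, from Sophos or from Snort: a small Python triage script that parses both alert formats posted above (the WebAdmin e-mail body from the first post and the SG IDP syslog line from the last post), normalises them to one record and classifies each dropped packet by TCP direction. A remote port 80 sending to a local port in the ephemeral range means the WSUS server opened the connection and the IPS matched on content it was downloading, which is the pattern in every alert quoted here. The sample inputs are constructed from the posted alerts with the redacted addresses replaced by private placeholders; the ephemeral-port floor (49152, the Windows default) and the WSUS port numbers (8530/8531) are assumptions of the example, not facts from the thread.

```python
"""Triage the Sophos UTM/SG IPS alerts quoted in this thread.

Added example; not code from the thread, from Sophos or from Snort.  It
parses both alert formats shown above (WebAdmin e-mail body, SG IDP
syslog line), normalises them, and checks the first thing a practitioner
checks: did the dropped packet go from a remote service port to a local
ephemeral port?  If so the local host opened the connection and the IPS
fired on content it was downloading.  Samples are constructed from the
posted alerts; redacted addresses are replaced with placeholders.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

EPHEMERAL_MIN = 49152                 # assumption: Windows default client port range
SERVER_PORTS = {80, 443, 8530, 8531}  # assumption: HTTP(S) plus the WSUS defaults


@dataclass
class IpsEvent:
    signature_id: Optional[str]  # Snort SID such as "48053"
    message: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    dropped: bool


_EMAIL_LINE = re.compile(r"^\s*(?P<key>[A-Za-z ]+?)\s*\.*\s*:\s*(?P<val>.*?)\s*$")
_KV_TOKEN = re.compile(r'(\w+)=("([^"]*)"|\S+)')   # key=value or key="quoted value"
_SID_IN_URL = re.compile(r"query=(\d+)")
_FIRST_INT = re.compile(r"\d+")


def parse_email_alert(body: str) -> IpsEvent:
    """Parse the 'Intrusion Prevention Alert' e-mail body ("Key....: value" lines)."""
    f: Dict[str, str] = {}
    for line in body.splitlines():
        m = _EMAIL_LINE.match(line)
        if m:
            f[m.group("key").strip().lower()] = m.group("val")
    sid = _SID_IN_URL.search(f.get("details", ""))
    return IpsEvent(
        signature_id=sid.group(1) if sid else None,
        message=f["message"],
        src_ip=f["source ip address"],
        src_port=int(_FIRST_INT.search(f["source port"]).group()),  # "80 (http)" -> 80
        dst_ip=f["destination ip address"],
        dst_port=int(_FIRST_INT.search(f["destination port"]).group()),
        dropped=f.get("packet dropped", "").lower() == "yes",
    )


def parse_idp_log(line: str) -> IpsEvent:
    """Parse one SG log_type="IDP" syslog line into the same record."""
    kv = {k: (q if raw.startswith('"') else raw) for k, raw, q in _KV_TOKEN.findall(line)}
    return IpsEvent(
        signature_id=kv.get("signature_id"),
        message=kv.get("signature_msg", ""),
        src_ip=kv["src_ip"], src_port=int(kv["src_port"]),
        dst_ip=kv["dst_ip"], dst_port=int(kv["dst_port"]),
        dropped=kv.get("log_subtype", "").lower() == "drop",
    )


def triage(ev: IpsEvent) -> str:
    """'server-reply': remote service port -> local ephemeral port, so the local
    host is the client and the hit is in content it fetched (the WSUS pattern)."""
    if ev.src_port in SERVER_PORTS and ev.dst_port >= EPHEMERAL_MIN:
        return "server-reply"
    if ev.dst_port in SERVER_PORTS:
        return "inbound-request"   # a remote host reached a local service: look closer
    return "unknown"


def summarize(events: List[IpsEvent]) -> Dict[tuple, List[str]]:
    """Group by (signature, verdict) -> sorted source IPs; 84 CDN sources collapse to one line."""
    groups: Dict[tuple, set] = {}
    for ev in events:
        groups.setdefault((ev.signature_id, triage(ev)), set()).add(ev.src_ip)
    return {k: sorted(v) for k, v in groups.items()}


# Constructed from the first post's e-mail; the destination address is a placeholder.
SAMPLE_EMAIL = """\
Intrusion Prevention Alert
Message........: BROWSER-IE Microsoft Edge App-v vbs command attempt
Details........: https://www.snort.org/search?query=48053
Packet dropped.: yes
Classification.: Attempted User Privilege Gain
Source IP address: 8.241.45.126
Source port: 80 (http)
Destination IP address: 10.0.0.25
Destination port: 50027
"""

# Abridged from the last post's IDP line; firewall and WSUS addresses are placeholders.
SAMPLE_IDP_LOG = (
    '2020-06-17 10:18:19 Daemon.Warning 10.0.0.1 device="SFW" date=2020-06-17 '
    'time=10:18:19 timezone="CEST" log_type="IDP" log_subtype="Drop" '
    'user_name="" signature_id=39466 signature_msg="FILE-EXECUTABLE Symantec '
    'Norton Security IDSvix86 out of bounds read attempt" rule_priority=2 '
    'src_ip=93.184.221.240 (unresolved) src_country_code=GBR dst_ip=10.0.0.25 '
    'protocol="TCP" src_port=80 dst_port=58792 target="Client"'
)

if __name__ == "__main__":
    events = [parse_email_alert(SAMPLE_EMAIL), parse_idp_log(SAMPLE_IDP_LOG)]
    for (sid, verdict), ips in summarize(events).items():
        print(f"SID {sid}: {verdict:15} {len(ips)} source(s): {', '.join(ips)}")
```

A "server-reply" verdict does not prove the traffic benign; it tells you which questions to ask next: who owns the source address (the posters above resolved theirs to Akamai and Level 3 ranges), and whether the timestamps line up with the WSUS synchronisation window and the update that would not download. Only then scope an exception to that signature for the WSUS host, as Dirk did for rule 48053, rather than switching the rule off for the whole network.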