IPS alert every 5 minutes

Hello,

Our company is getting an IPS alert every 5 minutes (it started on 12.5.2020, but our mail gateway blocked delivery of the alert messages). There are different source IP addresses (84 IP addresses in total, from GB, the USA and the EU), but the destination is always the same - our WSUS server.

We used Sophos Virus Removal Tool on that server and it finished OK - no threats found.

What could this mean? Should we be worried? What should we check?

Intrusion Prevention Alert

An intrusion has been detected. The packet has been dropped automatically.
You can toggle this rule between "drop" and "alert only" in WebAdmin.

Details about the intrusion alert:

Message........: BROWSER-IE Microsoft Edge App-v vbs command attempt
Details........: https://www.snort.org/search?query=48053
Time...........: 2020-05-21 10:10:46
Packet dropped.: yes
Priority.......: high
Classification.: Attempted User Privilege Gain
IP protocol....: 6 (TCP)

Source IP address: 8.241.45.126
Source port: 80 (http)
Destination IP address: ***
Destination port: 50027
--
System Uptime      : 34 days 15 hours 1 minute
System Load        : 0.31
System Version     : Sophos UTM 9.703-2

Please refer to the manual for detailed instructions.
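As an added example (not part of the original thread or of Sophos UTM), here is a short Python triage script that parses the alert e-mail text quoted above and extracts what actually decides the question in this thread: the Snort rule SID, how many distinct sources there are, and the direction of the dropped packets. Both alerts in the thread have source port 80 and a high destination port, which is what a web server's reply into a TCP connection the WSUS server itself opened looks like; the "attacker" is therefore the HTTP server the WSUS box was downloading from, and the content match is on the downloaded data. The ephemeral-port threshold (49152) and the verdict wording are assumptions of this example; the alert texts are the two quoted in the thread, with the masked destination IPs left masked.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Sample input: the two Sophos UTM alert e-mails quoted in this thread
# (destination IPs are masked in the thread and stay masked here; the
# second alert is cut down to its "Details" block).
ALERT_1 = """\
Intrusion Prevention Alert

An intrusion has been detected. The packet has been dropped automatically.

Details about the intrusion alert:

Message........: BROWSER-IE Microsoft Edge App-v vbs command attempt
Details........: https://www.snort.org/search?query=48053
Time...........: 2020-05-21 10:10:46
Packet dropped.: yes
Classification.: Attempted User Privilege Gain

Source IP address: 8.241.45.126
Source port: 80 (http)
Destination IP address: ***
Destination port: 50027
"""

ALERT_2 = """\
Message........: BROWSER-IE Microsoft Edge App-v vbs command attempt
Details........: https://www.snort.org/search?query=48053
Time...........: 2020-05-25 07:30:58
Packet dropped.: yes
Source IP address: 67.27.235.126
Source port: 80 (http)
Destination IP address: *
Destination port: 59849
"""

# Matches "Key.......: value", "Key: value" and "Key      : value" lines.
FIELD_RE = re.compile(r"^([A-Za-z][A-Za-z ]*?)\.*\s*:\s*(.*)$")

WELL_KNOWN_MAX = 1023   # server-side service ports (80, 443, ...)
EPHEMERAL_MIN = 49152   # assumption: IANA / Windows Vista+ dynamic client range
                        # (older Windows used 1025-5000; adjust for such hosts)


@dataclass
class IpsAlert:
    sid: Optional[int]
    message: str
    time: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    dropped: bool


def parse_alert(text: str) -> IpsAlert:
    """Pull the decision-relevant fields out of one UTM alert e-mail."""
    fields = {}
    for line in text.splitlines():
        m = FIELD_RE.match(line.strip())
        if m:
            fields[m.group(1).strip().lower()] = m.group(2).strip()
    sid = re.search(r"query=(\d+)", fields.get("details", ""))
    port = lambda v: int(v.split()[0])          # "80 (http)" -> 80
    return IpsAlert(
        sid=int(sid.group(1)) if sid else None,
        message=fields.get("message", ""),
        time=fields.get("time", ""),
        src_ip=fields["source ip address"],
        src_port=port(fields["source port"]),
        dst_ip=fields["destination ip address"],
        dst_port=port(fields["destination port"]),
        dropped=fields.get("packet dropped", "").lower() == "yes",
    )


def is_reply_traffic(a: IpsAlert) -> bool:
    """Service source port + ephemeral destination port = a server's answer inside
    a TCP connection the *destination* host opened. Source ports can be forged on
    unsolicited packets, so treat this as a strong hint, not proof."""
    return a.src_port <= WELL_KNOWN_MAX and a.dst_port >= EPHEMERAL_MIN


def triage(alerts):
    """Summarise a batch of alerts that share one destination host."""
    sids = {a.sid for a in alerts}
    reply = all(is_reply_traffic(a) for a in alerts)
    if len(sids) == 1 and reply:
        verdict = ("all hits are one rule firing on server replies to connections the "
                   "destination opened: consistent with a content match on downloaded "
                   "data (here Windows Update via WSUS), not with an inbound attack")
    elif reply:
        verdict = "server replies matching several rules: review each SID on its own"
    else:
        verdict = "unsolicited inbound packets: treat as a real probe until shown otherwise"
    return {
        "sids": sids,
        "distinct_sources": len({a.src_ip for a in alerts}),
        "likely_reply_traffic": reply,
        # a dropped reply breaks the client's download, which is what the WSUS
        # console reports as "update is not downloaded yet"
        "download_impacted": reply and all(a.dropped for a in alerts),
        "verdict": verdict,
    }
```

Run it as `triage([parse_alert(ALERT_1), parse_alert(ALERT_2)])`. Treat the direction hint as a pointer to the next check rather than the conclusion: the Intrusion Prevention log entries on the UTM and the download status in the WSUS console at the same timestamps should agree before a rule exception is created, and the exception should be scoped to the WSUS host rather than disabling SID 48053 for the whole network.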

  • In reply to PatrickLee:

    Hi, thanks. It looks like a false positive in our case too; it looks like our WSUS is trying to download update KB4556799 (released 12.5.2020) and can't. It says "update is not downloaded yet" in the WSUS console... I know I can disable the rule manually on the UTM, but since I'm not 100% sure, I won't (and I also guess the rule was created for some other legitimate attack, so I don't want to disable it completely).

  • In reply to Jan Novak:

    Because we are sure this is a false positive, we create a temporary IPS exception for Rule 48053 at our customers.

  • In reply to dirkkotte:

    This problem no longer exists.

    Cheers - Bob

  • In reply to BAlfson:

    Hello,

    Well, it still exists for us.

    Intrusion Prevention Alert

    An intrusion has been detected. The packet has been dropped automatically.
    You can toggle this rule between "drop" and "alert only" in WebAdmin.

    Details about the intrusion alert:

    Message........: BROWSER-IE Microsoft Edge App-v vbs command attempt
    Details........: https://www.snort.org/search?query=48053
    Time...........: 2020-05-25 07:30:58
    Packet dropped.: yes
    Priority.......: high
    Classification.: Attempted User Privilege Gain
    IP protocol....: 6 (TCP)

    Source IP address: 67.27.235.126
    Source port: 80 (http)
    Destination IP address: *
    Destination port: 59849
    --
    System Uptime      : 3 days 10 hours 23 minutes
    System Load        : 0.52
    System Version     : Sophos UTM 9.703-3

    Please refer to the manual for detailed instructions.

  • In reply to Jan Novak:

    Ahoj Jan and welcome to the UTM Community!

    This is not a false alarm.  I would urge you to forward that to ipaddressing@level3.com along with the corresponding line from the Intrusion Prevention log.  Remember to include your time zone - CEST (UTC+0200)?

    Cheers - Bob