This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

IPS alert every 5 minutes

Hello,

our company is getting IPS alert every 5 minutes (it started 12.5.2020, but our mail gateway blocked delivery of alert messages). There are different source ip addresses (total 84 IP adresses from GB, USA and EU), but destination is always the same - our WSUS server.

We used Sophos Virus Removal Tool on that server and it finished OK - no threats found.

 

What could this mean? Should we be worried? What should we check?

 

 

Intrusion Prevention Alert

An intrusion has been detected. The packet has been dropped automatically.
You can toggle this rule between "drop" and "alert only" in WebAdmin.

Details about the intrusion alert:

Message........: BROWSER-IE Microsoft Edge App-v vbs command attempt
Details........: https://www.snort.org/search?query=48053
Time...........: 2020-05-21 10:10:46
Packet dropped.: yes
Priority.......: high
Classification.: Attempted User Privilege Gain
IP protocol....: 6 (TCP)

Source IP address: 8.241.45.126
Source port: 80 (http)
Destination IP address: ***
Destination port: 50027
       
--
System Uptime      : 34 days 15 hours 1 minute
System Load        : 0.31
System Version     : Sophos UTM 9.703-2

Please refer to the manual for detailed instructions.



This thread was automatically locked due to age.
Parents Reply
  • Hi, thanks. Looks like false positive in our case too, looks like our WSUS is trying to download update KB4556799 (released 12.5.2020) and cant - It says "update is not downloaded yet" on WSUS console... I know I can disable rule manually on UTM, but since Im not 100% sure I wont (and also I guess the rule was created on some other legitimate attack, so I dont want to disable it completely)

Children
  • Because we are sure this is a false positive, we create a temporary IPS exception for Rule 48053 at our customers.

     


    Dirk

    Systema Gesellschaft für angewandte Datentechnik mbH  // Sophos Platinum Partner
    Sophos Solution Partner since 2003
    If a post solves your question, click the 'Verify Answer' link at this post.

  • This problem no longer exists.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Hello,

    well it still exist at us.

     

     

    Intrusion Prevention Alert

    An intrusion has been detected. The packet has been dropped automatically.
    You can toggle this rule between "drop" and "alert only" in WebAdmin.

    Details about the intrusion alert:

    Message........: BROWSER-IE Microsoft Edge App-v vbs command attempt
    Details........: https://www.snort.org/search?query=48053
    Time...........: 2020-05-25 07:30:58
    Packet dropped.: yes
    Priority.......: high
    Classification.: Attempted User Privilege Gain
    IP protocol....: 6 (TCP)

    Source IP address: 67.27.235.126
    Source port: 80 (http)
    Destination IP address: *
    Destination port: 59849
           
    --
    System Uptime      : 3 days 10 hours 23 minutes
    System Load        : 0.52
    System Version     : Sophos UTM 9.703-3

    Please refer to the manual for detailed instructions.

  • Ahoj Jan and welcome to the UTM Community!

    This is not a false alarm.  I would urge you to forward that to ipaddressing@level3.com along with the corresponding line from the Intrusion Prevention log.  Remember to include your time zone - CEST (UTC+0200)?

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • We saw this again for an hour and a quarter this morning at a client's site on the West Coast.  Requests were to several Akamai IPS: 23.194.213.144, 23.194.213.153 & 23.194.213.154.  The last false positive was at 07:28:24 USA PDT (UTC-0700).  I assume that Sophos now has an automated alert in place to fix such misclassifications faster than the problem last month.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA