Hello,
our company is getting IPS alert every 5 minutes (it started 12.5.2020, but our mail gateway blocked delivery of alert messages). There are different source ip addresses (total 84 IP adresses from GB, USA and EU), but destination is always the same - our WSUS server.
We used Sophos Virus Removal Tool on that server and it finished OK - no threats found.
What could this mean? Should we be worried? What should we check?
Intrusion Prevention Alert
An intrusion has been detected. The packet has been dropped automatically.
You can toggle this rule between "drop" and "alert only" in WebAdmin.
Details about the intrusion alert:
Message........: BROWSER-IE Microsoft Edge App-v vbs command attempt
Details........: https://www.snort.org/search?query=48053
Time...........: 2020-05-21 10:10:46
Packet dropped.: yes
Priority.......: high
Classification.: Attempted User Privilege Gain
IP protocol....: 6 (TCP)
Source IP address: 8.241.45.126
Source port: 80 (http)
Destination IP address: ***
Destination port: 50027
--
System Uptime : 34 days 15 hours 1 minute
System Load : 0.31
System Version : Sophos UTM 9.703-2
Please refer to the manual for detailed instructions.
This thread was automatically locked due to age.
