This discussion has been locked.

You can no longer post new replies to this discussion. If you have a question you can start a new discussion

IPS alert every 5 minutes

Hello,

our company is getting IPS alert every 5 minutes (it started 12.5.2020, but our mail gateway blocked delivery of alert messages). There are different source ip addresses (total 84 IP adresses from GB, USA and EU), but destination is always the same - our WSUS server.

We used Sophos Virus Removal Tool on that server and it finished OK - no threats found.

What could this mean? Should we be worried? What should we check?

Intrusion Prevention Alert

An intrusion has been detected. The packet has been dropped automatically.
You can toggle this rule between "drop" and "alert only" in WebAdmin.

Details about the intrusion alert:

Message........: BROWSER-IE Microsoft Edge App-v vbs command attempt
Details........: https://www.snort.org/search?query=48053
Time...........: 2020-05-21 10:10:46
Packet dropped.: yes
Priority.......: high
Classification.: Attempted User Privilege Gain
IP protocol....: 6 (TCP)

Source IP address: 8.241.45.126
Source port: 80 (http)
Destination IP address: ***
Destination port: 50027

--
System Uptime : 34 days 15 hours 1 minute
System Load : 0.31
System Version : Sophos UTM 9.703-2

Please refer to the manual for detailed instructions.

This thread was automatically locked due to age.

Parents

0 Jan Novak over 3 years ago

Today is the first day when the alerts stopped ariving. I dont know why, maybe because there are new updates from Microsoft...
Cancel
Vote Up 0 Vote Down

Cancel
0 StefanVerbose over 3 years ago in reply to Jan Novak
Hi all,

Unfortunuatly the problem still persists at my side. This started 29-05. When synchronizing WSUS im getting the following IDP warnings every few minutes:

2020-06-17 10:18:19 Daemon.Warning [firewall IP] device="SFW" date=2020-06-17 time=10:18:19 timezone="CEST" device_name="SG330" device_id=[device ID] log_id=020804407002 log_type="IDP" log_component="Signatures" log_subtype="Drop" priority=Warning idp_policy_id=5 fw_rule_id=57 user_name="" signature_id=39466 signature_msg="FILE-EXECUTABLE Symantec Norton Security IDSvix86 out of bounds read attempt" classification="Attempted Denial of Service" rule_priority=2 src_ip=93.184.221.240 (unresolved) src_country_code=GBR dst_ip=[local WSUS server] dst_country_code=R1 protocol="TCP" src_port=80 dst_port=58792 platform="Windows" category="file-executable" target="Client"

Im getting the warnings with the following source IP's and domain names:

xxxx.deploy.static.akamaitechnologies.com)

xxxx.routit.net)

map2.hwcdn.net

And more.

Already updated the patterns, WSUS on Windows Server 2019, Windows updates etc.

Has anyone already find a solution for this?
Cancel
Vote Up 0 Vote Down

Cancel

Reply

0 StefanVerbose over 3 years ago in reply to Jan Novak
Hi all,

Unfortunuatly the problem still persists at my side. This started 29-05. When synchronizing WSUS im getting the following IDP warnings every few minutes:

2020-06-17 10:18:19 Daemon.Warning [firewall IP] device="SFW" date=2020-06-17 time=10:18:19 timezone="CEST" device_name="SG330" device_id=[device ID] log_id=020804407002 log_type="IDP" log_component="Signatures" log_subtype="Drop" priority=Warning idp_policy_id=5 fw_rule_id=57 user_name="" signature_id=39466 signature_msg="FILE-EXECUTABLE Symantec Norton Security IDSvix86 out of bounds read attempt" classification="Attempted Denial of Service" rule_priority=2 src_ip=93.184.221.240 (unresolved) src_country_code=GBR dst_ip=[local WSUS server] dst_country_code=R1 protocol="TCP" src_port=80 dst_port=58792 platform="Windows" category="file-executable" target="Client"

Im getting the warnings with the following source IP's and domain names:

xxxx.deploy.static.akamaitechnologies.com)

xxxx.routit.net)

map2.hwcdn.net

And more.

Already updated the patterns, WSUS on Windows Server 2019, Windows updates etc.

Has anyone already find a solution for this?
Cancel
Vote Up 0 Vote Down

Cancel

Children

No Data