This discussion has been locked.

You can no longer post new replies to this discussion. If you have a question you can start a new discussion

IPS not blocking some attacks

We have a client that is getting hit with a bunch of random attacks lately. They have Symantec Endpoint Protection installed and are getting a ton of popups.

One example is: PHP CGI CVE-2012-1823

Another is Web Attack: Muieblackcat Scanner Request

I have everything enabled under IPS under the Attack Patterns tab but I do not see anywhere to block this specific attack. Is there a way to add these in?

Thanks!

This thread was automatically locked due to age.

0 sachingurung over 6 years ago

Hi Joeseiler,

If you don't see the signature pattern listed then please raise it to support to query the Labs.

Thanks

Sachin Gurung
Team Lead | Sophos Technical Support
Knowledge Base | @SophosSupport | Video tutorials
Remember to like a post. If a post (on a question thread) solves your question use the 'This helped me' link.
Cancel
Vote Up 0 Vote Down

Cancel
0 darrellr over 6 years ago

Being such an old attack (2012 according to the CVE) the recommended settings would not be triggered anyway. I would not depend on the UTM for ALL IDS/IPS needs, if you need to be alerted to scanning attempts for very old stuff like that. I would offload to a standalone IDS/IPS instead.
Cancel
Vote Up 0 Vote Down

Cancel
0 ManuelKarl over 6 years ago

What is your "rule age"-setting set to?

Are all groups configured to "no time limit"?

Maybe on the last tab (advanced) you can add "activate file related patterns".
Cancel
Vote Up 0 Vote Down

Cancel