Important note about SSL VPN compatibility for 20.0 MR1 with EoL SFOS versions and UTM9 OS. Learn more in the release notes.

Thread Info
  • State Verified Answer
  • Locked Locked
  • Replies 6 replies
  • Answers 1 answer
  • Subscribers 40 subscribers
  • Views 23518 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

IPS alerts - Have I to be concerned?

FormerMember
FormerMember

Hi,

 

since I am using XG, I'am getting always IPS alerts, and I am concerned about, because I don't know the reason of these alerts.

Are IPS alerts a alert about accessing websites with vulnerabilities or outdated software, or means an IPS alert, that my Network is attacked?

Here are some IPS alerts, wich I always get:

 

 

Have I to be concerned about these alerts, or is it "normal" to get everyday IPS alerts?

 

Regards Meghan

 

 

P.S. I am using lantowan_general IPS policy of XG



This thread was automatically locked due to age.
Parents Reply Children
  • FormerMember
    0 FormerMember in reply to lferrara

    Hi,

     

    today i've got a few new IPS alerts, and I'am not sure what I should do as countermeasure:

    I've looked up the source IP addresses, and thay are listed as Amazon S3 AWS Server, but the IP Lookup tool says that the DNS is broken.

    The strange thing is, that I don't have any Servers, only 2 Windows Clients, one of them is reported as victim, is it possible that Server attacks are running on an Client?

    What could I do as countermeasure? I have already changed the public IP.

     

    Thanks in advance Meghan

     

  • +1 in reply to FormerMember

    Hi Meghan,

    What you're about to embark upon is a process known as "IPS Tuning".

    This requires a fair amount of research on your part, but it's something that is extremely worthwhile and rewarding.

    1. First off, one of the best pieces of advice that I can offer is "get to know your network".

    • Make a list of all of the devices in the network.
    • Write down what services are running on them.
    • Are any of these devices internet facing? If so, write down which ports they use.
    • Write down version and patching numbers - keep this list up-to-date.

    Now you have this list you should begin to understand what's on your network a bit better.

    2. Secondly, what you need to do is start looking at IPS rules that are not relevant to your estate. Some examples of obvious false positives using the above collected information:

    • If the IPS has a rule that looks for a vulnerability in an Apache web server, but you don't have any Apache web servers installed on your estate, you should go and turn them off.
    • Another example is that, if a vulnerability affects Windows XP, but you only have Windows 10 devices, then these can also be filtered out.
    • If the vulnerability is from January 2017, but you patched the affected software to the latest version in July 2017, then these can also be filtered out. This one is a bit more complicated because you have to ensure that the vulnerability has been patched. You can generally find this out by researching the vulnerability and reading release notes for patches.

    What is important, however, is to ensure that you keep a list of rules that you've turned off in case that you decide to install a service later on.

    This now allows you to only have IPS alerts that affect your estate.

    3. Investigating these alerts to find out if they have affected systems is another level of complexity entirely, but I will endeavor to help you if I have the time. For this you need to be capturing the packets across the network and using log data for analysis. If you have the time and experience I would recommend building a server and implementing some form of SIEM tool. I can recommend OSSIM as a free tool for this. What this will do, in its basic form, is collect all of the log data from all of your devices on the network. This makes searching for information or evidence of vulnerability exploitation much easier because it all happens in the same place. More advanced uses include writing correlation rules and real-time monitoring, but for now getting your logs centralised into one place will be really useful.

    4. So for your question above, what is "victim" address? What services are installed on it? Does it have a HTTP server installed? Also, I've noticed a lot of people redacting information such as IP addresses on this page and I'm not really sure why. 192.168 addresses are private addresses and so can't be accessed across the internet. The one IP that you do want to redact is your public-facing IP address - as in what IP your ISP has issued you.

    Anyway, I hope I've helped!

  • FormerMember
    0 FormerMember in reply to RichardHill

    Hi Richard,

     

    thank you so much for your long and very helpful answer!

    The "victim" address is the one of my Windows 10 client, and there is no HTTP Server installed on.

    Thanks for the Information about redacting IP addresses too.

     

    Do you mean devices that are accessable across Internet or devices that can Access Internet with "devices that are Internet facing"?

     

    I am able to install the OSSIM in a virtual machine, or does it have to be installed on a hardware server?

     

    Thank you for help!

     

    Regards Meghan

  • 0 in reply to FormerMember

    Hi Meghan,

    Sorry I'm late. Had a busy weekend boarding my loft up!

    If there is no HTTP server on it then it would seem that you don't need to be concerned about this device in particular. However, what I would say is; if you can get hold of the packets that caused this alert I could investigate them and give you more of an answer. Just because the attacks aren't going to be successful against a device doesn't mean that you should just put up with the traffic. There's a reason why these are being triggered. It could be that the signature is alerting when it shouldn't be - this indicates that it is a "proper" false positive which can be stopped via tuning/disabling the signature (most likely option). But it could also mean that the traffic is genuine attempts at brute forcing - which is obviously of concern and will require you to carry out investigation into the sources and maybe more measure.

    By "internet facing" what I mean is devices that other people on the internet can access. e.g. if you have a web site on your network that general internet users can access.

    On a VM is absolutely fine. I have mine on there. Out of interest; is this your home network or a production on?

    Cheers,

    Rich

Unfiltered HTML