I realize this one is pretty unique and probably tough to troubleshoot, but thought I'd share this for anyone else out there that might run into this issue. I've been getting IPS false positives with v19 EAP2 which I believe is coming from a custom component in Home Assistant called browser-mod. I have Home Assistant running on my mini PC home server (172.16.16.1) which has a firewall rule that allows it to communicate with two Amazon Fire HD 8 tablets (172.16.17.1 & 172.16.17.2) that I have wall mounted as a dashboard. Microsoft Edge doesn't exist on these devices and the browser being used to display the dashboards is through an app called Fully Kiosk which I believe uses the Chrome engine.
2022-02-12 15:55:58IPSmessageid="07002" log_type="IDP" log_component="Signatures" log_subtype="Drop" ips_policy="" ips_policy_id="13" fw_rule_id="19" fw_rule_name="Allow devices to Home Assistant" fw_rule_section="Local rule" user="" sig_id="9000310" message="BROWSER-IE Microsoft Edge CVE-2016-3386 Spread Operator Memory Corruption Attempt" classification="Attempted User Privilege Gain" rule_priority="2" src_ip="172.16.16.1" src_country="R1" dst_ip="172.16.17.2" dst_country="R1" protocol="TCP" src_port="8123" dst_port="52860" OS="Windows" category="browser-ie" victim="Client"
I only started receiving these with EAP2 and I've been running this Home Assistant setup with v18 (multiple versions) and v19 EAP1, so I'm not sure if something changed with the IPS definitions recently.
Added additional information.
[edited by: shred at 4:13 PM (GMT -8) on 12 Feb 2022]
