Intrusion protection alert SERVER-OTHER TRUFFLEHUNTER TALOS-2022-1679 attack attempt


Our Sophos UTM 9 (latest firmware 9.713-19) started to block backups of certain systems that always worked before.

2023:01:16-21:05:07 fwname snort[18187]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="drop" reason="SERVER-OTHER TRUFFLEHUNTER TALOS-2022-1679 attack attempt" group="500" srcip="SERVER1" dstip="FILESERVER" proto="6" srcport="59857" dstport="445" sid="60967" class="Attempted Denial of Service" priority="2" generator="1" msgid="0"

This is the only thing I can see in the logs. These backups have always worked before but now the Firewall keeps blocking them.

There is no information as to what is being blocked and I have found nothing about TRUFFLEHUNTER on the internet. I have also not found this rule id on the snort website.

Does anybody have any idea what is causing this? Could this be a false positive? The destination is always a fileserver, could it be a file on the fileserver? Is there a way to find out more details as to what exactly is being blocked?
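The UTM IPS log line quoted above is the only evidence available, so the first triage step is to read it systematically: pull the key="value" fields apart, separate the UTM message id (id="2101") from the Snort rule id (sid="60967"), and count which source/destination pairs the rule is actually dropping. The following script is an added example, not code from the original thread or from Sophos; the sample log lines are constructed for illustration (the first one is the line from the post, the others vary the host names and action), and the function names are my own.

```python
import re
from collections import Counter

# Sophos UTM writes IPS events as a timestamp/host/process prefix followed by
# key="value" pairs. This regex picks those pairs apart.
KV_RE = re.compile(r'(\w+)="([^"]*)"')

# Constructed sample lines. SERVER1, BACKUPSRV and FILESERVER are placeholders
# for hosts, as in the original post.
SAMPLE_LINES = [
    '2023:01:16-21:05:07 fwname snort[18187]: id="2101" severity="warn" sys="SecureNet" sub="ips" '
    'name="Intrusion protection alert" action="drop" reason="SERVER-OTHER TRUFFLEHUNTER TALOS-2022-1679 attack attempt" '
    'group="500" srcip="SERVER1" dstip="FILESERVER" proto="6" srcport="59857" dstport="445" sid="60967" '
    'class="Attempted Denial of Service" priority="2" generator="1" msgid="0"',
    '2023:01:16-21:07:12 fwname snort[18187]: id="2101" severity="warn" sys="SecureNet" sub="ips" '
    'name="Intrusion protection alert" action="drop" reason="SERVER-OTHER TRUFFLEHUNTER TALOS-2022-1679 attack attempt" '
    'group="500" srcip="SERVER1" dstip="FILESERVER" proto="6" srcport="59902" dstport="445" sid="60967" '
    'class="Attempted Denial of Service" priority="2" generator="1" msgid="0"',
    '2023:01:16-22:00:41 fwname snort[18187]: id="2101" severity="warn" sys="SecureNet" sub="ips" '
    'name="Intrusion protection alert" action="drop" reason="SERVER-OTHER TRUFFLEHUNTER TALOS-2022-1679 attack attempt" '
    'group="500" srcip="BACKUPSRV" dstip="FILESERVER" proto="6" srcport="50113" dstport="445" sid="60967" '
    'class="Attempted Denial of Service" priority="2" generator="1" msgid="0"',
    # Same rule, but only alerted (not dropped): excluded from the drop summary.
    '2023:01:16-22:03:05 fwname snort[18187]: id="2101" severity="warn" sys="SecureNet" sub="ips" '
    'name="Intrusion protection alert" action="alert" reason="SERVER-OTHER TRUFFLEHUNTER TALOS-2022-1679 attack attempt" '
    'group="500" srcip="BACKUPSRV" dstip="FILESERVER" proto="6" srcport="50120" dstport="445" sid="60967" '
    'class="Attempted Denial of Service" priority="2" generator="1" msgid="0"',
]


def parse_utm_ips_line(line):
    """Return a dict of the key="value" fields plus 'timestamp' and 'host' from the prefix."""
    prefix, sep, rest = line.partition("]: ")
    if not sep:
        # No recognisable prefix; treat the whole line as the field list.
        prefix, rest = "", line
    fields = dict(KV_RE.findall(rest))
    parts = prefix.split()  # e.g. ["2023:01:16-21:05:07", "fwname", "snort[18187]"]
    if len(parts) >= 2:
        fields["timestamp"] = parts[0]
        fields["host"] = parts[1]
    return fields


def summarize_drops(lines, sid=None):
    """Count dropped IPS events per (sid, srcip, dstip, dstport), optionally for one Snort sid."""
    counts = Counter()
    for line in lines:
        f = parse_utm_ips_line(line)
        if f.get("sub") != "ips" or f.get("action") != "drop":
            continue
        if sid is not None and f.get("sid") != sid:
            continue
        counts[(f["sid"], f["srcip"], f["dstip"], f["dstport"])] += 1
    return counts


def affected_sources(counts):
    """Sorted list of source hosts that had traffic dropped; the natural scope for an exemption."""
    return sorted({src for (_, src, _, _) in counts})


if __name__ == "__main__":
    for key, n in summarize_drops(SAMPLE_LINES).items():
        print(f"sid={key[0]} {key[1]} -> {key[2]}:{key[3]} dropped {n} time(s)")
    print("sources to review:", affected_sources(summarize_drops(SAMPLE_LINES)))
```

Run against the real UTM log (for example the lines from /var/log/ips.log piped into `summarize_drops`), the output tells you whether every drop is the same sid toward port 445 from a fixed set of backup hosts, which is what you would expect from a false positive on SMB backup traffic rather than from an attack, and it gives the exact source list if you decide to scope an IPS exemption narrowly instead of disabling the rule.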

  • Hello,

    Good day and thanks for reaching out to Sophos and hope you are well. 

    It seems this is a legitimate DoS attack as per Snort ID 2101:

    Kindly run a full scan on the end system/server and check if there's any possible infection. 

    If none is found and the issue still persists, I may recommend you open a support ticket for this to be further checked by an engineer accordingly. Kindly share the would-be case ID with us via DM or by replying to this thread so we can track progress on our end.

    Hope this helps, thanks for your time and patience and thank you for choosing Sophos.


    Raphael Alganes
    Community Support Engineer | Sophos Technical Support

  • Have you been able to resolve this issue?
    We have exactly the same problem, while creating backups from Windows 10 hosts with Veeam Agent for Windows installed to a volume on a Netapp CIFS-SVM.

  • No, unfortunately the Problem is still present, even after scanning all the affected Servers with Sophos Antivirus.

  • Hello and welcome to the UTM Community!

    I would run more than just Sophos AV. Does Malwarebytes or Kaspersky find anything on the server(s) sending the traffic?

    Cheers - Bob

    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Why would anybody in their right mind even mention Kaspersky, much less install it.

    We are in an enterprise environment, we cannot "just run a scan" with tools like Malwarebytes, it is only free for home users.

    And why does Sophos AV not find anything while Sophos Firewall says there is danger? The worst part of it is the lack of information, there is no indication as to where the danger / file is. One of the servers from where the blocked traffic is being sent is a Backup System Server, which means it's just blocking the backups and there is no way to set this one specific rule as an exception.

  • What is the OS of the system?

    And, why do you think that any anti-virus will stop this? This isn't a virus, this is a vulnerability exploit. Anti-virus doesn't normally affect DDoS-based exploits. That's partially due to an OS vulnerability coupled with a lack of patches applied.

    XG 19.5 GA 64-bit | Intel Xeon 4-core v3 1225 3.20Ghz
    16GB Memory | 500GB SSD HDD | GB Ethernet x5

  • Some are Windows Server 2019 and some are 2022. And I have not suggested it is a virus, my initial question was how do I find what it is, where it is and how to solve it. So far I have not been able to find anything out.

    As for patches, we are usually on the latest available patches and install updates regularly.

  • I am not entirely convinced that what was given as the Snort link is the correct answer here. For one, that's an old, old exploit. Second, looking on Talos' website (Cisco), that vulnerability is an Apple thing and a zero-day exploit.

    It doesn't appear that the information has been released yet to the public on it, and was only reported the first week of Dec 2022.

    XG 19.5 GA 64-bit | Intel Xeon 4-core v3 1225 3.20Ghz
    16GB Memory | 500GB SSD HDD | GB Ethernet x5

  • Yes, that is basically what I have found, but that information did not help me get to a solution.

    I thought it was weird that there would be anything Apple-related in a Windows environment, so I thought that information was something else.

    Also the Firewall seems to classify it as an "Attempted Denial of Service" which makes no sense to me.

  • I can confirm this affects Windows backups. vssFull backups appear to succeed but vssCopy and systemstate backups fail and an IP event is logged on the UTM.

    Rather than modify the rule, I added an exemption skipping Intrusion Protection coming from affected backup clients. I'm unsure which is the better choice, tbh, but my backups are working again...