Intrusion protection alert SERVER-OTHER TRUFFLEHUNTER TALOS-2022-1679 attack attempt

Hello,

our Sophos UTM 9 (latest firmware 9.713-19) started to block backups of certain systems that always worked before.

2023:01:16-21:05:07 fwname snort[18187]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="drop" reason="SERVER-OTHER TRUFFLEHUNTER TALOS-2022-1679 attack attempt" group="500" srcip="SERVER1" dstip="FILESERVER" proto="6" srcport="59857" dstport="445" sid="60967" class="Attempted Denial of Service" priority="2" generator="1" msgid="0"

This is the only thing I can see in the logs. These backups have always worked before, but now the firewall keeps blocking them.

There is no information as to what is being blocked, and I have found nothing about TRUFFLEHUNTER on the internet. I have also not found this rule ID on the Snort website.

Does anybody have any idea what is causing this? Could this be a false positive? The destination is always a fileserver; could it be a file on the fileserver? Is there a way to find out more details as to what exactly is being blocked?
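A first step toward the "more details" the post asks for is to read the fields the UTM IPS line already carries. The following is an added example, not code from the original thread or from Sophos: it parses UTM 9 `snort[...]` log lines of the shape shown above into their key="value" fields, builds the snort.org rule-docs URL from the `generator` and `sid` fields (the `id="2101"` field is the UTM log-message id, the Snort signature id is `sid`), and flags a drop as a candidate false positive when the source/destination/port triple matches a known backup flow. The second sample line and the `expected_flows` set are constructed for the example; the host names are the placeholders from the post.

```python
import re
from collections import Counter

PROTO_NAMES = {"1": "icmp", "6": "tcp", "17": "udp"}

# Constructed sample input: the first line is the one from the post (host names
# are placeholders), the second is a hypothetical repeat from another backup client.
SAMPLE_LINES = [
    '2023:01:16-21:05:07 fwname snort[18187]: id="2101" severity="warn" sys="SecureNet" '
    'sub="ips" name="Intrusion protection alert" action="drop" '
    'reason="SERVER-OTHER TRUFFLEHUNTER TALOS-2022-1679 attack attempt" group="500" '
    'srcip="SERVER1" dstip="FILESERVER" proto="6" srcport="59857" dstport="445" '
    'sid="60967" class="Attempted Denial of Service" priority="2" generator="1" msgid="0"',
    '2023:01:16-21:05:09 fwname snort[18187]: id="2101" severity="warn" sys="SecureNet" '
    'sub="ips" name="Intrusion protection alert" action="drop" '
    'reason="SERVER-OTHER TRUFFLEHUNTER TALOS-2022-1679 attack attempt" group="500" '
    'srcip="SERVER2" dstip="FILESERVER" proto="6" srcport="49012" dstport="445" '
    'sid="60967" class="Attempted Denial of Service" priority="2" generator="1" msgid="0"',
]

# "<timestamp> <hostname> snort[<pid>]: <key="value" ...>"
HEADER_RE = re.compile(r'^(\S+)\s+(\S+)\s+snort\[(\d+)\]:\s*(.*)$')
# Quoted values may contain spaces (name="Intrusion protection alert"), so match
# everything up to the closing quote rather than splitting on whitespace.
KV_RE = re.compile(r'(\w+)="([^"]*)"')


def parse_utm_ips_line(line):
    """Return the UTM IPS event as a dict of its fields plus timestamp/host/pid."""
    m = HEADER_RE.match(line.strip())
    if not m:
        raise ValueError("not a UTM snort log line: %r" % line[:60])
    ts, host, pid, rest = m.groups()
    event = {"timestamp": ts, "host": host, "pid": int(pid)}
    event.update(dict(KV_RE.findall(rest)))
    for required in ("sid", "generator", "srcip", "dstip", "dstport", "action"):
        if required not in event:
            raise ValueError("missing field %s" % required)
    return event


def snort_rule_doc_url(event):
    """snort.org documents a rule as <generator id>-<signature id>."""
    return "https://www.snort.org/rule_docs/%s-%s" % (event["generator"], event["sid"])


def triage(event, expected_flows):
    """Classify one dropped event against a set of (srcip, dstip, dstport) flows
    that the operator knows to be legitimate (here: scheduled backup jobs)."""
    flow = (event["srcip"], event["dstip"], int(event["dstport"]))
    known = flow in expected_flows
    dropped = event["action"] == "drop"
    if known and dropped:
        verdict = "candidate-false-positive"   # known job hit by a drop: review the rule
    elif dropped:
        verdict = "investigate"                # unexpected flow: treat as a real alert
    else:
        verdict = "logged-only"
    proto = PROTO_NAMES.get(event.get("proto", ""), event.get("proto", "?"))
    return {
        "snort_sid": event["sid"],
        "utm_message_id": event.get("id"),
        "rule_doc": snort_rule_doc_url(event),
        "flow": "%s:%s -> %s:%s/%s" % (event["srcip"], event.get("srcport", "?"),
                                       event["dstip"], event["dstport"], proto),
        "known_flow": known,
        "verdict": verdict,
    }


def summarize(lines):
    """Count events per (sid, srcip, dstip, dstport) to see whether a signature
    fires only on the backup flows or more broadly."""
    counts = Counter()
    for line in lines:
        e = parse_utm_ips_line(line)
        counts[(e["sid"], e["srcip"], e["dstip"], e["dstport"])] += 1
    return counts


if __name__ == "__main__":
    # Constructed allow-list: the backup job the post describes.
    expected_flows = {("SERVER1", "FILESERVER", 445)}
    for line in SAMPLE_LINES:
        print(triage(parse_utm_ips_line(line), expected_flows))
    for key, n in summarize(SAMPLE_LINES).items():
        print(key, n)
```

The `rule_doc` URL is the page to read for the signature's own description; the `summarize` counter over a day of IPS log is what tells you whether the signature fires only on the backup traffic (which is what an exception for that rule and flow pair should be scoped to) or on other SMB sessions as well.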



This thread was automatically locked due to age.
  • Hello,

    Good day and thanks for reaching out to Sophos; hope you are well.

    It seems this is a legitimate DoS attack as per Snort ID 2101: https://www.snort.org/rule_docs/1-2101

    Kindly run a full scan on the end system/server and check if there is any possible infection.

    If none is found and the issue still persists, I may recommend you open a support ticket for this to be further checked by an engineer. Kindly share the would-be case ID with us via DM or by replying to this thread so we can track progress on our end.

    Hope this helps; thanks for your time and patience, and thank you for choosing Sophos.

    Cheers,

    Raphael Alganes
    Community Support Engineer | Sophos Technical Support
