This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Intrusion protection alert SERVER-OTHER TRUFFLEHUNTER TALOS-2022-1679 attack attempt

Hello,

our Sophos UTM 9 ( latest firmware 9.713-19 ) started to block backups of certain systems that always worked before.

2023:01:16-21:05:07 fwname snort[18187]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="drop" reason="SERVER-OTHER TRUFFLEHUNTER TALOS-2022-1679 attack attempt" group="500" srcip="SERVER1" dstip="FILESERVER" proto="6" srcport="59857" dstport="445" sid="60967" class="Attempted Denial of Service" priority="2" generator="1" msgid="0"

This is the only thing I can see in the logs. These backups have always worked before but now the Firewall keeps blocking them.

There is no information as to what is being blocked and I have found nothing about TRUFFLEHUNTER on the internet. I have also not found this rule id on the snort website.

Does anybody have any idea what is causing this ? Could this is a false positive ? The destination is always a fileserver, could it be a file on the fileserver ? Is there a way to find out more details as to what exactly is being blocked ? 



This thread was automatically locked due to age.
Parents
  • Have you been able to resolve this issue?
    We have exactly the same problem, while creating backups from Windows 10 hosts with Veeam Agent for Windows installed to a volume on a Netapp CIFS-SVM.

  • Hallo and welcome to the UTM Community!

    I would run more than just Sophos AV.  Does Malwarebytes or Kaspersky,find anything on the server(s) sending the traffic?

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Why would anybody in their right mind even mention Kaspersky, much less install it.

    We are in an enterprise Environment, we cannot "just run a scan" with tools like Malwarebytes, it is only free for home users.

    And why does Sophos AV not find anything while Sophos Firewall says there is danger. The worst part of it is the lack of information, there is no indication as to where the danger / file is. One of the servers from where the blocked traffic is being sent is a Backup System Server. Which means its just blocking the Backups and there is no way to set this one specific rule as an exception.

  • What is the OS of the system?

    And, why do you think that any anti-virus will stop this?  This isn't a virus, this is a vulnerability exploit.  Anti-virus doesn't normally affect DDoS based exploits.  That's partially due to an OS vulnerability coupled with a lack of patches applied.

    OPNSense 64-bit | Intel Xeon 4-core v3 1225 3.20Ghz
    16GB Memory | 500GB SSD HDD | ATT Fiber 1GB
    (Former Sophos UTM Veteran, Former XG Rookie)

  • Some are Windows Server 2019 and some are 2022. And I have not suggested it is a virus, my initial question was how do I find what it is, where it is and how to solve it. So far I have not been able to find anything out.

    As for patches, we usually are always on the latest available patches and install updates regularly.

  • I am not entirely convinced that what was given as the Snort link is the correct answer here.  For one, that's an old, old exploit.  Second, looking on Talos' website (Cisco), that vulnerability is an Apple thing and a Zero-day exploit.

    It doesn't appear that the information has been released yet to the public on it, and was only reported the first week of Dec 2022.

    OPNSense 64-bit | Intel Xeon 4-core v3 1225 3.20Ghz
    16GB Memory | 500GB SSD HDD | ATT Fiber 1GB
    (Former Sophos UTM Veteran, Former XG Rookie)

  • Yes that is basically what I have found, but that information did not help me get to a solution.

    I thought it was weird that there would be anything Apple related in a Windows Environment, so I thought that information was something else.

    Also the Firewall seems to classify it as an "Attempted Denial of Service" which makes no sense to me.

Reply
  • Yes that is basically what I have found, but that information did not help me get to a solution.

    I thought it was weird that there would be anything Apple related in a Windows Environment, so I thought that information was something else.

    Also the Firewall seems to classify it as an "Attempted Denial of Service" which makes no sense to me.

Children
No Data