Thread Info
  • State Not Answered
  • Locked Locked
  • Replies 6 replies
  • Subscribers 5 subscribers
  • Views 1015 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Receiving IPS alerts (2-3 times /day). Usually from the same IP address (sometimes from one within the same range), but content is the same

DavidBurakoff 
Intrusion Prevention Alert

An intrusion has been detected. The packet has *not* been dropped.
If you want to block packets like this one in the future,
set the corresponding intrusion protection rule to "drop" in WebAdmin.
Be careful not to block legitimate traffic caused by false alerts though.

Details about the intrusion alert:

Message........: MALWARE-OTHER Win.Malware.Ursu-9821797-0 download attempt
Details........: https://www.snort.org/search?query=56912
Time...........: 2021-02-12 02:00:32
Packet dropped.: no
Priority.......: high
Classification.: A Network Trojan was Detected
IP protocol....: 6 (TCP)

Source IP address: 184.150.154.11 
Source port: 80 (http)
Destination IP address: xxx.xx.xx.xxx 
Destination port: 51576


I checked the settings in IPS attack patterns, and all rules are set to "drop"
Firewall log:
2021:02:12-02:00:29 athens snort[29360]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="alert" reason="MALWARE-OTHER Win.Malware.Ursu-9821797-0 download attempt" group="500" srcip="184.150.154.11" dstip="xxx.xx.xx.xxx" proto="6" srcport="80" dstport="51576" sid="56912" class="A Network Trojan was Detected" priority="1" generator="1" msgid="0"
I was getting fed up with the messages (figuring they were either false positives or some script kiddie), so I put in a firewall rule in the the hopes of ridding my self of the repeated messages.
Bell-AS577 = 184.15.128.0/18
The messages continue.  Anyone with sage advice?


This thread was automatically locked due to age.
  • 0

    first: The FW-Rule don't match, because the session is established from internal and is written to the session table.
    If there is a session-entry at the session-table no more FW-rules are evaluated.
    So you can't block the traffic this way. Possible you can block the session-initiation by using Bell-AS577 as destination.

    As I said, a response packet is blocked. Access is initiated from your network.
    You should try to find the source of communication.
    It is also important whether the attempt at communication takes place regularly / repeatedly.
    Possible "every time the user starts his PC", every 4 hours, same times every day.
    It may be a false positive .. A regular app may try to reach his update-server.
    The answer you will find within Firewall- or WebFilter-Log.


    Dirk

    Systema Gesellschaft für angewandte Datentechnik mbH  // Sophos Platinum Partner
    Sophos Solution Partner since 2003
    If a post solves your question, click the 'Verify Answer' link at this post.

  • 0

    "Source port: 80 (http)"

    Looks like a response to a request sent by one of the computers behind the UTM.  If you can't identify which one is sending the request, you'll want to scan all your devices to find which one is infected.

    Good luck!

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • 0

    Have to agree with both answers; the problem lies within the network.  It would be nice if the log could reveal the intermediate network address. All internal workstations have Sophos Intercept X installed, so low (but not impossible) likelihood that the problem rests there.  It's probably a remote user.  The kind of user who assures you that they have a reliable anti-virus on their machine, but are lying in order to save 20-30 bucks a year.  We're having an external security audit within the next week, so I'll find out who the culprit is (I have suspects in mind).

  • 0 in reply to DavidBurakoff

    What do you learn from:

    zgrep 'dstip="184\.150\.154\.11"' /var/log/http/2021/02/*|grep -oP 'srcip=".*?"'|sort -n|uniq -c

    For folks working from their personally-owned devices, the free Sophos Home solution isn't as good as Intercept X, but it's better than most alternatives.  In any case, I would recommend that your organization buy Intercept X for all devices connecting to your office if the organization can't afford to supply laptops to remote workers.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • 0 in reply to BAlfson

    Logs in http directories appear to be empty (40 chars zipped). 

    -rw-r--r-- 1 root log 40 Feb 12 00:00 http-2021-02-12.log.gz
    -rw-r--r-- 1 root log 40 Feb 13 00:00 http-2021-02-13.log.gz
    -rw-r--r-- 1 root log 40 Feb 14 00:00 http-2021-02-14.log.gz

    I was able to roll out Intercept X to most users (had a few extra licenses).  Those who had an self installed solution claimed to have a decent level of protection (ESET, Norton etc) but whether or not their subscription and/or definition library is up to date is another question. 

  • 0 in reply to DavidBurakoff

    Which means that either the logging or Web Protection configuration needs attention.  Maybe both.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
Unfiltered HTML