Intrusion Prevention Alert An intrusion has been detected. The packet has *not* been dropped. If you want to block packets like this one in the future, set the corresponding intrusion protection rule to "drop" in WebAdmin. Be careful not to block legitimate traffic caused by false alerts though. Details about the intrusion alert: Message........: MALWARE-OTHER Win.Malware.Ursu-9821797-0 download attempt Details........: https://www.snort.org/search?query=56912 Time...........: 2021-02-12 02:00:32 Packet dropped.: no Priority.......: high Classification.: A Network Trojan was Detected IP protocol....: 6 (TCP) Source IP address: 184.150.154.11 Source port: 80 (http) Destination IP address: xxx.xx.xx.xxx Destination port: 51576
I checked the settings in IPS attack patterns, and all rules are set to "drop"
Firewall log:
2021:02:12-02:00:29 athens snort[29360]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="alert" reason="MALWARE-OTHER Win.Malware.Ursu-9821797-0 download attempt" group="500" srcip="184.150.154.11" dstip="xxx.xx.xx.xxx" proto="6" srcport="80" dstport="51576" sid="56912" class="A Network Trojan was Detected" priority="1" generator="1" msgid="0"
I was getting fed up with the messages (figuring they were either false positives or some script kiddie), so I put in a firewall rule in the the hopes of ridding my self of the repeated messages.
Bell-AS577 = 184.15.128.0/18
The messages continue. Anyone with sage advice?
|
|
|
This thread was automatically locked due to age.
