Receiving IPS alerts (2-3 times /day). Usually from the same IP address (sometimes from one within the same range), but content is the same

Intrusion Prevention Alert

An intrusion has been detected. The packet has *not* been dropped.
If you want to block packets like this one in the future,
set the corresponding intrusion protection rule to "drop" in WebAdmin.
Be careful not to block legitimate traffic caused by false alerts though.

Details about the intrusion alert:

Message........: MALWARE-OTHER Win.Malware.Ursu-9821797-0 download attempt
Details........: https://www.snort.org/search?query=56912
Time...........: 2021-02-12 02:00:32
Packet dropped.: no
Priority.......: high
Classification.: A Network Trojan was Detected
IP protocol....: 6 (TCP)

Source IP address: 184.150.154.11 
Source port: 80 (http)
Destination IP address: xxx.xx.xx.xxx 
Destination port: 51576


I checked the settings in IPS attack patterns, and all rules are set to "drop"
Firewall log:
2021:02:12-02:00:29 athens snort[29360]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="alert" reason="MALWARE-OTHER Win.Malware.Ursu-9821797-0 download attempt" group="500" srcip="184.150.154.11" dstip="xxx.xx.xx.xxx" proto="6" srcport="80" dstport="51576" sid="56912" class="A Network Trojan was Detected" priority="1" generator="1" msgid="0"
I was getting fed up with the messages (figuring they were either false positives or some script kiddie), so I put in a firewall rule in the hopes of ridding myself of the repeated messages.
Bell-AS577 = 184.15.128.0/18
The messages continue.  Anyone with sage advice?


  • Have to agree with both answers; the problem lies within the network.  It would be nice if the log could reveal the intermediate network address. All internal workstations have Sophos Intercept X installed, so low (but not impossible) likelihood that the problem rests there.  It's probably a remote user.  The kind of user who assures you that they have a reliable anti-virus on their machine, but are lying in order to save 20-30 bucks a year.  We're having an external security audit within the next week, so I'll find out who the culprit is (I have suspects in mind).

  • What do you learn from:

    zgrep 'dstip="184\.150\.154\.11"' /var/log/http/2021/02/*|grep -oP 'srcip=".*?"'|sort -n|uniq -c

    For folks working from their personally-owned devices, the free Sophos Home solution isn't as good as Intercept X, but it's better than most alternatives.  In any case, I would recommend that your organization buy Intercept X for all devices connecting to your office if the organization can't afford to supply laptops to remote workers.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
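As an added example (this is not code from the thread or from Sophos; the internal address and the http-log lines are constructed placeholders, since the poster masked the real one), the script below reads the IPS log line quoted in the original post, works out from the port pair which end opened the connection, tests the remote address against a CIDR before that CIDR is relied on in a block rule, and then does in Python what Bob's zgrep pipeline does over the web-filter logs: count the internal srcip values that fetched from the flagged server. The direction check is the one that matters for the original question: a packet from port 80 to an ephemeral port is the server's reply to a request an internal client sent, so a rule that only blocks traffic arriving from the remote range does nothing to a session the internal client opened.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample: the UTM IPS log line quoted in the thread, with the
# masked internal address replaced by a made-up RFC 1918 placeholder.
IPS_LINE = (
    '2021:02:12-02:00:29 athens snort[29360]: id="2101" severity="warn" '
    'sys="SecureNet" sub="ips" name="Intrusion protection alert" action="alert" '
    'reason="MALWARE-OTHER Win.Malware.Ursu-9821797-0 download attempt" group="500" '
    'srcip="184.150.154.11" dstip="10.0.0.25" proto="6" srcport="80" dstport="51576" '
    'sid="56912" class="A Network Trojan was Detected" priority="1" generator="1" msgid="0"'
)

# Constructed sample: web-filter (http) log lines in the same key="value" style.
# Only the fields this example reads are included; real lines carry many more.
HTTP_LINES = [
    '2021:02:12-01:59:58 athens httpproxy[5521]: sub="http" action="pass" srcip="10.0.0.25" dstip="184.150.154.11" url="http://example.invalid/a"',
    '2021:02:12-02:00:27 athens httpproxy[5521]: sub="http" action="pass" srcip="10.0.0.25" dstip="184.150.154.11" url="http://example.invalid/b"',
    '2021:02:12-02:00:29 athens httpproxy[5521]: sub="http" action="pass" srcip="10.0.0.31" dstip="184.150.154.11" url="http://example.invalid/c"',
    '2021:02:12-02:00:30 athens httpproxy[5521]: sub="http" action="pass" srcip="10.0.0.25" dstip="93.184.216.34" url="http://example.invalid/d"',
]

KV_RE = re.compile(r'(\w+)="(.*?)"')


def parse_kv(line):
    """Turn a UTM key="value" log line into a dict of its fields."""
    return dict(KV_RE.findall(line))


def session_initiator(rec, ephemeral_min=1024):
    """Return (client_ip, server_ip) for a TCP alert record.

    Heuristic: the side on a well-known port is the server, the side on an
    ephemeral port is the client that opened the connection.  A packet from
    port 80 to a high port is the server's reply to a request the client sent,
    so the host on the high-port side is the one that started the download.
    """
    sport, dport = int(rec["srcport"]), int(rec["dstport"])
    if sport < ephemeral_min <= dport:
        return rec["dstip"], rec["srcip"]   # reply packet: destination is the client
    if dport < ephemeral_min <= sport:
        return rec["srcip"], rec["dstip"]   # request packet: source is the client
    raise ValueError("cannot tell client from server: ports %d -> %d" % (sport, dport))


def in_cidr(ip, cidr):
    """True if ip falls inside cidr (host bits in cidr are tolerated)."""
    return ipaddress.ip_address(ip) in ipaddress.ip_network(cidr, strict=False)


def count_internal_clients(http_lines, server_ip):
    """Python equivalent of zgrep dstip=... | grep -oP srcip=... | sort | uniq -c:
    count the internal srcip values that reached server_ip through the proxy."""
    counts = Counter()
    for line in http_lines:
        rec = parse_kv(line)
        if rec.get("dstip") == server_ip and "srcip" in rec:
            counts[rec["srcip"]] += 1
    return counts


if __name__ == "__main__":
    alert = parse_kv(IPS_LINE)
    client, server = session_initiator(alert)
    print("sid %s: %s fetched from %s (client port %s)"
          % (alert["sid"], client, server, alert["dstport"]))
    # Check the candidate block range before trusting a rule built on it.
    for cidr in ("184.15.128.0/18", "184.150.128.0/18"):
        print("%s in %s: %s" % (server, cidr, in_cidr(server, cidr)))
    for ip, n in count_internal_clients(HTTP_LINES, server).most_common():
        print("%6d %s" % (n, ip))
```

Run stand-alone it prints the client behind the alert, the two CIDR checks and the per-client counts. On a real UTM, feed count_internal_clients the decompressed lines from the /var/log/http/ archives; that only works if Web Protection is actually logging, which a 40-byte .gz file says it is not.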
  • Logs in http directories appear to be empty (40 chars zipped). 

    -rw-r--r-- 1 root log 40 Feb 12 00:00 http-2021-02-12.log.gz
    -rw-r--r-- 1 root log 40 Feb 13 00:00 http-2021-02-13.log.gz
    -rw-r--r-- 1 root log 40 Feb 14 00:00 http-2021-02-14.log.gz

    I was able to roll out Intercept X to most users (had a few extra licenses).  Those who had a self-installed solution claimed to have a decent level of protection (ESET, Norton, etc.), but whether or not their subscription and/or definition library is up to date is another question. 

  • Which means that either the logging or Web Protection configuration needs attention.  Maybe both.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA