First alert we had from rule SID 20842 was on 23 Nov at 17:39 GMT. Since then have had 230 alerts to around 50 different Windows 10 hosts, all this rule, 29 different IP source addresses, all source port 80, various destination ports.
Looking up the source IP addresses, most of them look like CDN IPs, some identified as Akamai Technologies, and a couple I've seen Microsoft update mentioned. Looking at netstat on one host, it looked like SearchApp.exe was connected to one of these sources. I checked the SearchApp.exe program certificate and it was genuine. I just can't understand why this rule is suddenly generating these alerts. If the IPs are genuine CDN sources, why are they generating alerts? I'm not aware of any network or firewall changes that could be a factor. I've logged a ticket with support, but haven't heard anything back and am desperate to understand what is going on here.
Top 10 IPS sources since first alert (all rule 20842):
Full email alert:
Intrusion Prevention Alert
An intrusion has been detected. The packet has been dropped automatically. You can toggle this rule between "drop" and "alert only" in WebAdmin.
Details about the intrusion alert:
Message........: FILE-OTHER Interactive Data eSignal stack buffer overflow attempt
Details........: https://www.snort.org/search?query=20842
Time...........: 2021-11-23 17:39:17
Packet dropped.: yes
Priority.......: high
Classification.: Attempted User Privilege Gain
IP protocol....: 6 (TCP)
Source IP address: 126.96.36.199
Source port: 80 (http)
Destination IP address: 192.168.[x].[x]
Destination port: 58759
Any help would be very much appreciated.
We've resolved this by deploying a GPO disabling automatic updates from the Microsoft Store. We've had no more of these IPS alerts since.
Just created a case for the same issue.
2021:11:29-12:13:15 fw snort: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="drop" reason="FILE-OTHER Interactive Data eSignal stack buffer overflow attempt" group="500" srcip="188.8.131.52" dstip="172.16.x.y" proto="6" srcport="80" dstport="50273" sid="20842" class="Attempted User Privilege Gain" priority="1" generator="1" msgid="0"
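As an added example (not code from this thread or from Sophos), the aggregation the original post describes, run over constructed log lines in the key="value" format quoted above. The IP addresses and the second rule's SID are made-up sample values:

```python
import re
from collections import Counter

# Constructed sample lines in the Sophos UTM IPS log format quoted in this
# thread. Addresses are RFC 5737 documentation ranges; the last line uses a
# made-up SID so the filter has something to exclude.
SAMPLE_LOG = """\
2021:11:29-12:13:15 fw snort: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="drop" reason="FILE-OTHER Interactive Data eSignal stack buffer overflow attempt" group="500" srcip="203.0.113.10" dstip="172.16.1.20" proto="6" srcport="80" dstport="50273" sid="20842" class="Attempted User Privilege Gain" priority="1" generator="1" msgid="0"
2021:11:29-12:14:02 fw snort: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="drop" reason="FILE-OTHER Interactive Data eSignal stack buffer overflow attempt" group="500" srcip="203.0.113.10" dstip="172.16.1.21" proto="6" srcport="80" dstport="54442" sid="20842" class="Attempted User Privilege Gain" priority="1" generator="1" msgid="0"
2021:11:29-12:15:40 fw snort: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="drop" reason="FILE-OTHER Interactive Data eSignal stack buffer overflow attempt" group="500" srcip="198.51.100.7" dstip="172.16.1.22" proto="6" srcport="80" dstport="49211" sid="20842" class="Attempted User Privilege Gain" priority="1" generator="1" msgid="0"
2021:11:29-12:16:05 fw snort: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="drop" reason="CONSTRUCTED sample of some other rule" group="500" srcip="198.51.100.9" dstip="172.16.1.23" proto="6" srcport="443" dstport="51000" sid="1" class="Misc activity" priority="3" generator="1" msgid="0"
"""

KV_RE = re.compile(r'(\w+)="([^"]*)"')


def parse_line(line):
    """Return the key="value" fields of one IPS log line as a dict."""
    fields = dict(KV_RE.findall(line))
    # The timestamp precedes the first key="value" pair.
    fields["timestamp"] = line.split(" ", 1)[0]
    return fields


def summarize(log_text, sid="20842"):
    """Aggregate alerts for one SID: counts, affected hosts, top sources."""
    events = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    hits = [e for e in events if e.get("sid") == sid]
    srcports = {e["srcport"] for e in hits}
    return {
        "alerts": len(hits),
        "hosts": len({e["dstip"] for e in hits}),
        "sources": len({e["srcip"] for e in hits}),
        "top_sources": Counter(e["srcip"] for e in hits).most_common(10),
        # Every hit with srcport 80 means the matched bytes arrived in an
        # HTTP response the client itself requested, which is consistent
        # with the CDN/update-download pattern discussed in this thread.
        "all_from_http": bool(hits) and srcports == {"80"},
    }


if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```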
Thanks Stefan. I logged my case with support on the 24th and apart from asking my availability for a remote session it's gotten nowhere yet. Hope you have more luck...
I got this answer at my case:
"Has Rule ID 20842 been added to Network Protection > Intrusion Prevention > Advanced > Manual Rule Modification > Rule ID = 20842 and set the action to drop? If not, can this be done, please?"
This seems to work, but I am not an expert in firewalls and not sure if this lowers the security. I asked this, but did not get an answer yet.
Thank you for telling us this first workaround!
The automatic rule already drops the packets matched by the rule:
severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="drop" reason="FILE-OTHER Interactive Data eSignal stack buffer overflow attempt" group="500" srcip="184.108.40.206" dstip="192.168.xxx.yyy" proto="6" srcport="80" dstport="54442" sid="20842" class="Attempted User Privilege Gain" priority="1" generator="1" msgid="0"
Yes, right, then we have gained nothing.
Exactly, I know the IPS alerts are already being blocked and can be silenced manually, but I don't want to without knowing what's changed, what's causing them. I've never had to do this before. When you search for the 20842 rule ID and message, this post comes up but there's a lack of other reports from other systems, which surely there would be if it was a problem with the Snort database.
Has anyone had any luck packet tracing on affected hosts?
I do not know how it works, but after adding this I did not get the alert emails anymore.
Today I asked the Sophos technician who handled my case to join this discussion; hopefully he will do that and help solve the questions.
Does the daily executive report of your firewall show any Attacks anymore?
I did not get emails on the snort packet drops, but on the daily report I always see this:
Yes, we have such 10 IPs in Daily Executive Report too.
Also the 220.127.116.11?