This discussion has been locked.

You can no longer post new replies to this discussion. If you have a question you can start a new discussion

SG310 UTM - SID 20842 - Suddenly getting regular intrusion prevention alerts from various source IPs to Windows 10 hosts

First alert we had from rule SID 20842 was on 23 Nov at 17:39 GMT. Since then have had 230 alerts to around 50 different Windows 10 hosts, all this rule, 29 different IP source addresses, all source port 80, various destination ports.

Looking up the source IP addresses most of them look like CDN IPs, some identified as Akamai Technologies, couple I've seen Microsoft update mentioned. Looking at netstat on one host it looked like SearchApp.exe was connected to one of these sources. I checked the SearchApp.exe program certificate and it was genuine.

I just can't understand why this rule is suddenly generating these alerts. If the IPs are genuine CDN sources, why they are generating alerts? I'm not aware of any network or firewall changes that could be a factor.

I've logged a ticket with support, but haven't heard anything back and am desperate to understand what is going on here.

Are these false positives or do we have malware on the network?
If they are false positives why can't I find anything about this particular rule?
Do people routinely disable IPS rules that generate false positives, or whitelist lots of domains after checking they are legit?

Top 10 IPS sources since first alert (all rule 20842):

1	23.73.136.145	66
2	23.73.136.89	52
3	13.107.4.50	28
4	178.79.251.0	12
5	8.238.11.126	7
6	2.22.146.145	6
7	8.238.5.126	5
8	8.238.3.254	5
9	2.22.146.144	4
10	8.238.55.126	4

Full email alert:

Intrusion Prevention Alert

An intrusion has been detected. The packet has been dropped automatically.
You can toggle this rule between "drop" and "alert only" in WebAdmin.

Details about the intrusion alert:

Message........: FILE-OTHER Interactive Data eSignal stack buffer overflow attempt
Details........: https://www.snort.org/search?query=20842
Time...........: 2021-11-23 17:39:17
Packet dropped.: yes
Priority.......: high
Classification.: Attempted User Privilege Gain
IP protocol....: 6 (TCP)

Source IP address: 13.107.4.50
Source port: 80 (http)
Destination IP address: 192.168.[x].[x]
Destination port: 58759

---

Model: SG310
Firmware: 9.707-5
Pattern: 205149

Any help would be very much appreciated.

This thread was automatically locked due to age.

Top Replies

Jonathan Elliott over 2 years ago +1

We've resolved this by deploying a GPO disabling automatic updates from the Microsoft Store. We've had no more of these IPS alerts since.

MarcusG over 2 years ago

Hello Jonathan, i can confirm your Problem, we have the same massive alerts.
Cancel
Vote Up 0 Vote Down

Cancel
Chip Saun over 2 years ago

We also habe the Same Alerts on our utm. They begun at the same time like your alerts
Cancel
Vote Up 0 Vote Down

Cancel
Chip Saun over 2 years ago in reply to Chip Saun

We also have the sid 36661
Cancel
Vote Up 0 Vote Down

Cancel
BAlfson over 2 years ago

Hi Jonathan, hallo Marcus, and welcome both to the UTM Community!

You might want to keep V9 IPS Rules for future IPS alerts.

Please copy here a line from the Intrusion Prevention log with sid="20842" therein.

Cheers - Bob

Sophos UTM Community Moderator
Sophos Certified Architect - UTM
Sophos Certified Engineer - XG
Gold Solution Partner since 2005

MediaSoft, Inc. USA
Cancel
Vote Up 0 Vote Down

Cancel
Chip Saun over 2 years ago in reply to BAlfson

2021:11:26-11:34:17 myutm snort[1137]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="drop" reason="FILE-OTHER Interactive Data eSignal stack buffer overflow attempt" group="500" srcip="8.238.151.254" dstip="192.168.xxx.yyy" proto="6" srcport="80" dstport="54442" sid="20842" class="Attempted User Privilege Gain" priority="1" generator="1" msgid="0"
Cancel
Vote Up 0 Vote Down

Cancel
Chip Saun over 2 years ago in reply to BAlfson

And here the 36661:

2021:11:26-13:25:25 myutm snort[1133]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="drop" reason="FILE-OTHER Interactive Data eSignal stack buffer overflow attempt" group="500" srcip="178.79.232.128" dstip="192.168.aaa.bbb" proto="6" srcport="80" dstport="52163" sid="36661" class="Attempted User Privilege Gain" priority="1" generator="1" msgid="0"
Cancel
Vote Up 0 Vote Down

Cancel

MarcusG over 2 years ago in reply to BAlfson

Hello Bob, here our log:

2021:11:28-00:31:16 gicfw01-1 snort[18432]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="drop" reason="FILE-OTHER Interactive Data eSignal stack buffer overflow attempt" group="500" srcip="23.3.89.154" dstip="10.34.6.211" proto="6" srcport="80" dstport="63916" sid="20842" class="Attempted User Privilege Gain" priority="1" generator="1" msgid="0"

Jonathan Elliott over 2 years ago in reply to BAlfson

Hi Bob, here's a line from our log:

2021:11:28-02:05:17 myutm snort[21816]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="drop" reason="FILE-OTHER Interactive Data eSignal stack buffer overflow attempt" group="500" srcip="8.248.169.254" dstip="192.168.xxx.yyy" proto="6" srcport="80" dstport="50351" sid="20842" class="Attempted User Privilege Gain" priority="1" generator="1" msgid="0"

Note that we've seen hundreds of 20842 alerts now since it started, but none of the 36661 alert Chip mentions.

Thanks
Cancel
Vote Up 0 Vote Down

Cancel
StefanT over 2 years ago

Hi,

Just created a case for the same issue.

2021:11:29-12:13:15 fw snort[26400]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="drop" reason="FILE-OTHER Interactive Data eSignal stack buffer overflow attempt" group="500" srcip="8.238.111.126" dstip="172.16.x.y" proto="6" srcport="80" dstport="50273" sid="20842" class="Attempted User Privilege Gain" priority="1" generator="1" msgid="0"

2021:11:29-12:13:15 fw snort[26400]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="drop" reason="FILE-OTHER Interactive Data eSignal stack buffer overflow attempt" group="500" srcip="8.238.111.126" dstip="172.16.x.y" proto="6" srcport="80" dstport="50273" sid="20842" class="Attempted User Privilege Gain" priority="1" generator="1" msgid="0"
Cancel
Vote Up 0 Vote Down

Cancel
Jonathan Elliott over 2 years ago in reply to StefanT

Thanks Stefan. I logged my case with support on the 24th and apart from asking my availability for a remote session it's gotten nowhere yet. Hope you have more luck...
Cancel
Vote Up 0 Vote Down

Cancel