
False Positive?

I've received the following alert:

SERVER-OTHER Sophos Web Appliance arbitrary command execution attempt


SrcIP is my local PC's IP. How do I interpret it?
The destination IP shows as FB...

IP address: 31.13.84.36
Hostname: edge-star-mini-shv-01-vie1.facebook.com
Type: Public
CIDR: 31.13.84.36/24



  • This policy is used ;) I'm also thinking that it's a F/P. But I just want to be somehow sure. What's weird is that it points to a Facebook IP address with "Sophos Web Appliance" - how are these combined? :)

    __________SETUP___________

    HP Small Form Factor:  i5 4Cores, 8Gb of RAM.
    Intel Network Card 5x Eth
    SSD: 256Gb

  • IPS inspects traffic against all loaded Snort rules.

    If some traffic matches, it will alert on and block that traffic.

    https://en.wikipedia.org/wiki/Intrusion_detection_system#Signature-based

    Maybe somebody within Facebook developed an application which generates similar traffic.


  • A big Thanks for your explanation and help ;) cheers!


  • Hi all,

    We get a ton of alerts from IPS with "Sophos Web Appliance arbitrary command execution attempt" when accessing the new FACEBOOK Dark Mode.

    How should we react to these messages? Is there an 'Acknowledge' check so that this specific alert will no longer be received? (We're receiving all alerts by e-mail and it's getting annoying.)

    LOG message ALERT:

    2020-05-26 09:33:07
    messageid="07002" log_type="IDP" log_component="Signatures" log_subtype="Drop" ips_policy="" ips_policy_id="3" fw_rule_id="5" user="USER@domain.com" sig_id="32997" message="SERVER-OTHER Sophos Web Appliance arbitrary command execution attempt" classification="Attempted Administrator Privilege Gain" rule_priority="2" src_ip="192.168.100.148" src_country="" dst_ip="185.60.218.35" dst_country="IRL" protocol="TCP" src_port="50029" dst_port="443" OS="Other" category="server-other" victim="Server"

    Facebook Dark Mode: https://www.facebook.com/facebookapp/videos/278999813137341/

    For now, the IPS setting for the Web rule is LanToWanGeneral (the default one).
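The two questions in this thread (is the alert a false positive, and how do you decide that quickly when hundreds of them arrive by e-mail) come down to reading the fields of the IDP log line. Below is an added example, not code from the thread or from Sophos, that parses the key="value" format shown above and applies the triage a reviewer would do by hand: is the source an internal client and the destination a public server on a browsing port, and does the destination fall in a netblock we have chosen to treat as a known SaaS destination? The netblocks in KNOWN_SAAS_NETS are assumptions for illustration and must be checked against the provider's published ranges before you rely on them; the sample log lines are constructed copies (the one from the thread has the missing quote before dst_country repaired).

```python
"""Triage Sophos XG IDP (IPS) log lines of the kind posted in the thread.

Added example, not from the original thread or from Sophos. It parses the
key="value" format the firewall writes and ranks each alert for review.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import Dict, Optional

# key="value" pairs; values may contain spaces (see message="...") but no quotes.
_KV = re.compile(r'(\w+)="([^"]*)"')

# Constructed copy of the log line posted above (missing quote repaired).
SAMPLE_LOG = (
    '2020-05-26 09:33:07 messageid="07002" log_type="IDP" log_component="Signatures" '
    'log_subtype="Drop" ips_policy="" ips_policy_id="3" fw_rule_id="5" '
    'user="USER@domain.com" sig_id="32997" '
    'message="SERVER-OTHER Sophos Web Appliance arbitrary command execution attempt" '
    'classification="Attempted Administrator Privilege Gain" rule_priority="2" '
    'src_ip="192.168.100.148" src_country="" dst_ip="185.60.218.35" dst_country="IRL" '
    'protocol="TCP" src_port="50029" dst_port="443" OS="Other" '
    'category="server-other" victim="Server"'
)

# Constructed line for the opposite direction: a public host hitting an internal
# server on 443 with the same signature. This is the case you must NOT dismiss.
INBOUND_LOG = (
    '2020-05-26 10:01:44 messageid="07002" log_type="IDP" log_component="Signatures" '
    'log_subtype="Drop" ips_policy_id="3" fw_rule_id="9" sig_id="32997" '
    'message="SERVER-OTHER Sophos Web Appliance arbitrary command execution attempt" '
    'classification="Attempted Administrator Privilege Gain" rule_priority="2" '
    'src_ip="198.51.100.23" dst_ip="192.168.100.10" protocol="TCP" '
    'src_port="41022" dst_port="443" victim="Server"'
)

# ASSUMED allowlist for illustration only; verify against the provider's
# published ranges before using anything like this in production.
KNOWN_SAAS_NETS = {
    "facebook (assumed range)": [
        ipaddress.ip_network("31.13.64.0/18"),
        ipaddress.ip_network("185.60.216.0/22"),
    ],
}

BROWSING_PORTS = (80, 443)


@dataclass
class Triage:
    sig_id: str
    message: str
    src_ip: str
    dst_ip: str
    dst_port: int
    client_initiated: bool          # internal client -> public server on 80/443
    known_destination: Optional[str]
    verdict: str


def parse_idp_log(line: str) -> Dict[str, str]:
    """Return the key="value" fields of one IDP log line as a dict."""
    fields = dict(_KV.findall(line))
    if "sig_id" not in fields or "dst_ip" not in fields or "src_ip" not in fields:
        raise ValueError("not an IDP signature log line")
    return fields


def triage(line: str) -> Triage:
    f = parse_idp_log(line)
    src = ipaddress.ip_address(f["src_ip"])
    dst = ipaddress.ip_address(f["dst_ip"])
    dst_port = int(f["dst_port"])

    # RFC 1918 source talking to a routable destination on a web port is
    # ordinary outbound browsing, which is where signature FPs usually appear.
    client_initiated = src.is_private and dst.is_global and dst_port in BROWSING_PORTS
    known = next(
        (name for name, nets in KNOWN_SAAS_NETS.items() if any(dst in n for n in nets)),
        None,
    )

    if client_initiated and known:
        verdict = ("likely false positive: internal client browsing to a known SaaS "
                   "destination; consider an exception scoped to this sig_id and destination")
    elif client_initiated:
        verdict = "outbound client traffic; check destination reputation before tuning"
    else:
        verdict = "inbound or lateral traffic; treat as a real attempt until proven otherwise"

    return Triage(f["sig_id"], f["message"], f["src_ip"], f["dst_ip"], dst_port,
                  client_initiated, known, verdict)


if __name__ == "__main__":
    for line in (SAMPLE_LOG, INBOUND_LOG):
        t = triage(line)
        print(f"{t.src_ip} -> {t.dst_ip}:{t.dst_port} sig {t.sig_id}: {t.verdict}")
```

The point of the second sample is that the same signature, same port and same message can mean two very different things; the direction of the flow and the destination, not the rule name, is what separates "Facebook Dark Mode tripped a content rule" from an attacker probing an internal server. Any exception you add should be scoped to the signature and the destination rather than disabling the rule outright.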