IPS - Some signature are false positive

Hi There,

After some days, I would like to share some strange things with the XG IPS module.

See the screenshot:

I have a MAC at home, so the first 2 signatures cannot be applied.

First Signature CVE:

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7279

Second Signature:

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0301

Both attacks come from the MAC computer's IP.

Any idea?

Thanks
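The reasoning in the post above (a signature whose referenced CVE only affects Windows cannot be a real hit against a Mac) is a triage check that can be automated before a case is raised with support. The script below is an added example for this thread, not Sophos code and not the XG log format: the alert lines, the host inventory and the CVE-to-platform table are all constructed, and the two Windows-only entries are assumed from the Microsoft advisories the CVE links point to, so verify them before reporting a signature as a false positive. It checks both ends of the flow, because for client-side CVEs the exposed host is the one that receives the content, which is not always the IP the report labels as the source.

```python
"""Triage IPS alerts by comparing the alerting signature's referenced CVE
against the operating system of the hosts on either side of the flow.

Added example for the thread above; not Sophos code. Alert lines, the host
inventory and the CVE-to-platform table are constructed (assumptions).
"""

from dataclasses import dataclass

# Constructed inventory: internal IP -> operating system (assumption).
HOST_OS = {
    "192.168.1.10": "macos",     # the Mac from the post
    "192.168.1.20": "windows",   # a Windows box on the same LAN
}

# Constructed mapping: CVE -> platforms the vulnerability affects.
# Both entries are assumed from the Microsoft advisories; verify before use.
CVE_PLATFORMS = {
    "CVE-2016-7279": {"windows"},
    "CVE-2014-0301": {"windows"},
}


@dataclass
class Alert:
    src_ip: str
    dst_ip: str
    cve: str
    signature: str


def parse_alert(line):
    """Parse one constructed key=value alert line into an Alert."""
    fields = dict(part.split("=", 1) for part in line.split())
    return Alert(fields["src_ip"], fields["dst_ip"], fields["cve"], fields["sig"])


def classify(alert):
    """Return 'plausible', 'no_exposed_host' or 'unknown' for one alert.

    plausible        - at least one inventoried endpoint runs an affected OS
    no_exposed_host  - every inventoried endpoint runs an unaffected OS
    unknown          - CVE not in the table, or neither endpoint inventoried
    """
    platforms = CVE_PLATFORMS.get(alert.cve)
    if platforms is None:
        return "unknown"
    endpoint_os = [HOST_OS.get(ip) for ip in (alert.src_ip, alert.dst_ip)]
    if any(os_name in platforms for os_name in endpoint_os if os_name):
        return "plausible"
    if all(os_name is None for os_name in endpoint_os):
        return "unknown"
    # Known endpoints only, none on an affected platform: nothing local
    # could be exploited, so this is a candidate for a false-positive report.
    return "no_exposed_host"


def triage(lines):
    """Group parsed alerts by classification."""
    groups = {"plausible": [], "no_exposed_host": [], "unknown": []}
    for line in lines:
        alert = parse_alert(line)
        groups[classify(alert)].append(alert)
    return groups


# Constructed sample alerts (not real XG log output).
SAMPLE_ALERTS = [
    "src_ip=192.168.1.10 dst_ip=203.0.113.5 cve=CVE-2016-7279 sig=example-sig-1",
    "src_ip=192.168.1.10 dst_ip=203.0.113.5 cve=CVE-2014-0301 sig=example-sig-2",
    "src_ip=203.0.113.9 dst_ip=192.168.1.20 cve=CVE-2016-7279 sig=example-sig-1",
    "src_ip=198.51.100.7 dst_ip=198.51.100.8 cve=CVE-2014-0301 sig=example-sig-2",
    "src_ip=192.168.1.10 dst_ip=203.0.113.5 cve=CVE-0000-0000 sig=example-sig-3",
]

if __name__ == "__main__":
    for group, alerts in triage(SAMPLE_ALERTS).items():
        print(f"{group}: {len(alerts)}")
        for a in alerts:
            print(f"  {a.signature} {a.cve} {a.src_ip} -> {a.dst_ip}")
```

The `no_exposed_host` bucket is what goes to support with a request to pass the signature to the threat research team; the `unknown` bucket is a prompt to extend the inventory or the CVE table rather than a verdict.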



  • I was about to start a thread on the same subject.

    I, like Luk, run MACs at home most of the time, occasionally a W10 on a VM or physical machine, but not every day. I am also trying to understand how my MAC is the source of the attacks in other reports, not necessarily the DNS issue.

    My IPS issues are with the DNS. I receive the same IPS attack warning every day in the daily reports.

    Currently I have access to two ISPs and swap the connections between the UTM and the XG. The UTM does not report the DNS issue, so either the XG IPS is wrong or the XG DNS is configured incorrectly.

    Extract from the XG from today.

    Just to be a further pain, the dashboard and the display figures are totally different. Dashboard about 300, display about 900.

  • Hi Luk,

    What is the pattern version for IPS? For me, the latest version stands at v3.13.34. Please show us a picture from Log Viewer | IPS.

    Thanks

  • I am on the same version as you are.

  • Thanks Sachin. Same version as yours.

    We are still waiting for an official link where we can find all IPS rules, what each pattern detects and what the remediation for that signature is (apply an OS patch on the affected machine, update an application).

    THIS IS MANDATORY.

    Did you see those catches in the Log Viewer section?

    I suggest you raise it to support and ask them to submit the false positives to the Threat Research team. Even Sophos L1 can do that; it requires no escalation. The threat team will investigate and make the necessary changes.

    Can you please post the mismatch in the reporting part separately? That issue relates to the reporting and database issue. For the false positive, I would request you to get it reported via support.

    Thanks

  • Here the IPS signature:

    3.13.41 running on XG 16.05 MR3.

    Even yesterday, 2 IPS attacks. See the screenshots.

    Regards

  • I had over 16K logged over Sunday [as shown above, 9th Apr], and at least twice that figure on typical workdays.

    Happening ever since the v16 upgrade.

    Any suggestion where to poke?

    XG210 Appliance

    Current: Firmware SFOS 16.05.3 MR-3, and Patterns-IPS 3.13.41