
IPS - Some signatures are false positives

Hi There,

After some days, I would like to share some strange things with the XG IPS module.

See the screenshot:

I have a Mac at home, so the first 2 signatures cannot be applied.

First Signature CVE:

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7279

Second Signature:

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0301

Both attacks come from the Mac computer's IP.

Any idea?

Thanks
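A triage step that makes the reasoning in the post above checkable, as an added example that is not code from this thread or from Sophos: it joins IPS alerts with an asset inventory and flags alerts whose CVE targets a platform the affected LAN host does not run, then builds the distinct list you would hand to support. The log lines, the inventory, the column layout and the CVE-to-platform table are all constructed for illustration; the table takes the post's claim that both CVEs are Windows-only as an assumption rather than verifying it, and the real XG log format is not reproduced. A platform mismatch is a hint to report together with the log excerpt, not proof of a false positive: client-side signatures fire on content flowing to the client, so the LAN host can sit at either end of the logged flow, and an inventory that is wrong about a host's OS produces wrong verdicts.

```python
"""Triage IPS alerts against an asset inventory to spot likely false positives.

Added example, not from the original thread or from Sophos. The alert lines,
the asset inventory and the CVE-to-platform table are constructed for
illustration; the real XG log format is not reproduced here.
"""
import csv
import io
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample alerts (not XG's format): one flow per line.
# The last two lines exercise an inbound flow with no CVE on the signature
# and a host that is missing from the inventory.
SAMPLE_ALERTS = """\
timestamp,src_ip,dst_ip,sig_id,cve
2017-01-10T09:12:31,192.168.1.20,203.0.113.5,10001,CVE-2016-7279
2017-01-10T09:13:02,192.168.1.20,203.0.113.5,10002,CVE-2014-0301
2017-01-10T10:45:10,192.168.1.30,203.0.113.7,10001,CVE-2016-7279
2017-01-11T08:01:44,192.168.1.40,198.51.100.9,10003,CVE-2014-0160
2017-01-11T08:05:00,203.0.113.9,192.168.1.30,10004,
2017-01-11T08:06:00,192.168.1.99,203.0.113.5,10001,CVE-2016-7279
"""

# Constructed inventory: OS of each LAN host.
ASSETS: Dict[str, str] = {
    "192.168.1.20": "macOS",
    "192.168.1.30": "Windows",
    "192.168.1.40": "Linux",
}

# Assumed affected platform per CVE. The two Windows entries follow the
# thread's claim; check the vendor advisory before relying on this table.
CVE_PLATFORM: Dict[str, str] = {
    "CVE-2016-7279": "Windows",
    "CVE-2014-0301": "Windows",
    "CVE-2014-0160": "any",  # OpenSSL Heartbleed: platform-independent
}


@dataclass
class TriagedAlert:
    sig_id: str
    cve: str
    host_ip: Optional[str]
    host_os: Optional[str]
    target_platform: Optional[str]
    verdict: str


def lan_host(src_ip: str, dst_ip: str, assets: Dict[str, str]) -> Optional[str]:
    """Return whichever end of the flow is an inventoried LAN host.

    Client-side signatures fire on content sent to the victim, so the LAN host
    may be the source (outbound request) or the destination (inbound reply).
    """
    for ip in (src_ip, dst_ip):
        if ip in assets:
            return ip
    return None


def triage_alerts(alerts_csv: str, assets: Dict[str, str],
                  cve_platform: Dict[str, str]) -> List[TriagedAlert]:
    results: List[TriagedAlert] = []
    for row in csv.DictReader(io.StringIO(alerts_csv)):
        host_ip = lan_host(row["src_ip"], row["dst_ip"], assets)
        host_os = assets.get(host_ip) if host_ip else None
        platform = cve_platform.get(row["cve"])  # "" (no CVE) maps to None
        if host_os is None:
            verdict = "unknown_host"  # inventory gap: cannot judge, do not report as FP
        elif platform is None:
            verdict = "unknown_cve"  # signature has no CVE, or CVE not in the table
        elif platform in ("any", host_os):
            verdict = "plausible"  # host runs the affected platform
        else:
            verdict = "likely_false_positive"  # host does not run the targeted platform
        results.append(TriagedAlert(row["sig_id"], row["cve"], host_ip,
                                    host_os, platform, verdict))
    return results


def verdict_counts(results: List[TriagedAlert]) -> Dict[str, int]:
    return dict(Counter(r.verdict for r in results))


def false_positive_report(results: List[TriagedAlert]) -> List[dict]:
    """Distinct (signature, CVE, host OS) tuples to hand to vendor support."""
    seen = set()
    report = []
    for r in results:
        if r.verdict != "likely_false_positive":
            continue
        key = (r.sig_id, r.cve, r.host_os)
        if key in seen:
            continue
        seen.add(key)
        report.append({"sig_id": r.sig_id, "cve": r.cve, "host_os": r.host_os,
                       "target_platform": r.target_platform})
    return report


if __name__ == "__main__":
    res = triage_alerts(SAMPLE_ALERTS, ASSETS, CVE_PLATFORM)
    for r in res:
        print(r)
    print(verdict_counts(res))
    print(false_positive_report(res))
```

Run it as-is to see the two Mac alerts land in the false-positive report while the Windows host's hit on the same signature stays "plausible"; the "unknown_host" and "unknown_cve" buckets are deliberately kept apart so that inventory gaps and signatures without a CVE reference are never reported as false positives by mistake.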



This thread was automatically locked due to age.
  • Thanks Sachin. Same version as yours.

    We are still waiting for an official link where to find all IPS rules, what each pattern detects and what the remediation for that signature is (apply an OS patch on the affected machine, update an application).

    THIS IS MANDATORY.

  • Did you see those catches in the Log Viewer section?

    I suggest raising it to support and asking them to submit the false positives to the Threat Research team. Even Sophos L1 can do that; it requires no escalation. The threat team shall investigate and make the necessary changes.

    Can you please post the mismatch in the reporting part separately? That issue relates to the reporting and database issue. For the false positive, I would request that you get it reported via support.

    Thanks

  • Here is the IPS signature:

    3.13.41 running on XG 16.05 MR3.

    Even yesterday, 2 IPS attacks. See the screenshots.

    Regards