[8.165][BUG][FIXED] Intrusion Prevention Alert emails no info

Hi,

If I remember correctly, the email used to have source and destination information, see below.

BTW, I'm getting tons of CRIT-852 IPS email notifications; I haven't seen this many ever, 57 in less than 3 hours. I'll keep an eye on this issue and report it separately if I need to.

Paul


Details about the intrusion alert:

Message........: WEB-MISC Multiple vendor Antivirus magic byte detection evasion attempt
Details........: Snort ::
Time...........: 2011:05:31-14:34:55
Packet dropped.: yes
Priority.......: 1high
Classification.: Attempted User Privilege Gain
IP protocol....: 6 (TCP)

Source IP address: $SRC_IP $SRC_HOST
www.dnsstuff.com/.../ptr.ch
www.ripe.net/.../whois
ws.arin.net/.../whois.pl
cgi.apnic.net/.../whois.pl
$SRC_PORT
Destination IP address: $DST_IP $DST_HOST
www.dnsstuff.com/.../ptr.ch
www.ripe.net/.../whois
ws.arin.net/.../whois.pl
cgi.apnic.net/.../whois.pl
$DST_PORT
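The symptom in the mail above is that the template variables ($SRC_IP, $SRC_HOST, $SRC_PORT and their $DST_ counterparts) reached the recipient unexpanded, so the alert carries no addresses at all. The following is an added example, not code from this thread or from Astaro/Sophos: it parses the "Label....: value" body of such an alert, lists any placeholders that were never substituted, and contrasts a strict template fill (which fails loudly on a missing variable) with a lenient one (which silently leaves "$SRC_IP" in the text, the behaviour seen here). The sample alert is constructed from the body quoted in the post; the use of Python's string.Template stands in for whatever mechanism the appliance actually uses and is an assumption.

```python
"""Parse an ASG-style IPS alert e-mail and flag unexpanded template variables.

Added example for the thread above; not the appliance's own code.
"""
import re
from datetime import datetime
from string import Template

# Constructed sample, modelled on the alert body quoted in the post.
SAMPLE_ALERT = """\
Details about the intrusion alert:

Message........: WEB-MISC Multiple vendor Antivirus magic byte detection evasion attempt
Details........: Snort ::
Time...........: 2011:05:31-14:34:55
Packet dropped.: yes
Priority.......: 1high
Classification.: Attempted User Privilege Gain
IP protocol....: 6 (TCP)

Source IP address: $SRC_IP $SRC_HOST
$SRC_PORT
Destination IP address: $DST_IP $DST_HOST
$DST_PORT
"""

# "Label" + optional dot padding + ":" + non-empty value.
FIELD_RE = re.compile(r"^([A-Za-z][A-Za-z ]*?)\.*:\s*(\S.*)$")
# A leftover template variable looks like $NAME; real data never does.
PLACEHOLDER_RE = re.compile(r"\$([A-Za-z_][A-Za-z0-9_]*)")
# Fields an alert must carry to be actionable (assumption for this check).
REQUIRED = ("Message", "Time", "Priority",
            "Source IP address", "Destination IP address")


def parse_alert(text):
    """Return the 'Label....: value' pairs of an alert body as a dict."""
    fields = {}
    for line in text.splitlines():
        m = FIELD_RE.match(line.strip())
        if m:
            fields[m.group(1)] = m.group(2).strip()
    return fields


def parse_time(value):
    """Parse the appliance's 'YYYY:MM:DD-HH:MM:SS' timestamp."""
    return datetime.strptime(value, "%Y:%m:%d-%H:%M:%S")


def find_unexpanded(text):
    """Names of template variables still present verbatim in the body."""
    return sorted(set(PLACEHOLDER_RE.findall(text)))


def check_alert(text):
    """Return a list of problems; an empty list means the mail is usable."""
    problems = []
    fields = parse_alert(text)
    for name in REQUIRED:
        if name not in fields:
            problems.append(f"missing field: {name}")
    for var in find_unexpanded(text):
        problems.append(f"unexpanded template variable: ${var}")
    return problems


def render_alert(template, values, strict=True):
    """Fill the template. strict=True raises KeyError on a missing variable;
    strict=False leaves the placeholder in place, reproducing the bug."""
    tpl = Template(template)
    return tpl.substitute(values) if strict else tpl.safe_substitute(values)


if __name__ == "__main__":
    for problem in check_alert(SAMPLE_ALERT):
        print(problem)
    # Constructed values (RFC 5737 documentation addresses).
    filled = render_alert(SAMPLE_ALERT, {
        "SRC_IP": "192.0.2.10", "SRC_HOST": "", "SRC_PORT": "51234",
        "DST_IP": "198.51.100.5", "DST_HOST": "", "DST_PORT": "80",
    })
    print("problems after a strict fill:", check_alert(filled))
```

Run against the sample, check_alert reports the six unexpanded variables and nothing else, which is exactly what the mailed alert looks like; a strict fill with the same values empty would raise instead of mailing an empty notification.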
  • Have the same problem. Also the uptime is showing as 0 on mine ;)
    Message........: WEB-CLIENT Web-client IFRAME src javascript code execution
    Details........: Snort ::
    Time...........: 2011:05:31-14:09:48
    Packet dropped.: no
    Priority.......: 1high
    Classification.: Attempted User Privilege Gain
    IP protocol....: 6 (TCP)

    Source IP address: $SRC_IP $SRC_HOST
    - http://www.dnsstuff.com/tools/ptr.ch?ip=$SRC_IP
    - http://www.ripe.net/perl/whois?query=$SRC_IP
    - http://ws.arin.net/cgi-bin/whois.pl?queryinput=$SRC_IP
    - http://cgi.apnic.net/apnic-bin/whois.pl?search=$SRC_IP
    $SRC_PORT
    Destination IP address: $DST_IP $DST_HOST
    - http://www.dnsstuff.com/tools/ptr.ch?ip=$DST_IP
    - http://www.ripe.net/perl/whois?query=$DST_IP
    - http://ws.arin.net/cgi-bin/whois.pl?queryinput=$DST_IP
    - http://cgi.apnic.net/apnic-bin/whois.pl?search=$DST_IP
    $DST_PORT
            
    -- 
    System Uptime      : 0 days 0 hours 0 minutes
    System Load        : 0.18
    System Version     : Astaro Security Gateway 8.165

  • Have the exact same problem, started just now, two emails so far