Guest User!

You are not Sophos Staff.

Thread Info
  • State Not Answered
  • Replies 8 replies
  • Subscribers 0 subscribers
  • Views 1386 views
  • Users 0 members are here
Options
Suggested

[8.165][BUG][FIXED] Intrusion Prevention Alert emails no info

PaulHolt
Hi,

If I remember correctly the email used to have source and destination information, see below.

BTW, I'm getting tons of CRIT-852 IPS email notifications..... haven't seen this many ever... 57 in less than 3 hours.  I'll keep an eye on this issue and report it separately if I need to.

Paul


Details about the intrusion alert:

Message........: WEB-MISC Multiple vendor Antivirus magic byte detection evasion attempt
Details........: Snort ::
Time...........: 2011:05:31-14:34:55
Packet dropped.: yes
Priority.......: 1high
Classification.: Attempted User Privilege Gain
IP protocol....: 6 (TCP)

Source IP address: $SRC_IP $SRC_HOST
www.dnsstuff.com/.../ptr.ch
www.ripe.net/.../whois
ws.arin.net/.../whois.pl
cgi.apnic.net/.../whois.pl
$SRC_PORT
Destination IP address: $DST_IP $DST_HOST
www.dnsstuff.com/.../ptr.ch
www.ripe.net/.../whois
ws.arin.net/.../whois.pl
cgi.apnic.net/.../whois.pl
$DST_PORT
Parents Reply Children
  • 0 in reply to wingman
    Kai Could you also add that we don't get the relevant entries on the executive report as well. I had a port scan and the few other detections but they don't appear on the executive report

    Interesting... Only thing that I have noticed beside the obvious bug is that the uptime is counted in hours only. Minutes are always 0. However I do get the alerts atleast in the automatically generated daily executive report.
Unfiltered HTML