Thread Info
  • State Not Answered
  • Locked Locked
  • Replies 6 replies
  • Subscribers 3 subscribers
  • Views 3102 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Constant WARN-852 E-mails

270797lb
Hi Guys/Girls,

Our Sophos software box with Network Protection License keeps sending

WARN-852 emails about 5-10 times a day. These are Intrusion Prevention Alert (Packet Dropped) e-mails.

Not sure why we are bombarded with these every day.

Thanks in advance.


This thread was automatically locked due to age.
  • 0
    Some messages mean that you haven't done a good job of limiting inbound traffic.  Some indicate that a device has an infection. Some are false alarms.  Try asking during work hours when you have the details at hand.

    Cheers - Bob
  • 0
    UTM uses open source Snort rules for IPS/IDS, nothing Sophos specific.  The emails should have a link for further information on the rule being triggered.  If not, you can get the Rule ID and name from the Intrusion Prevention Log and google for more information on the rule.
  • 0 
    2015:01:04-00:12:39 FSI-03-UTM snort[4120]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="drop" reason="OS-OTHER Bash CGI environment variable injection attempt" group="218" srcip="92.72.35.53" dstip="172.16.1.1" proto="6" srcport="59237" dstport="8080" sid="31978" class="Attempted Administrator Privilege Gain" priority="1" generator="1" msgid="0"

    2015:01:04-00:54:59 FSI-03-UTM snort[4120]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="drop" reason="OS-OTHER Bash CGI environment variable injection attempt" group="218" srcip="178.195.206.109" dstip="172.16.1.1" proto="6" srcport="48235" dstport="8080" sid="31978" class="Attempted Administrator Privilege Gain" priority="1" generator="1" msgid="0"

    2015:01:04-01:35:08 FSI-03-UTM snort[4120]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="drop" reason="OS-OTHER Bash CGI environment variable injection attempt" group="218" srcip="195.1.174.38" dstip="172.16.1.1" proto="6" srcport="60578" dstport="8080" sid="31978" class="Attempted Administrator Privilege Gain" priority="1" generator="1" msgid="0"

    2015:01:04-01:48:03 FSI-03-UTM snort[4120]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="drop" reason="OS-OTHER Bash CGI environment variable injection attempt" group="218" srcip="218.173.47.96" dstip="172.16.1.1" proto="6" srcport="42485" dstport="8080" sid="31978" class="Attempted Administrator Privilege Gain" priority="1" generator="1" msgid="0"

    2015:01:04-06:03:13 FSI-03-UTM snort[4120]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="drop" reason="OS-OTHER Bash CGI environment variable injection attempt" group="218" srcip="59.120.4.112" dstip="172.16.1.1" proto="6" srcport="34152" dstport="8080" sid="31978" class="Attempted Administrator Privilege Gain" priority="1" generator="1" msgid="0"

    2015:01:04-06:08:39 FSI-03-UTM snort[4120]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="drop" reason="OS-OTHER Bash CGI environment variable injection attempt" group="218" srcip="109.148.27.204" dstip="172.16.1.1" proto="6" srcport="61613" dstport="8080" sid="31978" class="Attempted Administrator Privilege Gain" priority="1" generator="1" msgid="0"

    2015:01:04-06:12:30 FSI-03-UTM snort[4120]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="drop" reason="OS-OTHER Bash CGI environment variable injection attempt" group="218" srcip="77.60.93.30" dstip="172.16.1.1" proto="6" srcport="43390" dstport="8080" sid="31978" class="Attempted Administrator Privilege Gain" priority="1" generator="1" msgid="0"

    2015:01:04-06:15:12 FSI-03-UTM snort[4120]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="drop" reason="OS-OTHER Bash CGI environment variable injection attempt" group="218" srcip="175.158.147.234" dstip="172.16.1.1" proto="6" srcport="43884" dstport="8080" sid="31978" class="Attempted Administrator Privilege Gain" priority="1" generator="1" msgid="0"

    2015:01:04-09:52:00 FSI-03-UTM snort[4120]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="drop" reason="OS-OTHER Bash CGI environment variable injection attempt" group="218" srcip="196.22.196.1" dstip="172.16.1.1" proto="6" srcport="54987" dstport="8080" sid="31978" class="Attempted Administrator Privilege Gain" priority="1" generator="1" msgid="0"


    This is the IPS Event Log, it all goes to the same destination which is a web server.
  • 0
    Someone is attempting to exploit CVE-2014-7169 on your system.  It's an automated attack, just because they detected an open port.  IPS is blocking the attempts, so doing it's job.
  • 0 in reply to Scott_Klassen
    Someone is attempting to exploit CVE-2014-7169 on your system.  It's an automated attack, just because they detected an open port.  IPS is blocking the attempts, so doing it's job.


    Thats good! Is there anyway it can stop alerting me about this specific attack? As all the Directors and myself get bombarded with them about 5-10 times a day
  • 0
    Network Protection > Intrusion Prevention > Advanced

    Add a rule modification.  Rule ID is the SID from the logs and check Disable Notifications.