
How to get details on 2 attacks blocked : rule 32488

Hi,

I had 2 attacks blocked. It is a bummer that I can't drill down on the actual text, but I found more detail in the "Network Protection" menu under "IPS: Top Blocked Attacks".

I can figure out the host inside that tried to send the packet out

I can figure out the two hosts that my internal machine tried to talk to

I can see the rule.

I cannot see:

1) the captured packet of what the payload was

2) I cannot see the time this event took place

3) I cannot see what the definition of the rule is to find out if this is a false positive.

Thanks,

Joe



  • 1) This is not possible, unless you were running a TCPDump when the packet came in.  UTM IPS (Snort) doesn't capture; it passes or drops the packets.

    2) Check the Intrusion Prevention System log. It'll be in there.  The information from reporting, like top 10s or pretty graphs, is fine for at-a-glance information, but for details you always need to check the raw logs.

    3) Sophos does not create its own rules. It uses freely available Snort rulesets. Get the rule ID (SID) from the applicable log lines. Once you have this, go to http://www.astaro.com/lists/. Grab the latest ASGV9-IPS-rules file (available in HTML or XML) and find the rule ID. There you'll get links to more information.  Sometimes a rule isn't in there; in that case, or for additional information, Google the Snort rule ID.

    Doing a two-second search, I found https://www.snort.org/search?query=32488.  In this case, there really aren't many details.  If this happens, you could try downloading rules from Snort, where you can take a look in them to find the exact pattern it's looking for.

    If you determine that this is a false positive for your environment, you can create a rule modification to disable it at Network Protection > Intrusion Prevention > Advanced.
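The triage the answer above describes (pull the event with its timestamp and hosts from the raw IPS log, then look the SID up in the Snort rule text to see what pattern it matches on) as an added Python example. This is not code from the thread or from Sophos. The key="value" layout and field names of the UTM IPS log are an assumption that approximates the real log, the sample log lines are constructed, and the rule body shown for sid 32488 is a made-up placeholder, not the real rule; fetch the real rule text from snort.org as the answer suggests.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample IPS log lines (assumed UTM key="value" layout; addresses
# are RFC 5737 documentation ranges). Only sub="ips" lines are IPS events.
SAMPLE_IPS_LOG = """\
2015:06:26-09:14:02 utm snort[4121]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="packet dropped" action="drop" group="150" srcip="192.0.2.10" dstip="198.51.100.7" proto="6" srcport="51234" dstport="80" sid="32488" class="Potentially Bad Traffic" priority="2"
2015:06:26-09:14:05 utm snort[4121]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="packet dropped" action="drop" group="150" srcip="192.0.2.10" dstip="203.0.113.22" proto="6" srcport="51240" dstport="80" sid="32488" class="Potentially Bad Traffic" priority="2"
2015:06:26-09:20:41 utm snort[4121]: id="2102" severity="info" sys="SecureNet" sub="ips" name="packet alert" action="alert" group="120" srcip="192.0.2.55" dstip="198.51.100.9" proto="17" srcport="5353" dstport="5353" sid="1000001" class="Misc activity" priority="3"
"""

# Constructed placeholder rules in Snort syntax. The body for sid 32488 is
# invented for this example and is NOT the real rule.
SAMPLE_RULES = """\
# placeholder ruleset
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXAMPLE placeholder for sid 32488"; flow:to_server,established; content:"GET"; http_method; content:"/example-path"; http_uri; classtype:bad-unknown; sid:32488; rev:1;)
alert udp any any -> any 5353 (msg:"EXAMPLE placeholder mDNS query"; content:"|00 00 00 00 00 01|"; offset:2; sid:1000001; rev:1;)
"""

KV_RE = re.compile(r'(\w+)="([^"]*)"')
TS_RE = re.compile(r"^(\d{4}:\d{2}:\d{2}-\d{2}:\d{2}:\d{2})")
RULE_RE = re.compile(
    r"^(?P<action>alert|drop|pass|log)\s+(?P<proto>\S+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+"
    r"(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$"
)
# option name, optionally ":" and a quoted string or a bare value, then ";"
OPT_RE = re.compile(r'\s*(\w+)(?::\s*("(?:[^"\\]|\\.)*"|[^;]*))?;')


def parse_ips_log(text: str) -> List[Dict[str, str]]:
    """Return one dict per IPS event with its key="value" fields plus 'time'."""
    events = []
    for line in text.splitlines():
        if 'sub="ips"' not in line:
            continue
        ev = dict(KV_RE.findall(line))
        m = TS_RE.match(line)
        ev["time"] = m.group(1) if m else "?"
        events.append(ev)
    return events


def parse_snort_rules(text: str) -> Dict[int, Dict[str, object]]:
    """Index Snort rules by SID, keeping msg, header and content patterns."""
    rules: Dict[int, Dict[str, object]] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = RULE_RE.match(line)
        if not m:
            continue
        rule: Dict[str, object] = {"header": line.split("(", 1)[0].strip(),
                                   "msg": "", "content": [], "raw": line}
        sid = None
        for name, value in OPT_RE.findall(m.group("opts")):
            value = value.strip().strip('"')
            if name == "sid":
                sid = int(value)
            elif name == "msg":
                rule["msg"] = value
            elif name == "content":
                rule["content"].append(value)  # type: ignore[union-attr]
        if sid is not None:
            rules[sid] = rule
    return rules


def explain_sid(events: List[Dict[str, str]], rules: Dict[int, Dict[str, object]],
                sid: int) -> Dict[str, object]:
    """Join the log hits for one SID with the rule that fired, if we have it."""
    hits: List[Tuple[str, str, str, str, str]] = [
        (e["time"], e.get("srcip", "?"), e.get("dstip", "?"),
         e.get("dstport", "?"), e.get("action", "?"))
        for e in events if e.get("sid") == str(sid)
    ]
    rule = rules.get(sid)
    return {
        "sid": sid,
        "hits": hits,
        "header": rule["header"] if rule else None,
        "msg": rule["msg"] if rule else None,
        "patterns": list(rule["content"]) if rule else [],  # type: ignore[arg-type]
    }


if __name__ == "__main__":
    report = explain_sid(parse_ips_log(SAMPLE_IPS_LOG), parse_snort_rules(SAMPLE_RULES), 32488)
    for time, src, dst, dport, action in report["hits"]:  # type: ignore[misc]
        print(f"{time} {action} {src} -> {dst}:{dport}")
    print("rule:", report["header"], "|", report["msg"])
    print("content patterns:", report["patterns"])
```

With a real UTM IPS log and the matching rules file substituted for the constructed samples, the hits list answers the "when" and "which hosts" questions directly, and the content patterns tell you what the rule actually keys on, which is what you need before deciding whether to disable it under Network Protection > Intrusion Prevention > Advanced.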

  • Scott,

    The rule may be a false positive, or Akamai may have a few internal hosts infected and spewing out malware. It would be bad for a CDN to have a malware infestation, but they do run some Windows and, as I recall, are in negotiations with MS to run in Azure. Personally, they should be imitating Google and doing all containers for objects that have the same security profile and risk.

    Thanks for the pointers and tips. I feel like a newbie again, but so far things look good. HTTPS inspection is a BIG deal, as I feel that is the #1 threat to any network, the easiest attack vector to get in and get on a Windows machine.

    The landscape is changing even for Sophos. Users in Chattanooga getting 10gig fiber means the IPS/IDS will be very busy, and I know those home users are not going to pay for 10gig a second filtering with a BIG security appliance.

    Thanks,
    Joe
  • Very busy indeed. Those users who are using UTM will need extremely beefy hardware for those speeds. One of the big drawbacks with Snort for IPS is that it is single-threaded currently, which can create significant latency if the processing queue gets backed up.