Thread Info
  • State Not Answered
  • Locked Locked
  • Replies 13 replies
  • Subscribers 2 subscribers
  • Views 3337 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

four infected pc's, and no alarm from astaro IPS

mourik_jan
Hi all,

I'm wondering here. This week I have had infections on FOUR workstations, with the autorun-ATQ [Worm]. It communicated with it's botnet masters over port 8004.

But my question is: shouldn't these kinds of infections have generated alerts??


This thread was automatically locked due to age.
Parents
  • 0
    I was under the impression that the IPS module would scan outgoing traffic for patterns that identity certain worms/virusses/trojans, etc. So if this traffic is typical worm traffic (which I'm guessing it is) it should be detected AND blocked..? But it's neither detected nor blocked.

    I have an any rule, yes: I allow any traffic to outside (except specific stuff), and all replies in.

    I'm guessing I misunderstood how the IPS module works?
  • 0 in reply to mourik_jan
    You are right, there are some rules that scan outbound traffic; either there aren't any rules available for that particular Worm, or they aren't in the current ruleset that Astaro distributes... or yours was a variant that doesn't match up with the IPS patterns at all.  If this is a commercial installation, I recommend starting a case with Astaro support to investigate further.
Reply
  • 0 in reply to mourik_jan
    You are right, there are some rules that scan outbound traffic; either there aren't any rules available for that particular Worm, or they aren't in the current ruleset that Astaro distributes... or yours was a variant that doesn't match up with the IPS patterns at all.  If this is a commercial installation, I recommend starting a case with Astaro support to investigate further.
Children
No Data