This discussion has been locked.

You can no longer post new replies to this discussion. If you have a question you can start a new discussion

IPS warning - meaning?

I have tow of these alerts in my logs.

It is my Vista laptop going out to an external IP.

"WEB-CLIENT Microsoft SYmbolic LinK file download request"

All I got from google was the snort rules. Anyone have a clue what exactly this means my laptop was doing?

Thanks,

C68

This thread was automatically locked due to age.

Parents

0 Coder68 over 15 years ago

SnortID.com - Search for SNORT ID's - Snort is a registered trademark of Sourcefire, Inc

I searched on the ID field...

This is an internal IP going to a remote IP...

2010:04:29-20:03:07 ************ snort[3981]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="drop" reason="WEB-CLIENT Microsoft SYmbolic LinK file download request" group="320" srcip="***.***.***.46" dstip="38.117.98.196" proto="6" srcport="1922" dstport="80" sid="13583" class="Misc activity" priority="3" generator="1" msgid="0"

That PC is fully patched... Windows and all third party software (Secunia PSI checks it weekly). It runs a full Internet Security suite including firewall, AV and HIPS. We only surf using Sandboxie... and Firefox.

I can't see that box being infected...so I am not sure what is going on. I will watch some traffic in Wireshark and see what I see.

Thanks for the tip!

C68
Cancel
Vote Up 0 Vote Down

Cancel

Reply

0 Coder68 over 15 years ago

SnortID.com - Search for SNORT ID's - Snort is a registered trademark of Sourcefire, Inc

I searched on the ID field...

This is an internal IP going to a remote IP...

2010:04:29-20:03:07 ************ snort[3981]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="drop" reason="WEB-CLIENT Microsoft SYmbolic LinK file download request" group="320" srcip="***.***.***.46" dstip="38.117.98.196" proto="6" srcport="1922" dstport="80" sid="13583" class="Misc activity" priority="3" generator="1" msgid="0"

That PC is fully patched... Windows and all third party software (Secunia PSI checks it weekly). It runs a full Internet Security suite including firewall, AV and HIPS. We only surf using Sandboxie... and Firefox.

I can't see that box being infected...so I am not sure what is going on. I will watch some traffic in Wireshark and see what I see.

Thanks for the tip!

C68
Cancel
Vote Up 0 Vote Down

Cancel

Children

0 Coder68 over 15 years ago in reply to Coder68

I looked up the incorrect SID before... this is the correct one.
SnortID.com - Search for SNORT ID's - Snort is a registered trademark of Sourcefire, Inc

It appears to be related to my AV updates. It is causing them to take way longer to download then normal. (A lot of retransmissions.) It is not an attack on Office as the link above suggests. At least, I do not see how it can be, as the vulnerable version is not on that PC.

I am not sure how to stop this alert from happening other then to turn off the rule for outgoing packets. (Not sure how to turn a single rule or which rule to turn the group off - not that I want to turn off the group.)

Any thoughts?

Thanks,

C68
Cancel
Vote Up 0 Vote Down

Cancel
0 Coder68 over 15 years ago in reply to Coder68

It appears that stopping and restarting the IPS engine has solved the issue.

Thanks,

C68
Cancel
Vote Up 0 Vote Down

Cancel