
Constant alerts from IPS since 3 weeks

Hi everyone,

For three weeks now we have been getting many alerts from the IPS every day, all with the same reason:


An intrusion has been detected. The packet has been dropped automatically.
You can toggle this rule between "drop" and "alert only" in WebAdmin.

Details about the intrusion alert:

Message........: SPECIFIC-THREATS Microsoft SPNEGO ASN.1 library heap corruption overflow attempt
Details........: Snort ::
Time...........: 2011:02:04-09:43:43
Packet dropped.: yes
Priority.......: 1 (high)
Classification.: Attempted Administrator Privilege Gain
IP protocol....: 6 (TCP)

Source IP address: 84.108.95.224 (bzq-84-108-95-224.cablep.bezeqint.net)
Source port: 45954


Why only one type of intrusion, and why did it start three weeks ago? It is a very old issue from 2004, and Microsoft patched this years ago.


  • Hi, if you're sure your machines are patched, you can disable that rule (#12905) by creating an exception in Intrusion Prevention - Advanced.

    Barry
  • Someone has got a scanner running trying to exploit systems... I see these at several customer sites all the time now.

    CTO, Convergent Information Security Solutions, LLC

    https://www.convergesecurity.com

    Advice given as posted on this forum does not construe a support relationship or other relationship with Convergent Information Security Solutions, LLC or its subsidiaries.  Use the advice given at your own risk.

  • I too have been noticing these attacks. I have received 47 'pings' of it since Feb 3rd.

    Aside from blocking the IPs of the compromised systems, is there anything that can be done to resolve the issue? Such as groups to report offending IPs to?

    Or is there a way to block the "alert" portion of this prevention but retain the drop action?
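One way to triage a batch of these mails, as an added example (not code from the thread or from the firewall vendor): parse alert blocks in the field layout quoted above and count them per rule, per source address and per day, which answers the original question (is it really one rule, and since when) as well as the "47 pings since Feb 3rd" tally, and lists sources whose packets were not dropped. The sample mail text, its addresses and the helper names are constructed for this example.

```python
import re
from collections import Counter
from datetime import datetime

# Field lines are "Label....: value" (dots pad the label) or "Label: value".
FIELD_RE = re.compile(r"^([A-Za-z][A-Za-z ]*?)\.*\s*:\s*(.*)$")
# Constructed sample in the layout of the IPS mail quoted above (documentation-range IPs).
RULE = "SPECIFIC-THREATS Microsoft SPNEGO ASN.1 library heap corruption overflow attempt"
SAMPLE_ALERTS = f"""\
Message........: {RULE}
Time...........: 2011:02:03-08:12:01
Packet dropped.: yes
Source IP address: 192.0.2.10 (scanner-a.example)

Message........: {RULE}
Time...........: 2011:02:04-09:43:43
Packet dropped.: yes
Source IP address: 192.0.2.10 (scanner-a.example)

Message........: {RULE}
Time...........: 2011:02:04-11:05:17
Packet dropped.: no
Source IP address: 198.51.100.7
"""

def parse_alerts(text):
    """Split a mail body into alert blocks; return one dict per alert."""
    alerts = []
    for block in re.split(r"\n\s*\n", text.strip()):
        fields = {}
        for line in block.splitlines():
            m = FIELD_RE.match(line.strip())
            if m:
                fields[m.group(1).strip()] = m.group(2).strip()
        if "Message" not in fields or "Time" not in fields:
            continue  # headers, whois links, etc. are not alert blocks
        fields["src"] = fields.get("Source IP address", "").split(" ")[0]  # drop "(rdns)"
        fields["when"] = datetime.strptime(fields["Time"], "%Y:%m:%d-%H:%M:%S")
        alerts.append(fields)
    return alerts

def summarize(alerts):
    """Which rule fires, from which sources, on which days, and since when."""
    return {
        "by_rule": Counter(a["Message"] for a in alerts),
        "by_src": Counter(a["src"] for a in alerts),
        "by_day": Counter(a["when"].date().isoformat() for a in alerts),
        "first_seen": min(a["when"] for a in alerts),
        "not_dropped": sorted({a["src"] for a in alerts if a.get("Packet dropped", "").lower() != "yes"}),
    }
```

Feed it the concatenated bodies of the alert mails; a single rule with a handful of source addresses is the "someone is running a scanner" case Bob describes, whereas many rules from many sources would warrant a closer look.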