
Kaspersky Pattern Update causing Intrusion Prevention alert

Hello,

We have an e-mail gateway with a built-in Kaspersky AV engine. Yesterday evening the Astaro started to send e-mails with this text:

[asg.local][INFO-852] Intrusion Prevention Alert (Packet dropped)


Intrusion Prevention Alert

An intrusion has been detected. The packet has been dropped automatically.
You can toggle this rule between "drop" and "alert only" in WebAdmin.

Details about the intrusion alert:

Message........: FILE-IDENTIFY Microsoft Windows PIF shortcut file download request
Details........: www.snort.org/.../17043
Time...........: 2013:04:16-09:02:21
Packet dropped.: yes
Priority.......: low
Classification.: Misc activity
IP protocol....: 6 (TCP)

Source IP address: 192.168.***(localhost)
Source port: 51143
Destination IP address: 195.122.169.18 
www.dnsstuff.com/.../ptr.ch
www.ripe.net/.../whois
ws.arin.net/.../whois.pl
cgi.apnic.net/.../whois.pl
Destination port: 80 (http)


After some research we figured out that our e-mail gateway failed to get the pattern updates for the AV scanner. After disabling the AV scanner temporarily, the IPS alerts stopped immediately. The destination IPs point to the update server from Kaspersky Labs.

Is it possible that there is a faulty IPS pattern responsible for this?
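
An added example, not part of the original post: a small parser for the alert e-mail format quoted above that groups alerts by rule, destination address and port, so a recurring outbound request like the update traffic described here stands out during triage. The function names are illustrative and the sample input is the alert text from the post, with two of the lookup links omitted.

```python
import re
from collections import Counter
from datetime import datetime

# Alert body copied from the post (the source address is masked there as well).
SAMPLE_ALERT = """\
Message........: FILE-IDENTIFY Microsoft Windows PIF shortcut file download request
Details........: www.snort.org/.../17043
Time...........: 2013:04:16-09:02:21
Packet dropped.: yes
Priority.......: low
Classification.: Misc activity
IP protocol....: 6 (TCP)

Source IP address: 192.168.***(localhost)
Source port: 51143
Destination IP address: 195.122.169.18
www.dnsstuff.com/.../ptr.ch
www.ripe.net/.../whois
Destination port: 80 (http)
"""

# Matches "Key.....: value" (dot-padded) and plain "Key: value" lines.
FIELD = re.compile(r"^([A-Za-z][A-Za-z ]*?)\.*:\s*(.*?)\s*$")

def parse_alert(text):
    """Return the alert fields as a dict keyed by lower-cased field name."""
    fields = {}
    for line in text.splitlines():
        m = FIELD.match(line)
        if m:  # lookup-link lines carry no "Key:" prefix and are skipped
            fields[m.group(1).lower()] = m.group(2)
    if "time" in fields:  # timestamp format as it appears in the alert
        fields["time"] = datetime.strptime(fields["time"], "%Y:%m:%d-%H:%M:%S")
    return fields

def group_alerts(alert_texts):
    """Count alerts per (rule message, destination IP, destination port)."""
    counts = Counter()
    for text in alert_texts:
        a = parse_alert(text)
        counts[(a.get("message"), a.get("destination ip address"),
                a.get("destination port"))] += 1
    return counts

if __name__ == "__main__":
    for key, n in group_alerts([SAMPLE_ALERT, SAMPLE_ALERT]).most_common():
        print(n, key)
```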

