
IPS Wrong Action

Why is the action ALERT when the policy is set to DROP?
Does this mean that the IPS is only monitoring?

2015:06:11-19:49:21 utm120-sec303 snort[5018]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="alert" reason="PROTOCOL-DNS TMG Firewall Client long host entry exploit attempt" group="241" srcip="200.194.96.34" dstip="10.31.45.99" proto="17" srcport="53" dstport="41921" sid="19187" class="Attempted User Privilege Gain" priority="1" generator="3" msgid="0"
2015:06:11-19:49:21 utm120-sec303 snort[5018]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="alert" reason="PROTOCOL-DNS TMG Firewall Client long host entry exploit attempt" group="241" srcip="200.194.96.34" dstip="10.31.45.99" proto="17" srcport="53" dstport="55625" sid="19187" class="Attempted User Privilege Gain" priority="1" generator="3" msgid="0"
2015:06:11-19:50:21 utm120-sec303 snort[5018]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="alert" reason="SERVER-WEBAPP Wordpress timthumb.php theme remote file include attack attempt" group="217" srcip="66.220.158.112" dstip="10.31.45.212" proto="6" srcport="65005" dstport="80" sid="19653" class="Web Application Attack" priority="1" generator="1" msgid="0"
2015:06:11-19:50:21 utm120-sec303 snort[5018]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="alert" reason="SERVER-WEBAPP Wordpress timthumb.php theme remote file include attack attempt" group="217" srcip="66.220.158.113" dstip="10.31.45.212" proto="6" srcport="10746" dstport="80" sid="19653" class="Web Application Attack" priority="1" generator="1" msgid="0"
2015:06:11-19:54:22 utm120-sec303 snort[5018]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="alert" reason="SERVER-IIS Microsoft Windows IIS FastCGI request header buffer overflow attempt" group="213" srcip="54.151.42.39" dstip="10.31.45.212" proto="6" srcport="35203" dstport="80" sid="24379" class="Attempted Administrator Privilege Gain" priority="1" generator="1" msgid="0"
2015:06:11-19:54:22 utm120-sec303 snort[5018]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="alert" reason="SERVER-IIS Microsoft Windows IIS FastCGI request header buffer overflow attempt" group="213" srcip="54.151.42.39" dstip="10.31.45.212" proto="6" srcport="35276" dstport="80" sid="24379" class="Attempted Administrator Privilege Gain" priority="1" generator="1" msgid="0" 

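One check that helps with a question like this is to parse the IPS lines and tabulate, per signature, which actions were actually logged, so you can tell whether a sid was ever dropped or has only ever been alerted on. The script below is an added example, not code from the post or from Sophos; it uses the six log lines quoted above as its sample input and only reports what those lines contain (the key="value" field names, "sid", "reason" and "action", are taken from the lines themselves). It does not explain why the policy and the logged action differ; it just makes the discrepancy measurable over a whole log file.

```python
import re
from collections import Counter, defaultdict

# Constructed sample input: the six IPS log lines quoted in the post above, verbatim.
SAMPLE_LOG = """\
2015:06:11-19:49:21 utm120-sec303 snort[5018]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="alert" reason="PROTOCOL-DNS TMG Firewall Client long host entry exploit attempt" group="241" srcip="200.194.96.34" dstip="10.31.45.99" proto="17" srcport="53" dstport="41921" sid="19187" class="Attempted User Privilege Gain" priority="1" generator="3" msgid="0"
2015:06:11-19:49:21 utm120-sec303 snort[5018]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="alert" reason="PROTOCOL-DNS TMG Firewall Client long host entry exploit attempt" group="241" srcip="200.194.96.34" dstip="10.31.45.99" proto="17" srcport="53" dstport="55625" sid="19187" class="Attempted User Privilege Gain" priority="1" generator="3" msgid="0"
2015:06:11-19:50:21 utm120-sec303 snort[5018]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="alert" reason="SERVER-WEBAPP Wordpress timthumb.php theme remote file include attack attempt" group="217" srcip="66.220.158.112" dstip="10.31.45.212" proto="6" srcport="65005" dstport="80" sid="19653" class="Web Application Attack" priority="1" generator="1" msgid="0"
2015:06:11-19:50:21 utm120-sec303 snort[5018]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="alert" reason="SERVER-WEBAPP Wordpress timthumb.php theme remote file include attack attempt" group="217" srcip="66.220.158.113" dstip="10.31.45.212" proto="6" srcport="10746" dstport="80" sid="19653" class="Web Application Attack" priority="1" generator="1" msgid="0"
2015:06:11-19:54:22 utm120-sec303 snort[5018]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="alert" reason="SERVER-IIS Microsoft Windows IIS FastCGI request header buffer overflow attempt" group="213" srcip="54.151.42.39" dstip="10.31.45.212" proto="6" srcport="35203" dstport="80" sid="24379" class="Attempted Administrator Privilege Gain" priority="1" generator="1" msgid="0"
2015:06:11-19:54:22 utm120-sec303 snort[5018]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="alert" reason="SERVER-IIS Microsoft Windows IIS FastCGI request header buffer overflow attempt" group="213" srcip="54.151.42.39" dstip="10.31.45.212" proto="6" srcport="35276" dstport="80" sid="24379" class="Attempted Administrator Privilege Gain" priority="1" generator="1" msgid="0"
"""

# key="value" pairs as they appear after the syslog-style prefix
FIELD_RE = re.compile(r'(\w+)="([^"]*)"')
# timestamp, hostname and snort PID at the start of every IPS line
PREFIX_RE = re.compile(r'^(?P<ts>\S+) (?P<host>\S+) snort\[(?P<pid>\d+)\]:')


def parse_ips_line(line):
    """Parse one UTM IPS log line into a dict of its key="value" fields,
    plus the leading timestamp ("ts"), host and snort PID.
    Returns None for lines that do not carry the snort prefix."""
    m = PREFIX_RE.match(line)
    if not m:
        return None
    fields = dict(FIELD_RE.findall(line[m.end():]))
    fields.update(m.groupdict())
    return fields


def summarize_actions(lines):
    """Map each signature (sid, reason) to a Counter of the actions logged for it."""
    summary = defaultdict(Counter)
    for line in lines:
        ev = parse_ips_line(line)
        if ev is None or ev.get("sub") != "ips":
            continue  # skip non-IPS lines mixed into the same file
        summary[(ev["sid"], ev["reason"])][ev["action"]] += 1
    return summary


def signatures_never_dropped(lines):
    """sids whose every event was logged with an action other than "drop".
    These signatures were only detected, never blocked, in the log examined."""
    return sorted(sid for (sid, _), actions in summarize_actions(lines).items()
                  if "drop" not in actions)


def format_report(lines):
    """Human-readable per-signature action counts, one line per sid."""
    out = []
    for (sid, reason), actions in sorted(summarize_actions(lines).items()):
        counts = ", ".join(f"{a}={n}" for a, n in sorted(actions.items()))
        out.append(f"sid {sid}: {counts}  [{reason}]")
    return "\n".join(out)


if __name__ == "__main__":
    events = SAMPLE_LOG.splitlines()
    print(format_report(events))
    print("never dropped:", signatures_never_dropped(events))
```

Run it over the real file instead of SAMPLE_LOG (for example `signatures_never_dropped(open("/var/log/ips.log").read().splitlines())`, path assumed) to get the list of sids that have only ever produced action="alert"; if every sid is in that list after the policy was switched to DROP, the IPS is indeed only detecting on that traffic and the configuration, not the signatures, is what to look at.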

  • The extra-warnings option was enabled ... I understand that this option can generate more false positives; however, the true positives should continue ... all alerts were in "alert".

    I believe this can be a mistake ..