An example alert;
Intrusion Prevention Alert
An intrusion has been detected. The packet has been dropped automatically.
You can toggle this rule between "drop" and "alert only" in WebAdmin.
Details about the intrusion alert:
Message........: BROWSER-IE Microsoft Internet Explorer CSS importer use-after-free attempt
Details........: https://www.snort.org/search?query=18196
Time...........: 2015-06-11 14:36:52
Packet dropped.: yes
Priority.......: high
Classification.: Attempted User Privilege Gain IP protocol....: 6 (TCP)
Source IP address: 207.123.57.107
Source port: 80 (http)
Destination IP address: 192.168.2.56
Destination port: 64728
--
HA Status : HA MASTER (node id: 1)
System Uptime : 58 days 20 hours 25 minutes
System Load : 0.21
System Version : Sophos UTM 9.310-11
Please refer to the manual for detailed instructions.
There have been a few different types of message, with various source IP's but only two PC's as the destination IP. All packets have been dropped.
The alert seems to be saying there was a bad response received from a web request, but I can't find any trace of requests being made to the source IP's on either Sophos logs or PC's. The PC users haven't reported ay errors or strangeness either.
Can anyone explain?
This thread was automatically locked due to age.
