Here is one that claims I downloaded a screensaver from Sophos. I only downloaded the ISO and one update. Maybe a pattern or two...
https://www.threatcrowd.org/ip.php?ip=208.111.171.148

This one is FROM the internal IP of my UTM.

I suspect this is also a false positive. I will check it out tomorrow with some threat intel feeds and tools we have at work.

Is there any way to view the packets or the actual triggers of these events?
I am looking into building a Security Onion box for this, but that has not happened yet.
Is there any way to tweak the rules, other than turning off the IPS or a rule?
Are we ever going to be able to add/create rules for the IPS - or add other feeds?
Thanks,
C68