We have been getting a LOT of IPS attacks lately. Getting Snort 38330 MALWARE-CNC TRUFFLEHUNTER SFVRT-1020 attack attempt from several internal IPs. Snort doesn't give much information... is there a good chance these hosts are infected? Sophos Cloud AV finds nothing on them.
Also another host giving lots of Snort 37909 INDICATOR-OBFUSCATION known javascript packer detected... I've scanned that machine with just about everything in the sun and cannot find anything. False positive?
2016:05:12-11:40:46 ctw-fw snort[2462]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="drop" reason="INDICATOR-OBFUSCATION known javascript packer detected" group="320" srcip="50.63.72.1" dstip="172.16.28.112" proto="6" srcport="80" dstport="57456" sid="37909" class="Misc activity" priority="3" generator="1" msgid="0"
2016:05:12-11:54:53 ctw-fw snort[2462]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="drop" reason="MALWARE-CNC TRUFFLEHUNTER SFVRT-1020 attack attempt" group="500" srcip="172.16.1.127" dstip="216.58.194.36" proto="1" srcport="0" dstport="0" sid="38330" class="Misc activity" priority="3" generator="3" msgid="0"
2016:05:12-11:57:48 ctw-fw snort[2462]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="drop" reason="MALWARE-CNC TRUFFLEHUNTER SFVRT-1020 attack attempt" group="500" srcip="172.16.1.127" dstip="216.58.218.206" proto="1" srcport="0" dstport="0" sid="38330" class="Misc activity" priority="3" generator="3" msgid="0"
It also seems that these newer rules are set up for WARN instead of block. Should they be manually blocked, and how do I tell if it really is something worth spending time hunting down?
Thanks!
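The three log lines quoted above already carry most of what you need to decide which alerts deserve a hunt: which end of the flow is your host, whether that host initiated the traffic, what protocol the rule matched on, and whether the UTM dropped it. The following is an added example (my own code, not the poster's, Sophos's or Snort's) that parses the UTM key="value" log format and summarises the alerts per SID. The sample lines are the three from the post; the "private address means our side" direction heuristic and the priority wording are my assumptions, not anything the UTM reports.

```python
import ipaddress
import re

# Constructed sample: the three IPS lines quoted in the post (Sophos UTM "snort" log format).
SAMPLE_LINES = [
    '2016:05:12-11:40:46 ctw-fw snort[2462]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="drop" reason="INDICATOR-OBFUSCATION known javascript packer detected" group="320" srcip="50.63.72.1" dstip="172.16.28.112" proto="6" srcport="80" dstport="57456" sid="37909" class="Misc activity" priority="3" generator="1" msgid="0"',
    '2016:05:12-11:54:53 ctw-fw snort[2462]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="drop" reason="MALWARE-CNC TRUFFLEHUNTER SFVRT-1020 attack attempt" group="500" srcip="172.16.1.127" dstip="216.58.194.36" proto="1" srcport="0" dstport="0" sid="38330" class="Misc activity" priority="3" generator="3" msgid="0"',
    '2016:05:12-11:57:48 ctw-fw snort[2462]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="drop" reason="MALWARE-CNC TRUFFLEHUNTER SFVRT-1020 attack attempt" group="500" srcip="172.16.1.127" dstip="216.58.218.206" proto="1" srcport="0" dstport="0" sid="38330" class="Misc activity" priority="3" generator="3" msgid="0"',
]

KV_RE = re.compile(r'(\w+)="([^"]*)"')
PROTO_NAMES = {"1": "icmp", "6": "tcp", "17": "udp"}


def parse_line(line):
    """Return the key="value" fields of one UTM IPS line, plus its timestamp and firewall name."""
    ts, host, rest = line.split(" ", 2)
    fields = dict(KV_RE.findall(rest))
    fields["timestamp"] = ts
    fields["firewall"] = host
    return fields


def is_internal(ip):
    """Assumption: RFC 1918 / loopback / link-local addresses are 'our' side of the flow."""
    return ipaddress.ip_address(ip).is_private


def direction(ev):
    src_int, dst_int = is_internal(ev["srcip"]), is_internal(ev["dstip"])
    if src_int and not dst_int:
        return "outbound"
    if dst_int and not src_int:
        return "inbound"
    return "internal" if src_int else "external"


def internal_host(ev):
    """The machine worth looking at: the private end of the flow."""
    return ev["srcip"] if is_internal(ev["srcip"]) else ev["dstip"]


def describe_flow(ev):
    proto = PROTO_NAMES.get(ev["proto"], "proto-" + ev["proto"])
    if proto == "icmp":
        # Snort logs srcport/dstport as 0 for ICMP: the rule matched packet content, not a service.
        return "icmp payload"
    return f"{proto}/{ev['srcport']}->{ev['dstport']}"


def triage(lines):
    """Group alerts by SID and collect the facts needed to decide whether to hunt."""
    summary = {}
    for line in lines:
        ev = parse_line(line)
        entry = summary.setdefault(ev["sid"], {
            "rule": ev["reason"],
            "count": 0,
            "internal_hosts": set(),
            "peers": set(),
            "directions": set(),
            "flows": set(),
            "actions": set(),
            # generator (GID) 3 is Snort's shared-object rule engine, GID 1 the text rule engine.
            "rule_source": "shared-object rule" if ev["generator"] == "3" else "text rule",
        })
        entry["count"] += 1
        entry["internal_hosts"].add(internal_host(ev))
        entry["peers"].add(ev["dstip"] if is_internal(ev["srcip"]) else ev["srcip"])
        entry["directions"].add(direction(ev))
        entry["flows"].add(describe_flow(ev))
        entry["actions"].add(ev["action"])
    return summary


def hunt_priority(entry):
    """Assumed ordering: an inside host initiating matching traffic outranks dropped inbound content."""
    if "outbound" in entry["directions"]:
        return "high: internal host initiated the matching traffic; inspect it first"
    if entry["actions"] == {"drop"}:
        return "low: inbound content was blocked before reaching the client"
    return "medium: inbound content may have reached the client"


if __name__ == "__main__":
    for sid, entry in triage(SAMPLE_LINES).items():
        print(f"sid {sid} ({entry['rule']}) x{entry['count']}")
        print(f"  hosts={sorted(entry['internal_hosts'])} peers={sorted(entry['peers'])}")
        print(f"  {','.join(sorted(entry['directions']))} {','.join(sorted(entry['flows']))} "
              f"{entry['rule_source']} action={','.join(entry['actions'])}")
        print(f"  {hunt_priority(entry)}")
```

Run against the three lines, the summary separates the two cases the post mixes together: SID 37909 is inbound TCP/80 content to 172.16.28.112 that the UTM already dropped, so the client never received the packed script and an endpoint scan finding nothing is consistent with that; SID 38330 is outbound ICMP from 172.16.1.127 with no ports involved, which means the rule matched on ICMP payload, not on a web session. For that host the useful next step is a packet capture of its ICMP traffic and a check of which process is generating it, since legitimate ping payloads are small and predictable, plus a lookup of who owns the two destination addresses. The per-SID counts over a longer log window also answer the WARN-versus-block question: a rule that fires only from one host, always dropped, is a candidate to leave on warn while you look at that host; one that fires from many hosts toward the same peers is worth switching to block while you investigate.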