Lots of IPS attacks lately, one CNC Trufflehunter, can't find much info on it (False Positive?)

We have been getting a LOT of IPS attacks lately.  Getting Snort 38330 MALWARE-CNC TRUFFLEHUNTER SFVRT-1020 attack attempt from several internal IPs.  Snort doesn't give much information... is there a good chance these hosts are infected?  Sophos Cloud AV finds nothing on them.

Also another host giving lots of Snort 3709 INDICATOR-OBFUSCATION known javascript packer detected... I've scanned that machine with just about everything in the sun and cannot find anything?  False positive?

2016:05:12-11:40:46 ctw-fw snort[2462]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="drop" reason="INDICATOR-OBFUSCATION known javascript packer detected" group="320" srcip="50.63.72.1" dstip="172.16.28.112" proto="6" srcport="80" dstport="57456" sid="37909" class="Misc activity" priority="3" generator="1" msgid="0"
2016:05:12-11:54:53 ctw-fw snort[2462]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="drop" reason="MALWARE-CNC TRUFFLEHUNTER SFVRT-1020 attack attempt" group="500" srcip="172.16.1.127" dstip="216.58.194.36" proto="1" srcport="0" dstport="0" sid="38330" class="Misc activity" priority="3" generator="3" msgid="0"
2016:05:12-11:57:48 ctw-fw snort[2462]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="drop" reason="MALWARE-CNC TRUFFLEHUNTER SFVRT-1020 attack attempt" group="500" srcip="172.16.1.127" dstip="216.58.218.206" proto="1" srcport="0" dstport="0" sid="38330" class="Misc activity" priority="3" generator="3" msgid="0"

It also seems that these newer Rules are set up for WARN instead of block.  Should they be manually blocked, and how to tell if it really is something to actually spend time hunting down?

Thanks!
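A small triage helper for the UTM snort log format shown above, added here as an example and not part of the thread or of any Sophos tool: it parses the key="value" fields, groups alerts by Snort sid, and separates alerts whose source is an internal (RFC 1918) address, which are the ones worth checking on the host, from inbound drops aimed at an internal client. The sample lines are the three from the post; all function and variable names are my own.

```python
import ipaddress
import re
from collections import defaultdict

# Sample alerts copied from the thread (Sophos UTM snort log format).
SAMPLE_LOG = """2016:05:12-11:40:46 ctw-fw snort[2462]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="drop" reason="INDICATOR-OBFUSCATION known javascript packer detected" group="320" srcip="50.63.72.1" dstip="172.16.28.112" proto="6" srcport="80" dstport="57456" sid="37909" class="Misc activity" priority="3" generator="1" msgid="0"
2016:05:12-11:54:53 ctw-fw snort[2462]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="drop" reason="MALWARE-CNC TRUFFLEHUNTER SFVRT-1020 attack attempt" group="500" srcip="172.16.1.127" dstip="216.58.194.36" proto="1" srcport="0" dstport="0" sid="38330" class="Misc activity" priority="3" generator="3" msgid="0"
2016:05:12-11:57:48 ctw-fw snort[2462]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="drop" reason="MALWARE-CNC TRUFFLEHUNTER SFVRT-1020 attack attempt" group="500" srcip="172.16.1.127" dstip="216.58.218.206" proto="1" srcport="0" dstport="0" sid="38330" class="Misc activity" priority="3" generator="3" msgid="0"
"""

KV_RE = re.compile(r'(\w+)="([^"]*)"')
PROTO_NAMES = {"1": "ICMP", "6": "TCP", "17": "UDP"}  # IP protocol numbers


def parse_utm_ips_line(line):
    """Split one UTM snort log line into its timestamp and key="value" fields."""
    ts, _, rest = line.partition(" ")
    fields = dict(KV_RE.findall(rest))
    fields["timestamp"] = ts
    fields["proto_name"] = PROTO_NAMES.get(fields.get("proto"), "other")
    return fields


def triage(log_text):
    """Group alerts by sid and record which internal hosts originated them.

    An alert whose srcip is internal means the host itself sent the matching
    traffic (e.g. the 38330 ICMP hits); an alert whose srcip is external was
    content dropped on its way in to the listed internal client.
    """
    by_sid = defaultdict(lambda: {"reason": "", "count": 0, "protos": set(),
                                  "internal_sources": set(), "inbound_targets": set()})
    for line in log_text.splitlines():
        if not line.strip():
            continue
        a = parse_utm_ips_line(line)
        entry = by_sid[a["sid"]]
        entry["reason"] = a["reason"]
        entry["count"] += 1
        entry["protos"].add(a["proto_name"])
        if ipaddress.ip_address(a["srcip"]).is_private:
            entry["internal_sources"].add(a["srcip"])
        else:
            entry["inbound_targets"].add(a["dstip"])
    return dict(by_sid)


if __name__ == "__main__":
    for sid, e in sorted(triage(SAMPLE_LOG).items()):
        print(sid, e["count"], e["reason"], sorted(e["protos"]),
              "hosts to check:", sorted(e["internal_sources"]))
```

Feed it the full /var/log/ips.log export instead of SAMPLE_LOG to get a per-sid list of internal hosts that repeatedly trigger the same rule, which is the set worth scanning first.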



  • Hi,

    2016:05:12-11:40:46 ctw-fw snort[2462]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="drop" reason="INDICATOR-OBFUSCATION known javascript packer detected" group="320" srcip="50.63.72.1" dstip="172.16.28.112" proto="6" srcport="80" dstport="57456" sid="37909" class="Misc activity" priority="3" generator="1" msgid="0"

    IPS is dropping the TCP stream coming from the requested website on port 80, which indicates that the transmitting web server might be sending a malicious stream of data, which is being prevented and dropped.

    2016:05:12-11:57:48 ctw-fw snort[2462]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="drop" reason="MALWARE-CNC TRUFFLEHUNTER SFVRT-1020 attack attempt" group="500" srcip="172.16.1.127" dstip="216.58.218.206" proto="1" srcport="0" dstport="0" sid="38330" class="Misc activity" priority="3" generator="3" msgid="0"

    IPS is dropping ICMP traffic generated from source IP 172.16.1.127; we request that you scan the source system with AntiVirus.

    Please try our free tools for AntiVirus here.

    Thanks

  • Thanks for the reply...

    I have run Sophos AV both Cloud (which we have) and the MRT... and they didn't find anything, but I'm like you... I think there is a bug on that computer that is attempting to be nasty.  And the ATP in the UTM has not sent any alerts either...

    Seems like the CNC alert, we have gotten quite a bit of ... this was just an example... but no AV is finding them.