
High rate of IPS alerts for "EXPLOIT-KIT Angler exploit kit news uri structure"

Hi,

For the last month or two, I've been getting IPS alerts for

EXPLOIT-KIT Angler exploit kit news uri structure
https://www.snort.org/search?query=38439

every time someone visits a certain site (backchina.com) as well as while I'm surfing misc sites.

Some of the hits are on Google and Akamai servers, which makes me think at least some are probably False Positives.

No one here uses IE, so I'm not sure I care about Angler.

Thoughts?
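One way to sort this kind of alert storm before deciding anything is to group hits for the signature by destination and separate destinations that fall inside known CDN/hosting ranges (candidates for false-positive review, as with the Google and Akamai hits above) from everything else. The script below is an added example, not code from the thread or from Sophos: the key=value alert format is constructed for illustration and is not the real UTM IPS log format, and the "provider" ranges are RFC 5737 documentation networks standing in for the real provider lists an analyst would maintain.

```python
"""Triage of repeated IPS alerts for one signature (added example).

The alert line layout is an assumed key=value format, not the Sophos UTM log
format. Provider ranges are placeholders (RFC 5737 documentation networks).
"""
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# Constructed sample alerts, one per line (assumed format, not real UTM output).
SAMPLE_ALERTS = [
    '2016-03-01T10:02:11 sid=38439 msg="EXPLOIT-KIT Angler exploit kit news uri structure" src=192.168.1.20 dst=203.0.113.10 dport=80',
    '2016-03-01T10:02:13 sid=38439 msg="EXPLOIT-KIT Angler exploit kit news uri structure" src=192.168.1.20 dst=203.0.113.11 dport=80',
    '2016-03-01T10:05:40 sid=38439 msg="EXPLOIT-KIT Angler exploit kit news uri structure" src=192.168.1.31 dst=198.51.100.7 dport=80',
    '2016-03-01T11:17:02 sid=38439 msg="EXPLOIT-KIT Angler exploit kit news uri structure" src=192.168.1.45 dst=192.0.2.99 dport=80',
    '2016-03-01T11:17:03 sid=38439 msg="EXPLOIT-KIT Angler exploit kit news uri structure" src=192.168.1.45 dst=192.0.2.99 dport=80',
    '2016-03-01T11:20:00 sid=12345 msg="PLACEHOLDER other rule" src=192.168.1.45 dst=192.0.2.99 dport=443',
    'garbage line that does not parse',
]

# Placeholder provider ranges (documentation networks). In practice these come
# from the providers' published address lists, not from this file.
KNOWN_PROVIDER_RANGES = {
    "cdn-placeholder-A": [ip_network("203.0.113.0/24")],
    "cdn-placeholder-B": [ip_network("198.51.100.0/24")],
}

ALERT_RE = re.compile(
    r'^(?P<ts>\S+)\s+sid=(?P<sid>\d+)\s+msg="(?P<msg>[^"]*)"\s+'
    r'src=(?P<src>[\d.]+)\s+dst=(?P<dst>[\d.]+)\s+dport=(?P<dport>\d+)$'
)


def parse_alert(line):
    """Return a dict for a well-formed alert line, or None for anything else."""
    m = ALERT_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["sid"] = int(rec["sid"])
    rec["dport"] = int(rec["dport"])
    return rec


def provider_for(dst):
    """Name of the known provider range containing dst, or None."""
    addr = ip_address(dst)
    for name, nets in KNOWN_PROVIDER_RANGES.items():
        if any(addr in net for net in nets):
            return name
    return None


def triage(lines, sid):
    """Group alerts for one signature id by destination.

    'review': destination sits in a known provider range, so the hit is a
    false-positive candidate (confirm with the full URI if the IPS can log it).
    'investigate': everything else; these keep their priority.
    """
    by_dst = Counter()
    sources = {}
    unparsed = 0
    for line in lines:
        rec = parse_alert(line)
        if rec is None:
            unparsed += 1
            continue
        if rec["sid"] != sid:
            continue
        by_dst[rec["dst"]] += 1
        sources.setdefault(rec["dst"], set()).add(rec["src"])
    review, investigate = {}, {}
    for dst, n in by_dst.items():
        entry = {"hits": n, "sources": sorted(sources[dst]), "provider": provider_for(dst)}
        (review if entry["provider"] else investigate)[dst] = entry
    return {"sid": sid, "review": review, "investigate": investigate, "unparsed": unparsed}


if __name__ == "__main__":
    result = triage(SAMPLE_ALERTS, 38439)
    for bucket in ("review", "investigate"):
        print(bucket.upper())
        for dst, e in sorted(result[bucket].items()):
            print(f"  {dst:<16} hits={e['hits']} sources={e['sources']} provider={e['provider']}")
    print("unparsed lines:", result["unparsed"])
```

The point of the split is that a hit to a large shared provider is not proof of a false positive (exploit kits have been served from compromised hosting before), only a reason to confirm against the requested URI before adding an exception; hits to destinations outside those ranges stay in the investigate bucket with the internal sources that triggered them.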



This thread was automatically locked due to age.
  • Hi,

    The best practice is to make sure the patterns in UTM are up to date. Until the IPS detects and drops the malicious signatures, and if that is not causing trouble to production, let's not simply conclude they are false positives.

    Thanks

  • Hi Sachin,

    IPS Pattern version is 106344 and the dashboard says it's up to date.

    The problem is that this pattern IS causing problems; it's blocking people from accessing web sites they want to read.

    I am not sure if the sites are actually hosting malware or not, but as GoogleUserContent and Akamai have been blocked recently by this rule, I tend to think those are probably not malware.

    I really wish the IPS would record the offending packet so it could be examined further. Note many other products can do this.

    Thanks,
    Barry

  • Hi Barry,

    Once the IPS patterns are up to date we can move forward to fine-tune the IPS settings. Add only the internal network in the local network dialog box; avoid WAN or ANY. To increase performance and minimize the amount of false positive alerts, you can specify your internal servers that are protected by the IPS in the Advanced section of the IPS configuration.

    It is also important to define the rule age correctly. Usually, I select a shorter time span and do not restrict IPS patterns to 12 months, which is set by default. Defining the rule age partially records the history of offending packets but does not have the feature to examine it further.

    Thanks

  • Hi Sachin,

    1. The Internal networks are already correctly configured in the IPS settings.

    2. Internal Servers are already specified. However, this is a browser exploit, not a server exploit.

    3. I have the Rule Aging set as I want it. I believe this rule is only about 2 months old.

    Thanks