
IPS False Positive detection ?

Hi all,

Can someone look at the log and let me know if this is a false positive? What makes me think so: 192.168.2.38 is an iPhone, 10.16.3.160 and 10.16.4.22 are both MacBook Pros, 192.168.2.8 is Ubuntu, so none of the devices is actually Windows-based?!


2017:03:31-08:59:10 apollo snort[5061]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="drop" reason="BROWSER-IE Microsoft Edge CStyleSheet keyframes out of bounds read attempt" group="110" srcip="2.17.21.130" dstip="192.168.2.38" proto="6" srcport="80" dstport="63080" sid="38483" class="Attempted User Privilege Gain" priority="1" generator="1" msgid="0"
2017:03:31-09:01:21 apollo snort[5061]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="drop" reason="BROWSER-IE Microsoft Edge CStyleSheet keyframes out of bounds read attempt" group="110" srcip="104.127.42.52" dstip="192.168.2.38" proto="6" srcport="80" dstport="63104" sid="38483" class="Attempted User Privilege Gain" priority="1" generator="1" msgid="0"
2017:03:31-09:05:57 apollo snort[5061]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="drop" reason="BROWSER-IE Microsoft Edge CStyleSheet keyframes out of bounds read attempt" group="110" srcip="2.22.99.220" dstip="10.16.3.160" proto="6" srcport="80" dstport="61223" sid="38483" class="Attempted User Privilege Gain" priority="1" generator="1" msgid="0"
2017:03:31-09:06:05 apollo snort[5061]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="drop" reason="BROWSER-IE Microsoft Edge CStyleSheet keyframes out of bounds read attempt" group="110" srcip="2.22.99.220" dstip="10.16.3.160" proto="6" srcport="80" dstport="61246" sid="38483" class="Attempted User Privilege Gain" priority="1" generator="1" msgid="0"
2017:03:31-09:06:25 apollo snort[5061]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="drop" reason="BROWSER-IE Microsoft Edge CStyleSheet keyframes out of bounds read attempt" group="110" srcip="2.22.99.220" dstip="10.16.3.160" proto="6" srcport="80" dstport="61286" sid="38483" class="Attempted User Privilege Gain" priority="1" generator="1" msgid="0"
2017:03:31-09:06:28 apollo snort[5061]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="drop" reason="BROWSER-IE Microsoft Edge CStyleSheet keyframes out of bounds read attempt" group="110" srcip="2.22.99.220" dstip="10.16.3.160" proto="6" srcport="80" dstport="61300" sid="38483" class="Attempted User Privilege Gain" priority="1" generator="1" msgid="0"
2017:03:31-09:06:48 apollo snort[5061]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="drop" reason="BROWSER-IE Microsoft Edge CStyleSheet keyframes out of bounds read attempt" group="110" srcip="104.94.0.206" dstip="10.16.3.160" proto="6" srcport="80" dstport="61320" sid="38483" class="Attempted User Privilege Gain" priority="1" generator="1" msgid="0"
2017:03:31-09:24:12 apollo snort[5061]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="drop" reason="BROWSER-IE Microsoft Edge CStyleSheet keyframes out of bounds read attempt" group="110" srcip="104.127.42.52" dstip="10.16.4.22" proto="6" srcport="80" dstport="62581" sid="38483" class="Attempted User Privilege Gain" priority="1" generator="1" msgid="0"

2017:03:31-09:48:31 apollo snort[5061]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="drop" reason="BROWSER-IE Microsoft Edge CStyleSheet keyframes out of bounds read attempt" group="110" srcip="92.122.182.137" dstip="192.168.2.8" proto="6" srcport="80" dstport="58956" sid="38483" class="Attempted User Privilege Gain" priority="1" generator="1" msgid="0"
2017:03:31-09:48:51 apollo snort[5061]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="drop" reason="BROWSER-IE Microsoft Edge CStyleSheet keyframes out of bounds read attempt" group="110" srcip="92.122.182.137" dstip="192.168.2.8" proto="6" srcport="80" dstport="59216" sid="38483" class="Attempted User Privilege Gain" priority="1" generator="1" msgid="0"
2017:03:31-09:48:51 apollo snort[5061]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="drop" reason="BROWSER-IE Microsoft Edge CStyleSheet keyframes out of bounds read attempt" group="110" srcip="92.122.182.137" dstip="192.168.2.8" proto="6" srcport="80" dstport="59220" sid="38483" class="Attempted User Privilege Gain" priority="1" generator="1" msgid="0"
2017:03:31-09:48:51 apollo snort[5061]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="drop" reason="BROWSER-IE Microsoft Edge CStyleSheet keyframes out of bounds read attempt" group="110" srcip="92.122.182.137" dstip="192.168.2.8" proto="6" srcport="80" dstport="59218" sid="38483" class="Attempted User Privilege Gain" priority="1" generator="1" msgid="0"
2017:03:31-09:48:51 apollo snort[5061]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="drop" reason="BROWSER-IE Microsoft Edge CStyleSheet keyframes out of bounds read attempt" group="110" srcip="92.122.182.137" dstip="192.168.2.8" proto="6" srcport="80" dstport="59222" sid="38483" class="Attempted User Privilege Gain" priority="1" generator="1" msgid="0"
2017:03:31-09:48:52 apollo snort[5061]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="drop" reason="BROWSER-IE Microsoft Edge CStyleSheet keyframes out of bounds read attempt" group="110" srcip="92.122.182.137" dstip="192.168.2.8" proto="6" srcport="80" dstport="59224" sid="38483" class="Attempted User Privilege Gain" priority="1" generator="1" msgid="0"
2017:03:31-09:58:34 apollo ulogd[4881]: id="2104" severity="info" sys="SecureNet" sub="ips" name="ICMP flood detected" action="ICMP flood" fwrule="60014" initf="eth4" srcmac="9c:f3:87:a2:65:ac" dstmac="00:1a:8c:59:10:e6" srcip="10.16.3.203" dstip="216.58.204.14" proto="1" length="56" tos="0x00" prec="0x00" ttl="64" type="3" code="3"


Thanks,

E.



  • Maybe a false positive... maybe not.

    Possibly there is data trying to attack your browser if you use "Edge".

    The IPS doesn't know you don't use Edge.



    Dirk

    Systema Gesellschaft für angewandte Datentechnik mbH  // Sophos Platinum Partner
    Sophos Solution Partner since 2003
    If a post solves your question, click the 'Verify Answer' link at this post.


  • Hi,

    I discovered this a while ago. Most of them are Akamai cache servers (srcip) causing this. I suspect it's either a bug, Akamai uses a strange trick, or, more unlikely, all Akamai servers are infected?

    Annoying, as I would love to know the truth :)
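A triage script for log lines like the ones in this thread, added here as an example and not code from the thread or from Sophos: it parses the UTM key="value" format, skips events that are not signature hits (such as the ulogd ICMP flood line), joins each destination IP to the asset inventory the original poster described (constructed here, not a real export) and flags sid 38483 hits against non-Windows hosts as platform mismatches, while counting hits per source IP so repeated sources like the cache servers mentioned above stand out. The mapping of the BROWSER-IE rule category to Windows clients is an assumption.

```python
import re
from collections import Counter
# Sample input: three snort alerts and the ulogd line copied from the thread above.
SAMPLE_LOG = """\
2017:03:31-08:59:10 apollo snort[5061]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="drop" reason="BROWSER-IE Microsoft Edge CStyleSheet keyframes out of bounds read attempt" group="110" srcip="2.17.21.130" dstip="192.168.2.38" proto="6" srcport="80" dstport="63080" sid="38483" class="Attempted User Privilege Gain" priority="1" generator="1" msgid="0"
2017:03:31-09:05:57 apollo snort[5061]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="drop" reason="BROWSER-IE Microsoft Edge CStyleSheet keyframes out of bounds read attempt" group="110" srcip="2.22.99.220" dstip="10.16.3.160" proto="6" srcport="80" dstport="61223" sid="38483" class="Attempted User Privilege Gain" priority="1" generator="1" msgid="0"
2017:03:31-09:48:31 apollo snort[5061]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="drop" reason="BROWSER-IE Microsoft Edge CStyleSheet keyframes out of bounds read attempt" group="110" srcip="92.122.182.137" dstip="192.168.2.8" proto="6" srcport="80" dstport="58956" sid="38483" class="Attempted User Privilege Gain" priority="1" generator="1" msgid="0"
2017:03:31-09:58:34 apollo ulogd[4881]: id="2104" severity="info" sys="SecureNet" sub="ips" name="ICMP flood detected" action="ICMP flood" fwrule="60014" initf="eth4" srcmac="9c:f3:87:a2:65:ac" dstmac="00:1a:8c:59:10:e6" srcip="10.16.3.203" dstip="216.58.204.14" proto="1" length="56" tos="0x00" prec="0x00" ttl="64" type="3" code="3"
"""

# Asset inventory as the poster described the hosts (constructed, not a real CMDB export).
INVENTORY = {"192.168.2.38": "ios", "10.16.3.160": "macos",
             "10.16.4.22": "macos", "192.168.2.8": "linux"}

# Assumption: rules in the BROWSER-IE category only affect IE/Edge, i.e. Windows clients.
CATEGORY_PLATFORMS = {"BROWSER-IE": {"windows"}}

HEADER = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<daemon>\w+)\[(?P<pid>\d+)\]: (?P<kv>.*)$")
FIELD = re.compile(r'(\w+)="([^"]*)"')

def parse_utm_line(line):
    """Parse one Sophos UTM log line into a dict; return None if the header does not match."""
    m = HEADER.match(line.strip())
    if not m:
        return None
    rec = {"ts": m["ts"], "host": m["host"], "daemon": m["daemon"]}
    rec.update(FIELD.findall(m["kv"]))  # key="value" pairs become dict entries
    return rec

def triage(log_text, inventory):
    """One record per snort signature hit, flagged when the host cannot run the targeted software."""
    out = []
    for line in log_text.splitlines():
        rec = parse_utm_line(line)
        if not rec or rec["daemon"] != "snort" or "sid" not in rec:
            continue  # ulogd flood events and unparsable lines are not signature hits
        category = rec["reason"].split(" ", 1)[0]
        targets = CATEGORY_PLATFORMS.get(category)
        os_name = inventory.get(rec["dstip"], "unknown")
        # Only a mismatch when both the rule's target platform and the host's OS are known.
        mismatch = targets is not None and os_name != "unknown" and os_name not in targets
        out.append({"sid": rec["sid"], "srcip": rec["srcip"], "dstip": rec["dstip"],
                    "os": os_name, "platform_mismatch": mismatch})
    return out

def summarize(records):
    """Alerts per source IP plus how many landed on hosts the rule cannot apply to."""
    return {"total": len(records),
            "mismatches": sum(r["platform_mismatch"] for r in records),
            "by_srcip": Counter(r["srcip"] for r in records)}
```

A hit that is flagged as a platform mismatch is a strong candidate for a false positive, but the dropped connections still deserve a look at what the source was serving, since the IPS can only see the payload, not which browser will parse it.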
