This discussion has been locked.

You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Attempted to download VPN cert from phone... UTM thinks its a trojan?

So this morning while my wife was in surgery, I decided to download the .ovpn file from the User Portal. After logging in with my credentials while on my Android phone via browser, I clicked on the install file to get the necessary file needed for the OpenVPN Connect client on my phone. It would never download sucessfully, and I tried again when I came home on the internal network, and downloading would still not download successfully.

I log into UTM, and noticed IPS:

2015:06:09-09:21:16 amodin snort[10175]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="drop" reason="INDICATOR-COMPROMISE Suspicious .pw dns query" group="241" srcip="172.18.0.12" dstip="172.18.0.1" proto="17" srcport="3211" dstport="53" sid="28039" class="A Network Trojan was Detected" priority="1" generator="1" msgid="0"
2015:06:09-09:21:26 amodin snort[10175]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="drop" reason="INDICATOR-COMPROMISE Suspicious .pw dns query" group="241" srcip="172.18.0.12" dstip="172.18.0.1" proto="17" srcport="17643" dstport="53" sid="28039" class="A Network Trojan was Detected" priority="1" generator="1" msgid="0"
2015:06:09-09:21:26 amodin snort[10175]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="drop" reason="INDICATOR-COMPROMISE Suspicious .pw dns query" group="241" srcip="172.18.0.12" dstip="172.18.0.1" proto="17" srcport="58492" dstport="53" sid="28039" class="A Network Trojan was Detected" priority="1" generator="1" msgid="0"
2015:06:09-09:21:36 amodin snort[10175]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="drop" reason="INDICATOR-COMPROMISE Suspicious .pw dns query" group="241" srcip="172.18.0.12" dstip="172.18.0.1" proto="17" srcport="13056" dstport="53" sid="28039" class="A Network Trojan was Detected" priority="1" generator="1" msgid="0"
2015:06:09-09:21:36 amodin snort[10175]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="drop" reason="INDICATOR-COMPROMISE Suspicious .pw dns query" group="241" srcip="172.18.0.12" dstip="172.18.0.1" proto="17" srcport="62690" dstport="53" sid="28039" class="A Network Trojan was Detected" priority="1" generator="1" msgid="0"
2015:06:09-09:21:46 amodin snort[10175]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="drop" reason="INDICATOR-COMPROMISE Suspicious .pw dns query" group="241" srcip="172.18.0.12" dstip="172.18.0.1" proto="17" srcport="25528" dstport="53" sid="28039" class="A Network Trojan was Detected" priority="1" generator="1" msgid="0"

The UTM believed that this was a Network Trojan!

The false positives generated by Sophos for me has frankly gotten out of hand, and I get them more and more frequently with web browsing pages I have gone to a hundred times before. This is just another button pushed...

This thread was automatically locked due to age.

0 Scott_Klassen over 9 years ago

Time for more rule modifications.

__________________
ACE v8/SCA v9.3

...still have a v5 install disk in a box somewhere.

http://xkcd.com
http://www.tedgoff.com/mb
http://www.projectcartoon.com/cartoon/1
Cancel
Vote Up 0 Vote Down

Cancel