IPS convicted network traffic on Endpoint

I need a solution

Hi,

EDR detected below event

Type: IPS convicted network traffic on Endpoint. 

Description: Intrusion prevention submission. Signature ID: System Infected: Miner[.]BitcoinMiner Activity 9

What is the next step? Scanning the PC does not show anything.

Thanks for your help!


Related:

Advisory: Sophos UTM – Latest IPS pattern update triggering Sensitive Data Rules

Sophos is currently investigating customer reports of SENSITIVE-DATA IPS alerts after the latest IPS pattern update.

Applies to the following Sophos product(s) and version(s)

Sophos UTM

Traffic containing sensitive data being sent over plain text SMTP, HTTP, FTP-Data, IMAP, or POP3 may be incorrectly blocked by Intrusion Prevention.

The following alert message may be triggered:

An intrusion has been detected. The packet has been dropped automatically.

You can toggle this rule between “drop” and “alert only” in WebAdmin.

Details about the intrusion alert:

Message: SENSITIVE-DATA Email Addresses

Details: https://www.snort.org/search?query=5

Time: 2019-xxxxxx

Packet dropped: yes

Priority: medium

Classification: Sensitive Data was Transmitted Across the Network

IP protocol: 6 (TCP)

Source IP address: x.x.x.x

Source port: <port number>

Destination IP address: y.y.y.y

The following logs can also be seen in the Intrusion Prevention logs:

2019:05:29-14:04:07 xxxxxx snort[16760]: severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="drop" reason="SENSITIVE-DATA Email Addresses" group="500" srcip="x.x.x.x" dstip="y.y.y.y" proto="6" srcport="63042" dstport="25" sid="5" priority="2" generator="138" msgid="0"

The following reasons can be seen:

  • SENSITIVE-DATA Credit Card Numbers
  • SENSITIVE-DATA U.S. Social Security Numbers (with dashes)
  • SENSITIVE-DATA U.S. Social Security Numbers (w/out dashes)
  • SENSITIVE-DATA U.S. Phone Numbers
  • SENSITIVE-DATA Email Addresses

Development has rolled back the IPSBundle to the previous pattern (IPSBundle 9.199). Once the UTM picks up the new pattern (within 15 minutes) it should no longer encounter this issue. The fixed pattern version is 9-201.

To verify that the UTM has the correct ipsbundle2 version:

# rpm -qa | grep ipsbundle2

u2d-ipsbundle2-9-201

To determine if you are affected:

  1. Verify the version of ipsbundle being used.
  2. From the shell of the UTM, as root, run the following command to check whether the affected IPS bundle (u2d-ipsbundle2-9-200) is installed:
    • rpm -qa | grep ipsbundle
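As an added example (this is not Sophos code and is not part of the advisory), the following Python script performs both halves of the check above on captured text rather than on the live UTM: it classifies the output of `rpm -qa | grep ipsbundle2` as the affected 9-200 bundle, the fixed 9-201 bundle, or something else, and it parses Intrusion Prevention log lines in the key="value" layout quoted above to count dropped SENSITIVE-DATA alerts by reason and destination port, which is the information you need before deciding whether a rule needs to be switched to "alert only" or bypassed. The sample log lines are constructed for this example: the IP addresses are from documentation ranges and the sid values other than 5 are made up.

```python
"""Triage helper for the SENSITIVE-DATA IPS advisory (added example, not Sophos code).

Assumes the `rpm -qa | grep ipsbundle2` output and the snort key="value" log
line format quoted in the advisory. All sample data below is constructed.
"""
import re
from collections import Counter

# Bundle versions named in the advisory.
AFFECTED_BUNDLE = "u2d-ipsbundle2-9-200"  # pattern that produces the false drops
FIXED_BUNDLE = "u2d-ipsbundle2-9-201"     # corrected pattern

# snort on the UTM writes fields as key="value"; the prefix (timestamp, host,
# process) contains no such pair, so this regex only picks up the fields.
_KV_RE = re.compile(r'(\w+)="([^"]*)"')


def classify_bundle(rpm_output: str) -> str:
    """Classify `rpm -qa | grep ipsbundle2` output as affected, fixed, other or missing."""
    packages = [ln.strip() for ln in rpm_output.splitlines() if ln.strip()]
    if not packages:
        return "missing"        # no ipsbundle2 package at all: check the update state
    if AFFECTED_BUNDLE in packages:
        return "affected"
    if FIXED_BUNDLE in packages:
        return "fixed"
    return "other"              # e.g. the 9-199 pattern the rollback restores


def parse_ips_line(line: str) -> dict:
    """Return the key/value fields of one Intrusion Prevention log line plus its timestamp."""
    fields = dict(_KV_RE.findall(line))
    fields["timestamp"] = line.split(" ", 1)[0]
    return fields


def is_sensitive_data_drop(fields: dict) -> bool:
    """True for a dropped alert from the SENSITIVE-DATA rules the advisory describes.

    A rule toggled to "alert only" in WebAdmin logs action="alert" and is not counted.
    """
    return fields.get("action") == "drop" and fields.get("reason", "").startswith("SENSITIVE-DATA")


def summarize_drops(lines) -> Counter:
    """Count dropped SENSITIVE-DATA alerts by (reason, destination port).

    The destination port shows which plain-text protocol (25 SMTP, 80 HTTP, ...)
    the false positive is hitting, which is what the bypass decision needs.
    """
    counts = Counter()
    for line in lines:
        fields = parse_ips_line(line)
        if is_sensitive_data_drop(fields):
            counts[(fields["reason"], fields.get("dstport", "?"))] += 1
    return counts


# Constructed sample input (documentation IP ranges; sid values other than 5 are made up).
SAMPLE_RPM_OUTPUT = "u2d-ipsbundle2-9-200\n"
SAMPLE_LOG = [
    '2019:05:29-14:04:07 utm snort[16760]: severity="warn" sys="SecureNet" sub="ips" '
    'name="Intrusion protection alert" action="drop" reason="SENSITIVE-DATA Email Addresses" '
    'group="500" srcip="192.0.2.10" dstip="198.51.100.25" proto="6" srcport="63042" '
    'dstport="25" sid="5" priority="2" generator="138" msgid="0"',
    '2019:05:29-14:05:11 utm snort[16760]: severity="warn" sys="SecureNet" sub="ips" '
    'name="Intrusion protection alert" action="drop" reason="SENSITIVE-DATA Credit Card Numbers" '
    'group="500" srcip="192.0.2.11" dstip="198.51.100.80" proto="6" srcport="50110" '
    'dstport="80" sid="2" priority="2" generator="138" msgid="0"',
    # Same rule after it was set to "alert only": logged but no longer dropped.
    '2019:05:29-14:06:30 utm snort[16760]: severity="warn" sys="SecureNet" sub="ips" '
    'name="Intrusion protection alert" action="alert" reason="SENSITIVE-DATA Email Addresses" '
    'group="500" srcip="192.0.2.12" dstip="198.51.100.25" proto="6" srcport="63100" '
    'dstport="25" sid="5" priority="2" generator="138" msgid="0"',
]


if __name__ == "__main__":
    print("bundle state:", classify_bundle(SAMPLE_RPM_OUTPUT))
    for (reason, port), n in sorted(summarize_drops(SAMPLE_LOG).items()):
        print(f"{n} dropped  {reason}  -> dst port {port}")
```

On a real UTM you would feed `classify_bundle` the captured output of the rpm command and `summarize_drops` the lines of the Intrusion Prevention log; the bundle state tells you whether the drops are the advisory's false positives, and the per-port summary tells you which traffic the temporary workaround has to cover.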

For any time-sensitive data being dropped, the workaround below can be implemented to temporarily allow affected traffic.

Option 1 – Disable the affected rule completely:

  • Navigate to Network Protection > Intrusion Prevention > Advanced > Modified Rules
  • Click the “+” add button and enter the rule number “2
  • Select Disable this rule
  • Click Save and then Apply at the bottom

Option 2 – Bypass (all) IPS for a specific source/destination:

  • Under Network Protection > Intrusion Prevention > Exceptions > New Exception List…
  • Configure an exception list to skip Intrusion Prevention
  • Define the respective hosts and/or destination under “For all requests
  • Click Save and then Enable the created exception.

This article will be updated when more information becomes available.

If you’ve spotted an error or would like to provide feedback on this article, please use the section below to rate and comment on the article.

This is invaluable to us to ensure that we continually strive to give our customers the best information possible.


Resolved Advisory: Sophos UTM – Latest IPS pattern update triggering Sensitive Data Rules

Update 5-30-2019

Sophos has rolled back the IPSBundle to the previous pattern (IPSBundle 9.199). The fixed pattern version is 9-201.

Users should verify that their UTM has updated to this new pattern.

To verify that the UTM has the correct ipsbundle2 version:

  • rpm -qa | grep ipsbundle2

    u2d-ipsbundle2-9-201


SEP 15 – System Status = Compromised… but no way to resolve

I need a solution

Here are the Device Protection Details

  • Product Version
    • 14.2.2486.1000
  • Device Security Status
    • Compromised
  • Device Security Status Reason
    • Outgoing threats detected (Intrusion Prevention)

I am using the SEP 15 Cloud Manager (https://sep.securitycloud.symantec.com)

We have a device that indicates a status of COMPROMISED. However, we can find no way to resolve the issue.

The logs indicate a bunch of BLOCKED Network Intrusion Prevention Alerts.

One we see that is outbound “Web Attack: Masscan Scanner Request”… It shows as blocked also

The machine itself seems fine when we log into it and look at the Symantec Endpoint Protection manager.

Is there anything we can do to get the status back to SECURE?

Thanks

Charles


Related:

SEP 14 & VMWare Workstation 15 Player

I need a solution

I am using SEP 14.2 build 1031 on Windows 10 Pro 1809 build 17763.292 and VM Workstation 15 Player.

I have found that if I install the Network Intrusion Prevention / Firewall components of SEP, it inherently blocks incoming network access to any virtual machines. I could see this if I used NAT configuration for the VM, but I am using Bridged, which means that as far as the network and host machine are concerned the VM should behave like its own entity.

I have Googled the problem and the closest solution I have found is essentially to put an allow-all rule in the Symantec firewall, which seems to defeat the purpose entirely. How do I configure SEP to allow traffic into and out of a VM without having to effectively turn off the firewall on the host machine?


Related:

Intrusion Prevention Signature Failures

I need a solution

We have a SEPM 14 installed on our own on-site Windows Server 2008 R2. We have 10 client computers running Win7 Pro or Win10 Pro. A few days ago I installed SEP 14.0.3752 on three Win10 Pro machines. I then read the SEPM communication file into the SEP on each machine, and it all worked well. I also saw that LiveUpdate ran on each machine to update the virus definitions. However, in SEP there is now an error on all three of these machines: Intrusion Prevention Signature Failures.

First – what does this error mean? What sort of signature are we talking about here?

And how do I fix this? I have read this post https://www.symantec.com/connect/forums/intrusion-… and have mostly tried the suggestions there, without getting any further.

Grateful for any insights.

See 2 attached images – screenshots from SEPM.
