Intrusion Prevention

Author: patrickwilson82 (Bronze Member, joined 2018/03/01)
2018/11/10 12:20:56 (permalink)

Intrusion Prevention

Every two and a half hours, I've been getting this email alert:
Message meets Alert condition
The following intrusion was observed: MS.Office.EQNEDT32.EXE.Equation.Parsing.Memory.Corruption.
date=2018-11-10 time=13:13:37 devname=FGT01 devid=FG101E4Q17000329 logid=0419016384 type=utm subtype=ips eventtype=signature level=alert vd=root severity=critical srcip=93.33.221.101 srccountry="Italy" dstip=192.xxx.xxx.xx srcintf="wan1" dstintf="lan" policyid=4 sessionid=215818094 action=dropped proto=6 service="SMTP" attack="MS.Office.EQNEDT32.EXE.Equation.Parsing.Memory.Corruption" srcport=41243 dstport=25 direction=outgoing attackid=44947 profile="protect_email_server" ref="http://www.fortinet.com/ids/VID44947" incidentserialno=201037466 msg="applications3: MS.Office.EQNEDT32.EXE.Equation.Parsing.Memory.Corruption," crscore=50 crlevel=critical
 
I've added this IPS filter: MS Office RTF Memory Corruption. Default action= block
 
And set a policy to block this external IP.
Incoming interface: Wan1
Outgoing interface: Lan
Source: The external IP address from the message above.
Destination address: all
Service: all
Action: Deny
 
Is there anything else I need to do to stop this?
 
 
post edited by patrickwilson82 - 2018/11/10 12:27:06
#1

2 Replies

    patrickwilson82 (Bronze Member, joined 2018/03/01)
    Re: Intrusion Prevention 2018/11/12 11:37:00 (permalink)
    Whatever it was seems to have stopped on its own. Everything is quiet now, according to the logs.
    #2
    mdeepak (New Member, joined 2019/02/13)
    Re: Intrusion Prevention 2019/02/13 23:21:41 (permalink)
    I am facing a similar issue every 10-15 mins for the last couple of days.
     
    The following intrusion was observed: MS.Office.EQNEDT32.EXE.Equation.Parsing.Memory.Corruption.
    date=2019-02-14 time=12:42:54 devname=FG100D3G16832510 devid=FG100D3G16832510 logid=0419016384 type=utm subtype=ips eventtype=signature level=alert vd=root severity=critical srcip=103.241.181.28 srccountry="India" dstip=192.XXX.XXX.XXX srcintf="dmz" dstintf="lan" policyid=2 sessionid=69129443 action=dropped proto=6 service="POP3" attack="MS.Office.EQNEDT32.EXE.Equation.Parsing.Memory.Corruption" srcport=110 dstport=57828 direction=incoming attackid=44947 profile="protect_http_server" ref="http://www.fortinet.com/ids/VID44947" incidentserialno=1088665343 msg="applications3: MS.Office.EQNEDT32.EXE.Equation.Parsing.Memory.Corruption," crscore=50 crlevel=critical
    #3
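Added here as an editor's example (not code from either poster): a small parser for the FortiGate key=value IPS records quoted in post #1 and post #3, which groups hits by source IP, service and direction so a repeating sender stands out, and records whether the sensor already dropped the session (action=dropped). The two sample records are the ones quoted in this thread, the second re-joined where the forum wrapped it.

```python
import re
from collections import Counter

# FortiGate writes IPS records as space-separated key=value pairs; values that contain
# spaces (msg, profile, srccountry) are double-quoted, so match a quoted run or a bare token.
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# The two records quoted in this thread (second one re-joined where the forum wrapped it).
SAMPLE_LOGS = [
    'date=2018-11-10 time=13:13:37 devname=FGT01 devid=FG101E4Q17000329 logid=0419016384 type=utm subtype=ips eventtype=signature level=alert vd=root severity=critical srcip=93.33.221.101 srccountry="Italy" dstip=192.xxx.xxx.xx srcintf="wan1" dstintf="lan" policyid=4 sessionid=215818094 action=dropped proto=6 service="SMTP" attack="MS.Office.EQNEDT32.EXE.Equation.Parsing.Memory.Corruption" srcport=41243 dstport=25 direction=outgoing attackid=44947 profile="protect_email_server" ref="http://www.fortinet.com/ids/VID44947" incidentserialno=201037466 msg="applications3: MS.Office.EQNEDT32.EXE.Equation.Parsing.Memory.Corruption," crscore=50 crlevel=critical',
    'date=2019-02-14 time=12:42:54 devname=FG100D3G16832510 devid=FG100D3G16832510 logid=0419016384 type=utm subtype=ips eventtype=signature level=alert vd=root severity=critical srcip=103.241.181.28 srccountry="India" dstip=192.XXX.XXX.XXX srcintf="dmz" dstintf="lan" policyid=2 sessionid=69129443 action=dropped proto=6 service="POP3" attack="MS.Office.EQNEDT32.EXE.Equation.Parsing.Memory.Corruption" srcport=110 dstport=57828 direction=incoming attackid=44947 profile="protect_http_server" ref="http://www.fortinet.com/ids/VID44947" incidentserialno=1088665343 msg="applications3: MS.Office.EQNEDT32.EXE.Equation.Parsing.Memory.Corruption," crscore=50 crlevel=critical',
]


def _unquote(value):
    """Strip the surrounding double quotes from a quoted value; leave bare tokens alone."""
    return value[1:-1] if len(value) >= 2 and value[0] == value[-1] == '"' else value


def parse_fortigate_log(line):
    """Turn one key=value record into a dict keyed by field name."""
    return {key: _unquote(value) for key, value in KV_RE.findall(line)}


def triage_ips_hits(lines, attack=None):
    """Group IPS signature hits by (srcip, service, direction) and note whether the
    sensor already dropped the session. Returns summaries sorted by hit count, highest first."""
    hits = Counter()
    info = {}
    for line in lines:
        ev = parse_fortigate_log(line)
        if ev.get("subtype") != "ips" or (attack and ev.get("attack") != attack):
            continue  # not an IPS record, or a different signature than the one being triaged
        key = (ev.get("srcip"), ev.get("service"), ev.get("direction"))
        hits[key] += 1
        info[key] = {
            "attack": ev.get("attack"),
            "attackid": ev.get("attackid"),
            "path": f'{ev.get("srcintf")} -> {ev.get("dstintf")} (policyid {ev.get("policyid")})',
            "dropped": ev.get("action") == "dropped",
            "ref": ev.get("ref"),
        }
    return [{"srcip": k[0], "service": k[1], "direction": k[2], "hits": n, **info[k]}
            for k, n in hits.most_common()]


if __name__ == "__main__":
    for row in triage_ips_hits(SAMPLE_LOGS, attack="MS.Office.EQNEDT32.EXE.Equation.Parsing.Memory.Corruption"):
        print(f'{row["srcip"]:>16} {row["service"]:<5} {row["direction"]:<9} hits={row["hits"]} '
              f'dropped={row["dropped"]} path={row["path"]}')
```

Feed it the IPS lines from a syslog export to see at a glance which senders repeat and whether every hit was dropped by the sensor.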