I have been getting an alert from the IPS.
It is always from the 91.98.84.14 to only one of my hosts.
Today I ran ss and Wireshark against the source IP. Wireshark is showing the connection coming from njna.horus-it.com. Their website says (translated from German):
Welcome to HORUS-IT Ralph Seichter. For more than 30 years, we have successfully provided qualified services in many disciplines of computer science.
Our main topics:
Firewalls
Spam and virus protection
Cryptography
Software architecture and development
Databases
Configuration management
Release management
If you need support, we are your reliable partner.
How do I determine if this is a false positive or a real threat?
I received the same alerts during a Microsoft Windows update.
I ended up disabling the rule ET SHELLCODE Common 0a0a0a0a Heap Spray String in emerging-shellcode.rules.
I have been getting a lot of these alerts on one of my firewalls. 100-200 per day for a couple of weeks now. Strangely, two other IPFires I manage have gotten zero of these even though the rule is enabled on all three. I leave it enabled “just in case” because it’s not hurting anything to do so. I am guessing if it is a rule misconfiguration, that eventually it will be fixed in a rule update and the alerts will stop on their own.
I just went back through my IPS Logs and it looks like these started on December 10th for me. On that day I got 5 of these alerts. The next day, 75, then progressively more each day where it’s usually over 300 per day now. I am curious if you can tell which day you started seeing these alerts. See if there is any correlation with when I started getting them.
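As an added example, not code from any of the posters or from IPFire: a small Python triage script over constructed fast.log-style IPS alert lines that answers the two questions raised in this thread (on which day the alerts started, and whether the "source" is really a remote server answering connections the local host opened, as with update downloads) and checks whether a 0a0a0a0a hit sits inside plain text. The SID, addresses and dates in the sample are placeholders, and the assumption that the rule's content match is the 4-byte 0a0a0a0a run is taken from its name, not from the rule file.

```python
import re
from collections import Counter
from datetime import datetime
# Constructed Suricata fast.log-style lines (the format IPFire's IPS writes); SID 1000001,
# the dates and the addresses are placeholders for this example, not real log data.
SAMPLE_LOG = """\
12/10/2023-09:12:01.000001  [**] [1:1000001:1] ET SHELLCODE Common 0a0a0a0a Heap Spray String [**] [Classification: Executable code was detected] [Priority: 1] {TCP} 91.98.84.14:443 -> 192.168.1.10:51234
12/10/2023-09:15:44.000001  [**] [1:1000001:1] ET SHELLCODE Common 0a0a0a0a Heap Spray String [**] [Classification: Executable code was detected] [Priority: 1] {TCP} 91.98.84.14:443 -> 192.168.1.10:51240
12/11/2023-10:01:00.000001  [**] [1:1000001:1] ET SHELLCODE Common 0a0a0a0a Heap Spray String [**] [Classification: Executable code was detected] [Priority: 1] {TCP} 91.98.84.14:443 -> 192.168.1.10:51301
12/11/2023-11:30:00.000001  [**] [1:1000001:1] ET SHELLCODE Common 0a0a0a0a Heap Spray String [**] [Classification: Executable code was detected] [Priority: 1] {TCP} 91.98.84.14:443 -> 192.168.1.10:51310
12/11/2023-12:00:00.000001  [**] [1:1000002:1] CONSTRUCTED Unrelated Rule [**] [Classification: Misc activity] [Priority: 3] {TCP} 203.0.113.7:40123 -> 192.168.1.10:22
"""
LINE_RE = re.compile(
    r"^(?P<date>\d\d/\d\d/\d{4})-\S+\s+\[\*\*\]\s+\[(?P<sid>[\d:]+)\]\s+(?P<msg>.+?)\s+\[\*\*\]"
    r".*?\{(?P<proto>\w+)\}\s+(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)"
)

def parse(log_text):
    """Yield one dict per parseable fast.log line; anything else is skipped."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.groupdict()

def triage(log_text, msg_substring):
    """Summarise alerts whose message contains msg_substring: first day seen, counts per day
    and per (src, dst) pair, and how many came from a remote service port (< 1024) to an
    ephemeral local port, i.e. a server answering a connection the local host itself opened."""
    hits = [a for a in parse(log_text) if msg_substring in a["msg"]]
    per_day = Counter(datetime.strptime(a["date"], "%m/%d/%Y").date().isoformat() for a in hits)
    return {
        "total": len(hits),
        "first_seen": min(per_day, default=None),  # ISO dates sort chronologically
        "per_day": dict(sorted(per_day.items())),
        "per_pair": dict(Counter((a["src"], a["dst"]) for a in hits)),
        "server_reply": sum(1 for a in hits if int(a["sport"]) < 1024 <= int(a["dport"])),
    }

# Assumption: as the rule name suggests, its content match is the 4-byte run 0a 0a 0a 0a,
# i.e. four line feeds, which three consecutive empty lines in any text body produce.
PATTERN = bytes.fromhex("0a0a0a0a")

def looks_like_text_hit(payload):
    """True if PATTERN sits inside printable text (a benign blank-line run), False if
    the surrounding bytes are not text, None if PATTERN is absent from the payload."""
    i = payload.find(PATTERN)
    if i < 0:
        return None
    window = payload[max(0, i - 16):i] + payload[i + 4:i + 20]
    return all(32 <= b < 127 or b in b"\r\n\t" for b in window)
```

Run it against the real /var/log/suricata/fast.log (or the IPS log export) instead of SAMPLE_LOG; a high server_reply share plus hits that sit in text are the signature of a noisy content rule rather than an inbound exploit attempt.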