HIDS 18162

From Atomicorp Wiki
Jump to: navigation, search

Rule ID

18162

Status

Active rule currently published.

Description

This rule is detects that the are MULTIPLE Windows Filtering Platform blocked a packet. This event logs all the particulars about a blocked packet, including the filter that caused the block.

Application Information: Process ID: process ID specified when the executable started as logged in 4688 Application Name: the program executable on this computer's side of the packet transmission

Examples of this alert from the Windows Endpoint

Examples of 5152 The Windows Filtering Platform blocked a packet.

Application Information:

  Process ID:  1132
  Application Name: \device\harddiskvolume1\windows\system32     \svchost.exe

Network Information:

  Direction:  Inbound
  Source Address:  224.0.0.252
  Source Port:  5355
  Destination Address: 10.42.42.213
  Destination Port:  56253
  Protocol:  17

Filter Information:

  Filter Run-Time ID: 0
  Layer Name:  Receive/Accept
  Layer Run-Time ID: 44

False Positives

There is no known false positive for this rule. This rule detects when files change, therefore, it is not recommended that you disable this rule. Instead, if you do not wish to be alerted when a specific file or files in a particular directory change, please log into the ASL GUI, click on the ASL tab, select the File Integrity menu options and modify your configuration to ignore this file or directory.

If you believe that this is a false positive, please report this to our security team can determine if this is a legitimate case, or if its clever attack on your system. Instructions to report false positives are detailed on the Reporting False Positives wiki page.


Tuning Recommendations

If you do not wish to monitor the file or directory reported as changed, log into the ASL GUI, click on the ASL tab, select the File Integrity menu options and modify your configuration to ignore this file or directory.

Similar Rules

Rule 18161: Windows Filtering Platform has blocked a connection

Knowledge Base Articles

None.

Outside References

https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=5152

Personal tools