IPS-IDS Logs
(OBJ 4.9)
IPS/IDS Log example question
Which of the following event IDs represents the biggest threat to your organization's enterprise network and should be investigated immediately by the organization's cybersecurity analysts?
![IPS/IDS log table (screenshot)](/CAP/Security+/Visual%20Aids/Pasted%20image%2020250725173420.png)
The right answer is going to be one of the 'high' severity ones
- There are 6 different high severity alerts here
In this case, because the log shows a 'Blocking' action, we know this appliance is an IPS and not an IDS (an IDS can only alert on traffic, it cannot block it).
Which is the most dangerous for us?
- That is going to be the Data Exfiltration Detected at line 4130
Reviewing each 'high' severity event
- 4105 - SQL Injection Attack Detected
  - Severe, because an attacker could try to attack our database through an SQL injection and then pull our data out of it
  - But this was actually Blocked by the IPS, so it is not a big deal now. Not that dangerous
- 4110 - Buffer Overflow Attack Detected
  - Again, the event was blocked by the IPS, so the attacker wasn't successful in running that attempt
- 4115 - Anomalous Privilege Escalation Detected
  - Means someone attempted to go from a regular account to an administrative account, or from a guest user to an authenticated user
  - Again, it was blocked by the IPS, so it will not affect our systems
- 4120 - External Brute Force Attack
  - Again, it was blocked by the IPS, so not too dangerous
- ...
- "Blocked attacks are not a major concern because defenses have stopped them"
  - It is still important to identify the sources of the blocked attacks
  - Add something like blocking their IP address or some other preventive measure
- ...
- 4124 - Network Scan from Internal IP
  - Not that big of a deal, since the IPS marks it as 'Contained'
  - The scan itself is not that dangerous
- 4130 - Data Exfiltration Detected
  - It was an Alert, not a Block, and the admin was notified
  - The traffic was not stopped, so now we need to take action on it
Note: Echo requests (e.g. 3301 in the log) could create some network congestion, but they are not as critical as a data breach.
Remember
- Blocked
  - Mitigated, no effect on the network
- Not blocked (alerted or monitored)
  - Bypassed the network security appliance and affected the network
  - Investigate and figure out what they stole during that data exfiltration
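The triage rule in these notes (events the appliance only alerted on outrank events it blocked or contained, then sort by severity) can be turned into a small script. The following is an added example written for this note, not code from the course or from any IPS vendor. It assumes a simple CSV export with the columns `event_id,severity,action,source_ip,description`; the severities, actions and source addresses in the sample rows are constructed to mirror the events discussed above, since the actual screenshot values are not reproduced here.

```python
from dataclasses import dataclass

# Constructed sample log (not the screenshot from the note). Assumed layout:
# event_id,severity,action,source_ip,description
# Severities, actions and source addresses are assumptions chosen to mirror
# the events the note discusses; 10.0.0.0/8 stands for internal hosts.
SAMPLE_LOG = """\
3301,Low,Alert,198.51.100.7,ICMP Echo Request Flood
4105,High,Blocked,203.0.113.10,SQL Injection Attack Detected
4110,High,Blocked,203.0.113.10,Buffer Overflow Attack Detected
4115,High,Blocked,10.0.5.23,Anomalous Privilege Escalation Detected
4120,High,Blocked,192.0.2.44,External Brute Force Attack
4124,High,Contained,10.0.8.15,Network Scan from Internal IP
4130,High,Alert,10.0.3.9,Data Exfiltration Detected
"""

SEVERITY_RANK = {"Low": 1, "Medium": 2, "High": 3, "Critical": 4}

# Actions meaning the appliance stopped the traffic. Anything else
# (Alert, Monitor, Notify, ...) means the traffic got through and a
# person has to pick it up.
STOPPED_ACTIONS = {"Blocked", "Contained", "Dropped"}


@dataclass(frozen=True)
class Event:
    event_id: int
    severity: str
    action: str
    source_ip: str
    description: str

    @property
    def stopped(self) -> bool:
        return self.action in STOPPED_ACTIONS


def parse_log(text: str) -> list[Event]:
    """Parse the assumed CSV layout; blank lines are skipped."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        event_id, severity, action, source_ip, description = (
            field.strip() for field in line.split(",", 4)
        )
        events.append(Event(int(event_id), severity, action, source_ip, description))
    return events


def appliance_type(events: list[Event]) -> str:
    """A sensor that can block traffic is an IPS; one that only alerts is an IDS."""
    return "IPS" if any(e.stopped for e in events) else "IDS"


def triage_key(event: Event) -> tuple[int, int]:
    """Higher tuple = more urgent. Events that got through outrank stopped
    events of the same severity, which is the core of the note's reasoning."""
    return (0 if event.stopped else 1, SEVERITY_RANK.get(event.severity, 0))


def prioritize(events: list[Event]) -> list[Event]:
    # sorted() is stable, so ties keep their original log order.
    return sorted(events, key=triage_key, reverse=True)


def top_priority(events: list[Event]) -> Event:
    return prioritize(events)[0]


def recommended_action(event: Event) -> str:
    if event.stopped:
        return "review source, add preventive control (e.g. block the IP)"
    if SEVERITY_RANK.get(event.severity, 0) >= SEVERITY_RANK["High"]:
        return "investigate immediately: traffic bypassed the appliance"
    return "monitor; low impact"


def blocked_sources(events: list[Event]) -> dict[str, list[int]]:
    """Source IPs behind stopped attacks, with the event IDs seen from each,
    so the analyst can decide on follow-up such as an IP block."""
    sources: dict[str, list[int]] = {}
    for e in events:
        if e.stopped:
            sources.setdefault(e.source_ip, []).append(e.event_id)
    return sources


if __name__ == "__main__":
    events = parse_log(SAMPLE_LOG)
    print(f"Appliance: {appliance_type(events)}")
    for e in prioritize(events):
        print(f"{e.event_id} {e.severity:<6} {e.action:<9} {e.description} -> {recommended_action(e)}")
    print("Blocked sources:", blocked_sources(events))
```

Run on the sample rows, the script reports an IPS (because blocking actions are present), puts 4130 Data Exfiltration at the top of the list, and ranks the five Blocked/Contained events below even the low-severity echo request, which is exactly the "blocked attacks are not a major concern" rule from the note. `blocked_sources` collects the addresses behind the stopped attacks so they can be reviewed for a preventive control.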