Trend Micro Two Way IPS Hits

Just an update from my site.
I also have those IPS events in my router.
Using no-ip DDNS.
Using the OpenVPN client in the router to connect "most" devices (policy-based routing) to a few VPN providers. I change the provider I'm connected to from time to time.
 
Hello All, I checked my router today and noticed a bunch of what seem to be attacks. Maybe just a coincidence: I set up my Asus DDNS on the 19th, but the attacks seem to start on the 13th.
router capture.jpg

Does it appear that I've been penetrated? Should I be worried?...(lol, never said that before)
I'm on an 87U, 384.4_2

thanks-

also: in my haste, I turned off the router's accessibility via the WAN and did not set it back to HTTP. And of course I can no longer log in. Is a hard reset my only option?
 
also: in my haste, I turned off the router's accessibility via the WAN and did not set it back to HTTP. And of course I can no longer log in. Is a hard reset my only option?

From the LAN side you should be able to open https://x.x.x.x:port

x.x.x.x is the IP of the router in the LAN


If the browser displays something about the certificate being insecure, just ignore it and proceed to the site.
 
@Edgar Fabela Thanks-
Just needed to allow the HTTPS exception in the browser.
Does closing the WAN port to outside access mean no unsolicited access can get through? Or is it a moot point if I'm using the DDNS cert?

I was thinking, since all the attacks seem to be coming from the same few IPs, that I could blacklist any incoming traffic to the router from those IPs. Would this help? And what is the best way to do this?

Also, when an attack is logged on that TM page, does it mean it was successful, or probably just a botnet probing my IP range?

Thanks again
 
I have a Western Digital MyBookLive connected to my network that is accessible from the internet (which I now closed) for access to our stuff away from home.

I've been getting hits to it from the outside. Normally these are labeled as "External Attacks" but this last time it was labeled as "Client Device Infected". Not sure what's going on. When I go to the "Infected devices" list in AIprotection, it shows none. Any ideas?

Capture.PNG
 
Was going to start my own post but saw this. I've been getting "WEB Cross-site Scripting -36" hits (attached pic) occasionally, where the source is my wife's phone on the LAN and the destination is her device...

I should mention her phone has yet to have an available root solution, is on Nougat, and she uses the Google Chrome browser.

I don't seem to trigger this with my rooted S7, but I mostly use the FF browser with HTTPS Everywhere, NoScript etc. Would these necessarily help with this on her phone?
 

Attachment: WEB Cross-site Scripting -36.png

Does anyone know exactly how the Two-way IPS/AiProtection works? I cannot find any detailed/technical information anywhere...

I keep getting a few of these "High Severity Level" hits each day (luckily, no attacks seem to be successful).

How on earth can these attacks even hit me -- my home network is protected by an Asus RT68AC router which has NO ports forwarded. It does however have an OpenVPN server running. The ONLY way of accessing the router remotely is by connecting via this OpenVPN server.

From the log below, I can see that external IP numbers try to connect to my IP. But since I do not have a single port open, and no services (such as Telnet, SSH) running, how can the external attacker even attack me?

How is this even possible?...
upload_2018-5-30_23-35-21.png
 
Just random systems on the Internet doing port scanning in an attempt to locate vulnerable devices. It's unrelated to how you configure your router. So basically they are knocking at the door, and the door stays closed since the port isn't open.
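
To make the "knocking at the door" point concrete, here is an added Python example (not code from this thread, nor from Asus or Trend Micro) that does what a scanning bot does: it attempts a TCP handshake against a list of ports and classifies each one as open, closed or filtered. It also opens a throwaway listener on 127.0.0.1 so the "open" verdict can be seen without touching anyone else's network; the port list is constructed for the demo. Only an open port is an attack surface; a closed or filtered port gives the scanner nothing, and the IPS entry is simply the record of the knock.

```python
import socket
from typing import Dict, List, Tuple

# Ports a scanning bot typically tries against a home router (constructed list for the demo).
COMMON_PORTS = [21, 22, 23, 80, 443, 8080, 8443]


def probe_tcp(host: str, port: int, timeout: float = 1.0) -> str:
    """Attempt a TCP handshake and report what the target did with it.

    open     - handshake completed: a service is listening (and could be attacked)
    closed   - target answered with RST: reachable, but nothing listens there
    filtered - no usable answer: dropped by a firewall/NAT, or host unreachable
    """
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.settimeout(timeout)
    try:
        sock.connect((host, port))
        return "open"
    except ConnectionRefusedError:
        return "closed"
    except OSError:  # socket.timeout and "unreachable" errors are OSError subclasses
        return "filtered"
    finally:
        sock.close()


def scan(host: str, ports: List[int], timeout: float = 1.0) -> Dict[int, str]:
    """Run probe_tcp over every port in the list and return {port: state}."""
    return {port: probe_tcp(host, port, timeout) for port in ports}


def exposed_ports(results: Dict[int, str]) -> List[int]:
    """Only 'open' ports are an attack surface; closed/filtered ones merely generate log noise."""
    return sorted(port for port, state in results.items() if state == "open")


def start_demo_listener() -> Tuple[socket.socket, int]:
    """Open a throwaway listening socket on loopback so the 'open' verdict can be seen locally."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))  # port 0: let the kernel pick a free port
    srv.listen(16)
    return srv, srv.getsockname()[1]


if __name__ == "__main__":
    srv, demo_port = start_demo_listener()
    try:
        results = scan("127.0.0.1", COMMON_PORTS + [demo_port], timeout=0.5)
        for port, state in sorted(results.items()):
            print(f"127.0.0.1:{port:<5} {state}")
        print("attackable ports:", exposed_ports(results))
    finally:
        srv.close()
```

Run against the router's WAN address from a host outside your network (not from the LAN, where the scan would hit the LAN-side interface) and the result should be all closed or filtered; anything reported open is a service you are actually exposing.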
 
Has anyone ever got an alert that is not high level? Why even bother having levels if everything is always high!
 
I have always had 0 hits on my AC86U, while family members with AC56U and AC68U have several hits.

To be sure I just performed a factory reset and set up my router from scratch. How often do attacks occur? (When can I expect the first?)
 
Has anyone ever got an alert that is not high level? Why even bother having levels if everything is always high!

Lol, I didn't notice there was a legend. I think all their home use stuff is set to high.

I have always had 0 hits on my AC86U, while family members with AC56U and AC68U have several hits.

To be sure I just performed a factory reset and set up my router from scratch. How often do attacks occur? (When can I expect the first?)

Is your device NAT'ed and not facing a publicly accessible IP?

Also last nights alerts:

https://www.abuseipdb.com/check/209.141.42.3

All three attempts were within 3 hours of the previous one.
 
Still 0 hits.

My router is behind the ISP’s modem/router, which they have set in bridge mode on my request (it’s acting as a modem only now; no router functionality).
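
The question about being NAT'ed and the bridge-mode answer above come down to one check: does the router's WAN interface hold a public address, or is it sitting behind another NAT (the ISP's gateway, or carrier-grade NAT), where unsolicited internet scans never reach it? Here is an added Python check, not code from this thread, that classifies the address the router shows on its WAN status page and compares it with the address an outside service reports for your connection (both are passed in by hand; the sample pairs are constructed, and the 203.0.113.0/24 and 198.51.100.0/24 documentation ranges stand in for public addresses, which is why explicit ranges are used instead of ipaddress's is_private).

```python
import ipaddress

# Address blocks that unsolicited traffic from the internet can never reach directly.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
CGNAT = ipaddress.ip_network("100.64.0.0/10")  # RFC 6598 shared address space (carrier NAT)
LOCAL = [ipaddress.ip_network(n) for n in ("127.0.0.0/8", "169.254.0.0/16")]


def address_kind(addr: str) -> str:
    """Classify an IPv4 address as 'private', 'cgnat', 'local' or 'public'.

    Explicit ranges are used rather than ipaddress.is_private, which also flags the
    documentation ranges this example uses as stand-ins for public addresses.
    """
    ip = ipaddress.ip_address(addr)
    if any(ip in net for net in RFC1918):
        return "private"
    if ip in CGNAT:
        return "cgnat"
    if any(ip in net for net in LOCAL):
        return "local"
    return "public"


def nat_position(router_wan_ip: str, externally_seen_ip: str) -> str:
    """Work out whether the router is the edge device or hidden behind another NAT.

    router_wan_ip      - the WAN address shown on the router's status page
    externally_seen_ip - the address an outside service reports for the connection
    """
    kind = address_kind(router_wan_ip)
    same = ipaddress.ip_address(router_wan_ip) == ipaddress.ip_address(externally_seen_ip)
    if kind == "cgnat":
        return "cgnat"             # ISP shares one public IP across customers; no inbound scans reach you
    if kind in ("private", "local"):
        return "double-nat"        # another router/gateway in front (e.g. ISP box not in bridge mode)
    if same:
        return "edge"              # router terminates the public address: expect scanner hits in the IPS log
    return "public-but-masked"     # WAN is public but outbound traffic leaves via a VPN client or proxy


def expect_ips_hits(position: str) -> bool:
    """Only a router whose WAN interface holds a public address sees unsolicited probes."""
    return position in ("edge", "public-but-masked")


if __name__ == "__main__":
    # Constructed sample pairs: (router WAN address, address seen from outside).
    samples = [
        ("203.0.113.10", "203.0.113.10"),  # ISP modem in bridge mode: router is the edge
        ("192.168.0.2", "203.0.113.10"),   # ISP box still routing: double NAT
        ("100.64.3.7", "203.0.113.10"),    # carrier-grade NAT
        ("203.0.113.10", "198.51.100.5"),  # WAN is public but traffic leaves via a VPN client
    ]
    for wan, ext in samples:
        pos = nat_position(wan, ext)
        print(f"WAN {wan:<14} seen as {ext:<14} -> {pos:<18} IPS hits expected: {expect_ips_hits(pos)}")
```

A router in the "double-nat" or "cgnat" position will keep showing 0 hits no matter how it is configured, because the scans stop at the device in front of it; that device, not the Asus, is the one whose exposed services matter.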
 
