
Intrusion Attack - Server-Oracle all_table_access (Docker/Nextcloud)

Strangely enough, I have "attacks" on my Docker host (PhotonOS) from time to time, and the gateway is always shown as the attacker (in this case my XG firewall with SFOS v18). Is there a reason why this happens? How do I best proceed in this case? See the report attached as a PDF in this post. There is no Oracle database behind the host, just MySQL and PostgreSQL...

5344.Intrusion attacks_18Apr2020_19Apr2020.pdf

Here are the specific logfiles from the Live Log Viewer:



  • Hi  

    Based on the log viewer snippet, traffic is passing via rule id 12. Is it a DNAT rule toward the server with MASQ on? If yes, you may try removing MASQ, so that will help us to get the details of the original source IP who is generating hits.  

    There could be a possibility of a "False Positive" as well, but on the other side, some portion of the request may have a header that matches this signature criteria, and then IPS marking or detection may also trigger. 

    Based on the attached PDF, it is triggered on TCP:8888. Please confirm, after removing MASQ on the rule, whether it is triggering the same signature on the same port all the time from different source IPs. 

    If yes, and if traffic is not high on TCP:8888, we would need to capture a PCAP along with IPS debug to narrow it down further.

  • Hi Vishal,

    Nope, no extra DNAT rule, "just WAF".
    The web server is a docker host and publishes the Nextcloud container on 8888/TCP.

    Maybe I should create an extra IPS policy for linux-server and leave Oracle-Server out?
    Currently I'm just using the default WAN to DMZ IPS policy from Sophos.

    Best regards

  • Hi  

    Thanks for more information. 

    As it is a WAF rule (not a DNAT rule): when a client establishes a connection and accesses the web server, the web server does not obtain the client's real IP address. The server obtains the address of the interface used by the web application firewall (WAF) because the connection is made through the WAF. The client's real IP address is available in the HTTP header.

    docs.sophos.com/.../WebServerProtectionRule.html

    The above information is documented under "Description" of "Hosted address". For this reason you see the XG firewall IP as the attacker IP.

    Sure, you may give it a try by creating an extra IPS policy for Linux-server, leaving Oracle-Server out, and then check the issue status further.

    If the issue is still present, then capturing a PCAP on the TCP port along with IPS debug will be required.
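    As an added illustration of the point above that the real client IP is carried in the HTTP header (this is not code from the thread or from Sophos): assuming the WAF forwards an X-Forwarded-For header and the web server behind it logs that header as the last field, the snippet below recovers the real client behind the firewall IP while refusing to believe header values the WAF did not add. The XG interface address and the log lines are constructed.

```python
import ipaddress
import re
from typing import List, Optional, Set, Tuple

# Hypothetical XG WAF interface address (TEST-NET-1); the only peer whose X-Forwarded-For we believe.
TRUSTED_PROXIES: Set[str] = {"192.0.2.1"}

# Constructed web-server access log for the Nextcloud host on 8888/TCP; the last field is the
# X-Forwarded-For header the WAF passes along (an empty field means the header was absent).
SAMPLE_LOG = [
    '192.0.2.1 - - [18/Apr/2020:19:42:01 +0200] "PUT /remote.php/webdav/tool.exe HTTP/1.1" 403 "203.0.113.7"',
    '192.0.2.1 - - [18/Apr/2020:19:43:10 +0200] "GET /index.php/login HTTP/1.1" 200 "10.0.0.5, 203.0.113.9"',
    '198.51.100.4 - - [18/Apr/2020:19:44:00 +0200] "GET / HTTP/1.1" 200 "203.0.113.20"',
]

LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "([^"]*)" (\d{3}) "([^"]*)"$')


def real_client_ip(remote_addr: str, xff: Optional[str], trusted: Set[str]) -> str:
    """Return the address the trusted proxy saw, or the peer address if the header is untrustworthy.

    X-Forwarded-For is client-controlled text, so only the hop appended by a proxy we trust is
    reliable: walk the list from the right, skip trusted proxies, and stop at the first other hop.
    """
    if remote_addr not in trusted or not xff:
        return remote_addr  # did not arrive via the WAF (or no header): nothing to unwrap
    hops = [h.strip() for h in xff.split(",") if h.strip()]
    for hop in reversed(hops):
        try:
            ipaddress.ip_address(hop)
        except ValueError:
            return remote_addr  # malformed hop: do not guess, fall back to the peer address
        if hop not in trusted:
            return hop
    return remote_addr  # every hop was a trusted proxy


def resolve_log(lines: List[str], trusted: Set[str]) -> List[Tuple[str, str, str]]:
    """Return (timestamp, request line, real client IP) for each parseable access-log line."""
    out = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines in another format rather than mis-attributing them
        remote, ts, request, _status, xff = m.groups()
        out.append((ts, request, real_client_ip(remote, xff, trusted)))
    return out


if __name__ == "__main__":
    for ts, request, ip in resolve_log(SAMPLE_LOG, TRUSTED_PROXIES):
        print(f"{ts}  {ip:<15}  {request}")
```

    The second sample line shows why the walk starts from the right: the client-supplied "10.0.0.5" is ignored and only "203.0.113.9", the hop the WAF itself appended, is reported.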

  • Okay, I think I'm getting closer to the solution.
    The IPS seems to recognize the upload of .exe files to the Nextcloud as "SERVER-OTHER Easy File Sharing Server remote code execution attempt" (SID 40382). At least the upload of .bin and .exe files is not possible; in Nextcloud it is not obvious why. I will adjust the policy accordingly and see if the upload is possible again, or if this was the cause.

    Thanks for your help!

    So here is how I solved my IPS false positive:

    1. Create a new IPS policy at PROTECT > Intrusion prevention > IPS policies with a click on "Add".
    2. Clone the settings of the previously used IPS policy into the just created IPS policy.
    3. Click on "Save".
    4. Search in the IPS logs for the SignatureID (SID) of the false positive that occurred.
    5. Go back to the newly created IPS policy and add a new rule, for example named "Exceptions". Now use the SID filter to select the ID that you looked up in step 4. Select the option "Allow Packet" in the action drop-down field.
    6. Verify that the exception rule is above the other rules in the policy.
    7. Activate the just created IPS policy in the corresponding firewall rule.

    I did the same with the Server_Oracle all_table_access error, and now I have a working and smooth IPS on my XG. :)