Any experience with an excessive number of ThunderVPN hits?

The issue is under review of Sophos Labs. 

Thank you.  There was a pattern update this AM to 18.18.58 but it didn't seem to address this.  Please keep us up to date.

I will see what I can capture. I see about 100 hits, but 288B of data (bytes) which makes capture difficult.

ian

I had a case open for this issue.  Support's answer was to have me create a workaround FW rule to allow NTP traffic at the top of the rule stack.  The tech led me to believe this was being worked on and to wait for a pattern update.  Not an acceptable answer, but eh, what else was I supposed to do?  So my case is closed now.

That said, I'd be happy to try and collect what you need, as I disabled that FW rule just now and no surprise I'm getting tons of blocks for Thunder VPN again on UDP/123.  

But, can you be a bit more specific on what to run and HOW to run the commands?  I tried the first command you mentioned above from CLI by SSH'ing into my FW, but the command doesn't run as you've got it typed.  The conntrak command doesn't seem to exist, as I recall when I tried it.  Glad to try and help if you can help me with more detail.

You need to perform both on the advanced Shell. Option 5 / 3. 

I've got a pcap file and the output from the conntrak command.  How can I get them to you?

You can send me a PM.

I have the same problem. Every day 2-3K blocked connections due to ThunderVPN but I don't have this software installed on any device. The connected devices are an iPhone. Please help.  

Hi folks,

there appears to be some progress on this issue, while still seeing thundervpn in the daily report and the GUI, I am also seeing NTP  as being reported correctly in the daily reports.

The daily reports usually take at least 24 hours to catchup. I will investigate further.

Ian

Let me know what you did differently, I'm not seeing any dramatic improvement.  When I used the App rule to block level 5 (which I do) I see tens of thousands of Thunder VPN (Port 123) block exceptions every day.    I'm at 18.18.60.  So much that it impairs a number of IoT devices that depend on this.  I had to put a Thunder VPN App allow rule in to stabilize my system.  Would be REALLY NICE to see Sophos fix this.   Thanks

Those pattern are created by Sophos Labs. Therefore it is currently under investigation. If you have a pcap (Packet capture) of this NTP traffic, feel free to submit this: support.sophos.com/.../filesubmission

Hi,

I spoke too soon, today's report shows thundervpn thundering along and ump 123 back to unclassified. The interesting thing about this is on  my system it only affects the apple devices. The NTP server has its own rule and that traffic is not classified as thundervpn. I suppose I could disabled the IPS on the internal rules to remove the incorrect reporting.

Ian

The really stupid thing is not all NTP traffic is classified as thundervpn.

Hi,

I spoke too soon, today's report shows thundervpn thundering along and ump 123 back to unclassified. The interesting thing about this is on  my system it only affects the apple devices. The NTP server has its own rule and that traffic is not classified as thundervpn. I suppose I could disabled the IPS on the internal rules to remove the incorrect reporting.

Ian

The really stupid thing is not all NTP traffic is classified as thundervpn.