
sophostest.com - unable to test due to Sophos Scan exclusion recommendations

Hey, I cannot test our XG with the test site you are providing: https://sophostest.com/

I've asked this once but forgot. Today I wanted to verify something but couldn't even find the request in the web filter log.

Of course, I could browse all the bad test sites.

This is because your test site is running on the same cloud servers, probably cloudfront.net, as you use for Sophos / Central services. And for those cloud servers (FQDN) there are http/https exceptions, so the requests are not even scanned by the web filter.

Bad design for a (malware) test-site.

Can you please put the site on some stand-alone server so we can use it for testing the filters?

During my tests the site had the IP 13.225.87.17.


  • I thought of that, but I think it will have a bad impact on Central / Intercept X communication.

    In the logs I can see that a lot of computers are communicating with the IPs belonging to sophostest.com.

  • Then open a support case.

    But I don't think anything will change.

  • Where do you use sophostest.com as a recommended exclusion? Because basically you should not exclude this. And my tests always block this website.

  • sophostest.com is not in the exclusion list.

    But some FQDNs in the recommended exclusions also include the IPv4 of sophostest.com.

  • Where do you use sophostest.com as a recommended exclusion?

    Nowhere. Browsing to this site goes into the firewall rule belonging to the Sophos Central exceptions.

    btw: it seems to run on some AWS site:

  • sophostest.com is externally hosted and does not have any relation to Sophos. If you know a recommended read or anything which recommends excluding this, then feel free to report it so it gets removed.

    Then again: why do you have a firewall rule including sophostest.com?

  • I'm not including this site. Caught my point?

    This rule matches only because the same IPv4 is used by sophostest.com and some other Sophos stuff.

    One example:

    "During my tests the site had the IP 13.225.87.17"

  • Do you have an output of the log viewer using this 13. IP? Because sophostest.com should not use a Sophos-known address.

  • Firewall 2021-08-06 14:33:50
    messageid="00001" log_type="Firewall" log_component="Firewall Rule" log_subtype="Allowed" status="Allow" con_duration="181" fw_rule_id="98" nat_rule_id="6" policy_type="1" user="myname@ourdomain.name" user_group="ccc.ccc" web_policy_id="0" ips_policy_id="0" appfilter_policy_id="0" app_name="Secure Socket Layer Protocol" app_risk="1" app_technology="Network Protocol" app_category="Infrastructure" vlan_id="" ether_type="Unknown (0x0000)" bridge_name="" bridge_display_name="" in_interface="lag0.222" in_display_interface="lag0.222" out_interface="lag0.2524" out_display_interface="lag0.2524" src_mac="00:50:56:85:00:2E" dst_mac="C8:4F:86:FC:00:0D" src_ip="xxx.xxx.xxx.xxx" src_country="R1" dst_ip="13.225.87.17" dst_country="USA" protocol="TCP" src_port="50446" dst_port="443" packets_sent="75" packets_received="192" bytes_sent="5013" bytes_received="247475" src_trans_ip="xxx.xxx.xxx.ddd" src_trans_port="0" dst_trans_ip="" dst_trans_port="0" src_zone_type="LAN" src_zone="LAN" dst_zone_type="WAN" dst_zone="WAN" con_direction="" con_event="Stop" con_id="782242816" virt_con_id="" hb_status="No Heartbeat" message="" appresolvedby="Signature" app_is_cloud="0"
    Firewall 2021-08-06 14:30:59
    messageid="00001" log_type="Firewall" log_component="Firewall Rule" log_subtype="Allowed" status="Allow" con_duration="11" fw_rule_id="98" nat_rule_id="6" policy_type="1" user="myname@ourdomain.name" user_group="ccc.ccc" web_policy_id="0" ips_policy_id="0" appfilter_policy_id="0" app_name="Secure Socket Layer Protocol" app_risk="1" app_technology="Network Protocol" app_category="Infrastructure" vlan_id="" ether_type="Unknown (0x0000)" bridge_name="" bridge_display_name="" in_interface="lag0.222" in_display_interface="lag0.222" out_interface="lag0.2524" out_display_interface="lag0.2524" src_mac="00:50:56:85:00:2E" dst_mac="C8:4F:86:FC:00:0D" src_ip="xxx.xxx.xxx.xxx" src_country="R1" dst_ip="13.225.87.17" dst_country="USA" protocol="TCP" src_port="50443" dst_port="443" packets_sent="64" packets_received="184" bytes_sent="4247" bytes_received="246441" src_trans_ip="xxx.xxx.xxx.ddd" src_trans_port="0" dst_trans_ip="" dst_trans_port="0" src_zone_type="LAN" src_zone="LAN" dst_zone_type="WAN" dst_zone="WAN" con_direction="" con_event="Stop" con_id="1143560768" virt_con_id="" hb_status="No Heartbeat" message="" appresolvedby="Signature" app_is_cloud="0"
    Firewall 2021-08-06 14:30:58
    messageid="00001" log_type="Firewall" log_component="Firewall Rule" log_subtype="Allowed" status="Allow" con_duration="11" fw_rule_id="98" nat_rule_id="6" policy_type="1" user="myname@ourdomain.name" user_group="ccc.ccc" web_policy_id="0" ips_policy_id="0" appfilter_policy_id="0" app_name="Secure Socket Layer Protocol" app_risk="1" app_technology="Network Protocol" app_category="Infrastructure" vlan_id="" ether_type="Unknown (0x0000)" bridge_name="" bridge_display_name="" in_interface="lag0.222" in_display_interface="lag0.222" out_interface="lag0.2524" out_display_interface="lag0.2524" src_mac="00:50:56:85:00:2E" dst_mac="C8:4F:86:FC:00:0D" src_ip="xxx.xxx.xxx.xxx" src_country="R1" dst_ip="13.225.87.17" dst_country="USA" protocol="TCP" src_port="50440" dst_port="443" packets_sent="18" packets_received="18" bytes_sent="2283" bytes_received="7763" src_trans_ip="xxx.xxx.xxx.ddd" src_trans_port="0" dst_trans_ip="" dst_trans_port="0" src_zone_type="LAN" src_zone="LAN" dst_zone_type="WAN" dst_zone="WAN" con_direction="" con_event="Stop" con_id="1165648512" virt_con_id="" hb_status="No Heartbeat" message="" appresolvedby="Signature" app_is_cloud="0"
    Firewall 2021-08-06 14:30:58
    messageid="00001" log_type="Firewall" log_component="Firewall Rule" log_subtype="Allowed" status="Allow" con_duration="11" fw_rule_id="98" nat_rule_id="6" policy_type="1" user="myname@ourdomain.name" user_group="ccc.ccc" web_policy_id="0" ips_policy_id="0" appfilter_policy_id="0" app_name="Secure Socket Layer Protocol" app_risk="1" app_technology="Network Protocol" app_category="Infrastructure" vlan_id="" ether_type="Unknown (0x0000)" bridge_name="" bridge_display_name="" in_interface="lag0.222" in_display_interface="lag0.222" out_interface="lag0.2524" out_display_interface="lag0.2524" src_mac="00:50:56:85:00:2E" dst_mac="C8:4F:86:FC:00:0D" src_ip="xxx.xxx.xxx.xxx" src_country="R1" dst_ip="13.225.87.17" dst_country="USA" protocol="TCP" src_port="50437" dst_port="443" packets_sent="7" packets_received="7" bytes_sent="809" bytes_received="5819" src_trans_ip="xxx.xxx.xxx.ddd" src_trans_port="0" dst_trans_ip="" dst_trans_port="0" src_zone_type="LAN" src_zone="LAN" dst_zone_type="WAN" dst_zone="WAN" con_direction="" con_event="Stop" con_id="3963242688" virt_con_id="" hb_status="No Heartbeat" message="" appresolvedby="Signature" app_is_cloud="0"
    Firewall 2021-08-06 14:30:53
    messageid="00001" log_type="Firewall" log_component="Firewall Rule" log_subtype="Allowed" status="Allow" con_duration="10" fw_rule_id="98" nat_rule_id="6" policy_type="1" user="myname@ourdomain.name" user_group="ccc.ccc" web_policy_id="0" ips_policy_id="0" appfilter_policy_id="0" app_name="" app_risk="0" app_technology="" app_category="" vlan_id="" ether_type="Unknown (0x0000)" bridge_name="" bridge_display_name="" in_interface="lag0.222" in_display_interface="lag0.222" out_interface="lag0.2524" out_display_interface="lag0.2524" src_mac="00:50:56:85:00:2E" dst_mac="C8:4F:86:FC:00:0D" src_ip="xxx.xxx.xxx.xxx" src_country="R1" dst_ip="13.225.87.17" dst_country="USA" protocol="TCP" src_port="50432" dst_port="443" packets_sent="4" packets_received="2" bytes_sent="172" bytes_received="92" src_trans_ip="xxx.xxx.xxx.ddd" src_trans_port="0" dst_trans_ip="" dst_trans_port="0" src_zone_type="LAN" src_zone="LAN" dst_zone_type="WAN" dst_zone="WAN" con_direction="" con_event="Stop" con_id="2024355136" virt_con_id="" hb_status="No Heartbeat" message="" appresolvedby="Signature" app_is_cloud="0"
    Firewall 2021-08-06 14:10:42
    messageid="00001" log_type="Firewall" log_component="Firewall Rule" log_subtype="Allowed" status="Allow" con_duration="17" fw_rule_id="98" nat_rule_id="6" policy_type="1" user="othername@ourdomain.name" user_group="ccc.ccc" web_policy_id="0" ips_policy_id="0" appfilter_policy_id="0" app_name="Secure Socket Layer Protocol" app_risk="1" app_technology="Network Protocol" app_category="Infrastructure" vlan_id="" ether_type="Unknown (0x0000)" bridge_name="" bridge_display_name="" in_interface="ccc.ccccc" in_display_interface="yyy-yyy" out_interface="lag0.2524" out_display_interface="lag0.2524" src_mac="A0:66:10:09:A0:08" dst_mac="00:98:7A:5A:5D:86" src_ip="xxx.xxx.xxx.yyy" src_country="R1" dst_ip="13.225.87.17" dst_country="USA" protocol="TCP" src_port="51019" dst_port="443" packets_sent="20" packets_received="65" bytes_sent="3117" bytes_received="70470" src_trans_ip="xxx.xxx.xxx.ddd" src_trans_port="0" dst_trans_ip="" dst_trans_port="0" src_zone_type="LAN" src_zone="LAN" dst_zone_type="WAN" dst_zone="WAN" con_direction="" con_event="Stop" con_id="1150146496" virt_con_id="" hb_status="No Heartbeat" message="" appresolvedby="Signature" app_is_cloud="0"
    Firewall 2021-08-06 13:48:43
    messageid="00001" log_type="Firewall" log_component="Firewall Rule" log_subtype="Allowed" status="Allow" con_duration="252" fw_rule_id="98" nat_rule_id="6" policy_type="1" user="othername@ourdomain.name" user_group="ccc-ccc-cccc" web_policy_id="0" ips_policy_id="0" appfilter_policy_id="0" app_name="Secure Socket Layer Protocol" app_risk="1" app_technology="Network Protocol" app_category="Infrastructure" vlan_id="" ether_type="Unknown (0x0000)" bridge_name="" bridge_display_name="" in_interface="lag0.7" in_display_interface="lag0.7" out_interface="lag0.2524" out_display_interface="lag0.2524" src_mac="A0:66:10:05:D0:FB" dst_mac="C8:4F:86:FC:00:0D" src_ip="xxx.xxx.xxx.yyy" src_country="R1" dst_ip="13.225.87.17" dst_country="USA" protocol="TCP" src_port="64306" dst_port="443" packets_sent="40" packets_received="230" bytes_sent="3034" bytes_received="309336" src_trans_ip="xxx.xxx.xxx.ddd" src_trans_port="0" dst_trans_ip="" dst_trans_port="0" src_zone_type="LAN" src_zone="LAN" dst_zone_type="WAN" dst_zone="WAN" con_direction="" con_event="Stop" con_id="1167646720" virt_con_id="" hb_status="No Heartbeat" message="" appresolvedby="Signature" app_is_cloud="0"
    Firewall 2021-08-06 13:21:15
    messageid="00001" log_type="Firewall" log_component="Firewall Rule" log_subtype="Allowed" status="Allow" con_duration="11" fw_rule_id="98" nat_rule_id="6" policy_type="1" user="" user_group="" web_policy_id="0" ips_policy_id="0" appfilter_policy_id="0" app_name="Secure Socket Layer Protocol" app_risk="1" app_technology="Network Protocol" app_category="Infrastructure" vlan_id="" ether_type="Unknown (0x0000)" bridge_name="" bridge_display_name="" in_interface="lag0.2" in_display_interface="ccc-ccc" out_interface="lag0.2524" out_display_interface="lag0.2524" src_mac="54:BF:64:35:9E:2C" dst_mac="C8:4F:86:FC:00:0D" src_ip="xxx.xxx.xxx.yyy" src_country="R1" dst_ip="13.225.87.17" dst_country="USA" protocol="TCP" src_port="49758" dst_port="443" packets_sent="23" packets_received="19" bytes_sent="10032" bytes_received="7287" src_trans_ip="xxx.xxx.xxx.ddd" src_trans_port="0" dst_trans_ip="" dst_trans_port="0" src_zone_type="LAN" src_zone="LAN" dst_zone_type="WAN" dst_zone="WAN" con_direction="" con_event="Stop"

    rule 98: Sophos Central

    see below:

    • *.cloudfront.net
    • *.sophos.com
    • *.sophosupd.com
    • *.sophosupd.net
    • *.sophosxl.net
    • ocsp.globalsign.com
    • ocsp2.globalsign.com
    • crl.globalsign.com
    • crl.globalsign.net
    • ocsp.digicert.com
    • crl3.digicert.com
    • crl4.digicert.com
    • tf-edr-message-upload-eu-central-1-prod-bucket.s3.amazonaws.
    • tf-edr-message-upload-eu-west-1-prod-bucket.s3.amazonaws.com
    • tf-edr-message-upload-us-east-2-prod-bucket.s3.amazonaws.com
    • tf-edr-message-upload-us-west-2-prod-bucket.s3.amazonaws.com
    • kinesis.us-west-2.amazonaws.com
    • prod.endpointintel.darkbytes.io
    • mcs2-cloudstation-eu-central-1.prod.hydra.sophos.com
    • mcs2-cloudstation-eu-west-1.prod.hydra.sophos.com
    • mcs2-cloudstation-us-east-2.prod.hydra.sophos.com
    • mcs2-cloudstation-us-west-2.prod
  • Still not clear to me. 

    We have four IPs behind sophostest.com.

    Domain Name # sophostest.com
    Resolved Address 1# 65.9.73.24
    Resolved Address 2# 65.9.73.79
    Resolved Address 3# 65.9.73.56
    Resolved Address 4# 65.9.73.114

    Do you think this IP is behind one of those DNS records?
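The two things the thread turns on, whether the exception rule let the sophostest.com connections through with no web policy applied, and whether the addresses involved sit in a shared CDN range that a wildcard FQDN like *.cloudfront.net would also cover, can both be checked from the log excerpt posted above. The following Python is an added example written for this page; it is not code from the thread, from Sophos, or from any Sophos tool. The sample records are copied from the posted excerpt and trimmed to the fields used (plus one constructed record for contrast), the function names are mine, and the CDN prefix list is an assumed placeholder: for a real check, load the prefixes tagged "CLOUDFRONT" from https://ip-ranges.amazonaws.com/ip-ranges.json instead.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample log. The first three records are copied from the excerpt
# posted in this thread, trimmed to the fields used below; the fourth record
# is invented for contrast: same destination, but matched by a different rule
# that does have a web policy attached, so it is not an unfiltered allow.
SAMPLE_LOG = '''\
messageid="00001" log_type="Firewall" log_component="Firewall Rule" log_subtype="Allowed" status="Allow" fw_rule_id="98" web_policy_id="0" app_name="Secure Socket Layer Protocol" src_ip="xxx.xxx.xxx.xxx" dst_ip="13.225.87.17" protocol="TCP" dst_port="443" bytes_received="247475" con_event="Stop"
messageid="00001" log_type="Firewall" log_component="Firewall Rule" log_subtype="Allowed" status="Allow" fw_rule_id="98" web_policy_id="0" app_name="Secure Socket Layer Protocol" src_ip="xxx.xxx.xxx.xxx" dst_ip="13.225.87.17" protocol="TCP" dst_port="443" bytes_received="246441" con_event="Stop"
messageid="00001" log_type="Firewall" log_component="Firewall Rule" log_subtype="Allowed" status="Allow" fw_rule_id="98" web_policy_id="0" app_name="" src_ip="xxx.xxx.xxx.xxx" dst_ip="13.225.87.17" protocol="TCP" dst_port="443" bytes_received="92" con_event="Stop"
messageid="00001" log_type="Firewall" log_component="Firewall Rule" log_subtype="Allowed" status="Allow" fw_rule_id="12" web_policy_id="5" app_name="Secure Socket Layer Protocol" src_ip="xxx.xxx.xxx.yyy" dst_ip="13.225.87.17" protocol="TCP" dst_port="443" bytes_received="70470" con_event="Stop"
'''

# One key="value" pair; values in this format are double-quoted and may be empty.
KV_RE = re.compile(r'(\w+)="([^"]*)"')


def parse_record(line):
    """Parse one key="value" firewall log record into a dict (all values stay strings)."""
    return dict(KV_RE.findall(line))


def parse_log(text):
    return [parse_record(line) for line in text.splitlines() if line.strip()]


def unfiltered_allows(records, rule_id="98"):
    """Connections allowed by rule_id with no web policy attached.

    In the posted records web_policy_id="0" goes together with the connections
    that never showed up in the web filter log, so that is the signature used.
    """
    return [
        r for r in records
        if r.get("log_type") == "Firewall"
        and r.get("status") == "Allow"
        and r.get("fw_rule_id") == rule_id
        and r.get("web_policy_id") == "0"
    ]


def destinations(records):
    """Count how often each dst_ip appears, to see which hosts the rule swallowed."""
    return Counter(r["dst_ip"] for r in records if "dst_ip" in r)


# Assumed, illustrative CDN prefixes (placeholders, not authoritative).
# Replace with the "CLOUDFRONT" prefixes from ip-ranges.json for a real check.
ASSUMED_CDN_PREFIXES = [ipaddress.ip_network(p) for p in ("13.224.0.0/14", "65.9.0.0/17")]


def match_prefix(ip, prefixes=ASSUMED_CDN_PREFIXES):
    """Return the first prefix containing ip, or None. Works for IPv4 and IPv6."""
    addr = ipaddress.ip_address(ip)
    for net in prefixes:
        if addr.version == net.version and addr in net:
            return str(net)
    return None


def audit(text, rule_id="98", prefixes=ASSUMED_CDN_PREFIXES):
    """Summarise which destinations an exception rule let through unfiltered and
    which of them sit in a shared CDN prefix, where a wildcard FQDN such as
    *.cloudfront.net would also match unrelated sites hosted on the same CDN."""
    hits = unfiltered_allows(parse_log(text), rule_id)
    return {
        ip: {"connections": n, "cdn_prefix": match_prefix(ip, prefixes)}
        for ip, n in destinations(hits).items()
    }


if __name__ == "__main__":
    for ip, info in audit(SAMPLE_LOG).items():
        where = f"in {info['cdn_prefix']}" if info["cdn_prefix"] else "not in a known CDN prefix"
        print(f"rule 98 allowed {info['connections']} unfiltered connection(s) to {ip} ({where})")
```

Run against a full log viewer export, the report lists every destination the exception rule matched without a web policy. A destination that is in a CDN prefix but is not one of your own vendor's hosts is exactly the case the thread describes: the resolved addresses of sophostest.com (65.9.73.x) and the address seen during the test (13.225.87.17) differ, but both fall in shared CDN space, so a wildcard FQDN object covers them all.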