
sophostest.com - unable to test due to Sophos Scan exclusion recommendations

Hey, I cannot test our XG with the test site you are providing: https://sophostest.com/

I've asked this once but forgot. Today I wanted to verify something but couldn't even find the request in the web filter log.

Of course, I could browse all the bad test sites.

This is because your test site is running on the same cloud servers, probably cloudfront.net, as you use for Sophos / Central services. And for those cloud servers (FQDN) there are http/https exceptions, so the requests are not even scanned by the web filter.

Bad design for a (malware) test-site.

Can you please put the site on some stand-alone server so we can use it for testing the filters?

During my tests the site had the IP 13.225.87.17

  • Why? There are http and https rules towards the Sophos / Central servers.

    https://docs.sophos.com/central/Customer/help/en-us/central/Customer/concepts/DomainsPorts.html

    Ports

    You must add the following ports.

    • 80 (HTTP)
    • 443 (HTTPS)

    and really, this sucks: *.cloudfront.net, amazonaws.com

  • sophostest.com is not in the exclusion list.

    But some FQDNs in the recommended exclusions also include the IPv4 of sophostest.com.

  • Where do you use sophostest.com as a recommend exclusion?

    Nowhere. Browsing to this site goes into the firewall rule belonging to the Sophos Central Exceptions.

    btw: seems to run on some AWS site:

  • sophostest.com is externally hosted and does not have any relation to Sophos. If you know a recommended read or anything which recommends excluding this, then feel free to report it so it gets removed.

    Then again: Why do you have a firewall rule including sophostest.com? 

  • I'm not including this site.  catched my point.

    This rule matches only because the same IPv4 is used by sophostest.com and some other sophos stuff.

    One example:

    "During my tests the site had the IP 13.225.87.17"

  • Do you have an output of the logviewer using this 13. IP? Because sophostest.com should not use a Sophos known address.

  • Firewall
    2021-08-06 14:33:50
    messageid="00001" log_type="Firewall" log_component="Firewall Rule" log_subtype="Allowed" status="Allow" con_duration="181" fw_rule_id="98" nat_rule_id="6" policy_type="1" user="myname@ourdomain.name" user_group="ccc.ccc" web_policy_id="0" ips_policy_id="0" appfilter_policy_id="0" app_name="Secure Socket Layer Protocol" app_risk="1" app_technology="Network Protocol" app_category="Infrastructure" vlan_id="" ether_type="Unknown (0x0000)" bridge_name="" bridge_display_name="" in_interface="lag0.222" in_display_interface="lag0.222" out_interface="lag0.2524" out_display_interface="lag0.2524" src_mac="00:50:56:85:00:2E" dst_mac="C8:4F:86:FC:00:0D" src_ip="xxx.xxx.xxx.xxx" src_country="R1" dst_ip="13.225.87.17" dst_country="USA" protocol="TCP" src_port="50446" dst_port="443" packets_sent="75" packets_received="192" bytes_sent="5013" bytes_received="247475" src_trans_ip="xxx.xxx.xxx.ddd" src_trans_port="0" dst_trans_ip="" dst_trans_port="0" src_zone_type="LAN" src_zone="LAN" dst_zone_type="WAN" dst_zone="WAN" con_direction="" con_event="Stop" con_id="782242816" virt_con_id="" hb_status="No Heartbeat" message="" appresolvedby="Signature" app_is_cloud="0"

    Firewall
    2021-08-06 14:30:59
    messageid="00001" log_type="Firewall" log_component="Firewall Rule" log_subtype="Allowed" status="Allow" con_duration="11" fw_rule_id="98" nat_rule_id="6" policy_type="1" user="myname@ourdomain.name" user_group="ccc.ccc" web_policy_id="0" ips_policy_id="0" appfilter_policy_id="0" app_name="Secure Socket Layer Protocol" app_risk="1" app_technology="Network Protocol" app_category="Infrastructure" vlan_id="" ether_type="Unknown (0x0000)" bridge_name="" bridge_display_name="" in_interface="lag0.222" in_display_interface="lag0.222" out_interface="lag0.2524" out_display_interface="lag0.2524" src_mac="00:50:56:85:00:2E" dst_mac="C8:4F:86:FC:00:0D" src_ip="xxx.xxx.xxx.xxx" src_country="R1" dst_ip="13.225.87.17" dst_country="USA" protocol="TCP" src_port="50443" dst_port="443" packets_sent="64" packets_received="184" bytes_sent="4247" bytes_received="246441" src_trans_ip="xxx.xxx.xxx.ddd" src_trans_port="0" dst_trans_ip="" dst_trans_port="0" src_zone_type="LAN" src_zone="LAN" dst_zone_type="WAN" dst_zone="WAN" con_direction="" con_event="Stop" con_id="1143560768" virt_con_id="" hb_status="No Heartbeat" message="" appresolvedby="Signature" app_is_cloud="0"

    Firewall
    2021-08-06 14:30:58
    messageid="00001" log_type="Firewall" log_component="Firewall Rule" log_subtype="Allowed" status="Allow" con_duration="11" fw_rule_id="98" nat_rule_id="6" policy_type="1" user="myname@ourdomain.name" user_group="ccc.ccc" web_policy_id="0" ips_policy_id="0" appfilter_policy_id="0" app_name="Secure Socket Layer Protocol" app_risk="1" app_technology="Network Protocol" app_category="Infrastructure" vlan_id="" ether_type="Unknown (0x0000)" bridge_name="" bridge_display_name="" in_interface="lag0.222" in_display_interface="lag0.222" out_interface="lag0.2524" out_display_interface="lag0.2524" src_mac="00:50:56:85:00:2E" dst_mac="C8:4F:86:FC:00:0D" src_ip="xxx.xxx.xxx.xxx" src_country="R1" dst_ip="13.225.87.17" dst_country="USA" protocol="TCP" src_port="50440" dst_port="443" packets_sent="18" packets_received="18" bytes_sent="2283" bytes_received="7763" src_trans_ip="xxx.xxx.xxx.ddd" src_trans_port="0" dst_trans_ip="" dst_trans_port="0" src_zone_type="LAN" src_zone="LAN" dst_zone_type="WAN" dst_zone="WAN" con_direction="" con_event="Stop" con_id="1165648512" virt_con_id="" hb_status="No Heartbeat" message="" appresolvedby="Signature" app_is_cloud="0"

    Firewall
    2021-08-06 14:30:58
    messageid="00001" log_type="Firewall" log_component="Firewall Rule" log_subtype="Allowed" status="Allow" con_duration="11" fw_rule_id="98" nat_rule_id="6" policy_type="1" user="myname@ourdomain.name" user_group="ccc.ccc" web_policy_id="0" ips_policy_id="0" appfilter_policy_id="0" app_name="Secure Socket Layer Protocol" app_risk="1" app_technology="Network Protocol" app_category="Infrastructure" vlan_id="" ether_type="Unknown (0x0000)" bridge_name="" bridge_display_name="" in_interface="lag0.222" in_display_interface="lag0.222" out_interface="lag0.2524" out_display_interface="lag0.2524" src_mac="00:50:56:85:00:2E" dst_mac="C8:4F:86:FC:00:0D" src_ip="xxx.xxx.xxx.xxx" src_country="R1" dst_ip="13.225.87.17" dst_country="USA" protocol="TCP" src_port="50437" dst_port="443" packets_sent="7" packets_received="7" bytes_sent="809" bytes_received="5819" src_trans_ip="xxx.xxx.xxx.ddd" src_trans_port="0" dst_trans_ip="" dst_trans_port="0" src_zone_type="LAN" src_zone="LAN" dst_zone_type="WAN" dst_zone="WAN" con_direction="" con_event="Stop" con_id="3963242688" virt_con_id="" hb_status="No Heartbeat" message="" appresolvedby="Signature" app_is_cloud="0"

    Firewall
    2021-08-06 14:30:53
    messageid="00001" log_type="Firewall" log_component="Firewall Rule" log_subtype="Allowed" status="Allow" con_duration="10" fw_rule_id="98" nat_rule_id="6" policy_type="1" user="myname@ourdomain.name" user_group="ccc.ccc" web_policy_id="0" ips_policy_id="0" appfilter_policy_id="0" app_name="" app_risk="0" app_technology="" app_category="" vlan_id="" ether_type="Unknown (0x0000)" bridge_name="" bridge_display_name="" in_interface="lag0.222" in_display_interface="lag0.222" out_interface="lag0.2524" out_display_interface="lag0.2524" src_mac="00:50:56:85:00:2E" dst_mac="C8:4F:86:FC:00:0D" src_ip="xxx.xxx.xxx.xxx" src_country="R1" dst_ip="13.225.87.17" dst_country="USA" protocol="TCP" src_port="50432" dst_port="443" packets_sent="4" packets_received="2" bytes_sent="172" bytes_received="92" src_trans_ip="xxx.xxx.xxx.ddd" src_trans_port="0" dst_trans_ip="" dst_trans_port="0" src_zone_type="LAN" src_zone="LAN" dst_zone_type="WAN" dst_zone="WAN" con_direction="" con_event="Stop" con_id="2024355136" virt_con_id="" hb_status="No Heartbeat" message="" appresolvedby="Signature" app_is_cloud="0"

    Firewall
    2021-08-06 14:10:42
    messageid="00001" log_type="Firewall" log_component="Firewall Rule" log_subtype="Allowed" status="Allow" con_duration="17" fw_rule_id="98" nat_rule_id="6" policy_type="1" user="othername@ourdomain.name" user_group="ccc.ccc" web_policy_id="0" ips_policy_id="0" appfilter_policy_id="0" app_name="Secure Socket Layer Protocol" app_risk="1" app_technology="Network Protocol" app_category="Infrastructure" vlan_id="" ether_type="Unknown (0x0000)" bridge_name="" bridge_display_name="" in_interface="ccc.ccccc" in_display_interface="yyy-yyy" out_interface="lag0.2524" out_display_interface="lag0.2524" src_mac="A0:66:10:09:A0:08" dst_mac="00:98:7A:5A:5D:86" src_ip="xxx.xxx.xxx.yyy" src_country="R1" dst_ip="13.225.87.17" dst_country="USA" protocol="TCP" src_port="51019" dst_port="443" packets_sent="20" packets_received="65" bytes_sent="3117" bytes_received="70470" src_trans_ip="xxx.xxx.xxx.ddd" src_trans_port="0" dst_trans_ip="" dst_trans_port="0" src_zone_type="LAN" src_zone="LAN" dst_zone_type="WAN" dst_zone="WAN" con_direction="" con_event="Stop" con_id="1150146496" virt_con_id="" hb_status="No Heartbeat" message="" appresolvedby="Signature" app_is_cloud="0"

    Firewall
    2021-08-06 13:48:43
    messageid="00001" log_type="Firewall" log_component="Firewall Rule" log_subtype="Allowed" status="Allow" con_duration="252" fw_rule_id="98" nat_rule_id="6" policy_type="1" user="othername@ourdomain.name" user_group="ccc-ccc-cccc" web_policy_id="0" ips_policy_id="0" appfilter_policy_id="0" app_name="Secure Socket Layer Protocol" app_risk="1" app_technology="Network Protocol" app_category="Infrastructure" vlan_id="" ether_type="Unknown (0x0000)" bridge_name="" bridge_display_name="" in_interface="lag0.7" in_display_interface="lag0.7" out_interface="lag0.2524" out_display_interface="lag0.2524" src_mac="A0:66:10:05:D0:FB" dst_mac="C8:4F:86:FC:00:0D" src_ip="xxx.xxx.xxx.yyy" src_country="R1" dst_ip="13.225.87.17" dst_country="USA" protocol="TCP" src_port="64306" dst_port="443" packets_sent="40" packets_received="230" bytes_sent="3034" bytes_received="309336" src_trans_ip="xxx.xxx.xxx.ddd" src_trans_port="0" dst_trans_ip="" dst_trans_port="0" src_zone_type="LAN" src_zone="LAN" dst_zone_type="WAN" dst_zone="WAN" con_direction="" con_event="Stop" con_id="1167646720" virt_con_id="" hb_status="No Heartbeat" message="" appresolvedby="Signature" app_is_cloud="0"

    Firewall
    2021-08-06 13:21:15
    messageid="00001" log_type="Firewall" log_component="Firewall Rule" log_subtype="Allowed" status="Allow" con_duration="11" fw_rule_id="98" nat_rule_id="6" policy_type="1" user="" user_group="" web_policy_id="0" ips_policy_id="0" appfilter_policy_id="0" app_name="Secure Socket Layer Protocol" app_risk="1" app_technology="Network Protocol" app_category="Infrastructure" vlan_id="" ether_type="Unknown (0x0000)" bridge_name="" bridge_display_name="" in_interface="lag0.2" in_display_interface="ccc-ccc" out_interface="lag0.2524" out_display_interface="lag0.2524" src_mac="54:BF:64:35:9E:2C" dst_mac="C8:4F:86:FC:00:0D" src_ip="xxx.xxx.xxx.yyy" src_country="R1" dst_ip="13.225.87.17" dst_country="USA" protocol="TCP" src_port="49758" dst_port="443" packets_sent="23" packets_received="19" bytes_sent="10032" bytes_received="7287" src_trans_ip="xxx.xxx.xxx.ddd" src_trans_port="0" dst_trans_ip="" dst_trans_port="0" src_zone_type="LAN" src_zone="LAN" dst_zone_type="WAN" dst_zone="WAN" con_direction="" con_event="Stop"

    rule 98: Sophos Central

    *.cloudfront.net

    see below: *.sophos.com

    • *.sophosupd.com
    • *.sophosupd.net
    • *.sophosxl.net
    • ocsp.globalsign.com
    • ocsp2.globalsign.com
    • crl.globalsign.com
    • crl.globalsign.net
    • ocsp.digicert.com
    • crl3.digicert.com
    • crl4.digicert.com
    • tf-edr-message-upload-eu-central-1-prod-bucket.s3.amazonaws.
    • tf-edr-message-upload-eu-west-1-prod-bucket.s3.amazonaws.com
    • tf-edr-message-upload-us-east-2-prod-bucket.s3.amazonaws.com
    • tf-edr-message-upload-us-west-2-prod-bucket.s3.amazonaws.com
    • kinesis.us-west-2.amazonaws.com
    • prod.endpointintel.darkbytes.io
    • mcs2-cloudstation-eu-central-1.prod.hydra.sophos.com
    • mcs2-cloudstation-eu-west-1.prod.hydra.sophos.com
    • mcs2-cloudstation-us-east-2.prod.hydra.sophos.com
    • mcs2-cloudstation-us-west-2.prod
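As an added illustration (not code from the thread or from Sophos), the script below parses SFOS key="value" firewall log lines like the ones posted above and flags allowed connections that matched the exclusion rule (assumed to be rule 98, as the post states) with no web policy attached (web_policy_id="0") and a destination that sophostest.com was seen to resolve to. The sample lines are constructed, abridged copies of the posted ones; the address set combines the 13.225.87.17 from the log with the 65.9.73.x answers quoted later in the thread.

```python
import re
from typing import Dict, Iterable, List, Set

# Constructed, abridged copies of the SFOS log lines shown in the thread (not real captures).
SAMPLE_LOG = [
    'messageid="00001" log_type="Firewall" log_component="Firewall Rule" log_subtype="Allowed" '
    'fw_rule_id="98" web_policy_id="0" dst_ip="13.225.87.17" dst_port="443" con_event="Stop"',
    'messageid="00001" log_type="Firewall" log_component="Firewall Rule" log_subtype="Allowed" '
    'fw_rule_id="98" web_policy_id="0" dst_ip="13.225.87.17" dst_port="443" con_event="Stop"',
    # Constructed control line: an ordinary browsing rule with a web policy applied.
    'messageid="00001" log_type="Firewall" log_component="Firewall Rule" log_subtype="Allowed" '
    'fw_rule_id="12" web_policy_id="3" dst_ip="65.9.73.24" dst_port="443" con_event="Stop"',
]

# Assumption: rule 98 is the "Sophos Central" exclusion rule, as the poster states.
EXCLUSION_RULES = {"98"}
# Addresses associated with sophostest.com in the thread (CDN answers change over time,
# so in practice re-resolve the host at the moment of the test).
TEST_SITE_IPS = {"65.9.73.24", "65.9.73.79", "65.9.73.56", "65.9.73.114", "13.225.87.17"}

KV_RE = re.compile(r'(\w+)="([^"]*)"')


def parse_sfos_line(line: str) -> Dict[str, str]:
    """Split an SFOS key="value" log line into a dict; empty values are kept."""
    return dict(KV_RE.findall(line))


def unscanned_test_hits(lines: Iterable[str], test_ips: Set[str],
                        exclusion_rules: Set[str]) -> List[Dict[str, str]]:
    """Return allowed connections to a test-site address that were matched by an
    exclusion rule and carried no web policy, i.e. traffic that reached the test
    site without passing through web filtering."""
    hits = []
    for line in lines:
        rec = parse_sfos_line(line)
        if rec.get("log_type") != "Firewall" or rec.get("log_subtype") != "Allowed":
            continue
        if (rec.get("fw_rule_id") in exclusion_rules
                and rec.get("web_policy_id") == "0"
                and rec.get("dst_ip") in test_ips):
            hits.append(rec)
    return hits


if __name__ == "__main__":
    for rec in unscanned_test_hits(SAMPLE_LOG, TEST_SITE_IPS, EXCLUSION_RULES):
        print(f'rule {rec["fw_rule_id"]} allowed {rec["dst_ip"]}:{rec["dst_port"]} '
              f'with web_policy_id=0 (test traffic bypassed web filtering)')
```

Feeding the real log export through the same function shows at a glance which test connections never reached the web filter because an FQDN exclusion happened to resolve to the same CDN address.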
  • Still not clear to me. 

    We have four IPs behind sophostest.com.

    Domain Name # sophostest.com
    Resolved Address 1# 65.9.73.24
    Resolved Address 2# 65.9.73.79
    Resolved Address 3# 65.9.73.56
    Resolved Address 4# 65.9.73.114

    You think this IP is behind one of those DNS records?

  • May I send you an XML of that rule so you can test it again?

  • You can share it here. I am not seeing any relationship of sophostest.com to those hosts you mentioned here or that are reflected in the KB.

  • That's a lot of work to get the XML version, I see now; I need all objects and also the NAT rule. I will not get it done today.

    But why don't you see the relation?

  • Yes. And what is the relationship to sophostest.com, which is not related to *.sophos.com? There is a wildcard and a dot, separating everything in front of .sophos.com. sophostest.com is its own domain with other IP addresses. You are showing a 13. IP; how does this IP correlate to those IPs related to sophostest.com?