(SFOS 16.01.2) IPS drops legitimate traffic to https sites like Google

After updating to SFOS 16.01.2, I am getting a lot of OpenSSL DTLS SRTP Extension Parsing Denial of Service and OpenSSL Invalid Session Ticket Denial of Service detections. If they are dropped, https sites like Google will not appear.

 

 

2016-11-30 15:48:11 | Signatures | Detect | bchrs03 | 14.139.185.66:TCP(41233) | 10.11.32.6:TCP(62730) | 1141015150 | OpenSSL DTLS SRTP Extension Parsing Denial of Service | Misc | All | All | 22 | 07001
2016-11-30 15:48:08 | Signatures | Detect | stamp103 | 14.139.185.66:TCP(41018) | 10.11.40.100:TCP(61820) | 1141015150 | OpenSSL DTLS SRTP Extension Parsing Denial of Service | Misc | All | All | 22 | 07001
2016-11-30 15:48:08 | Signatures | Detect | chemp107 | 14.139.185.66:TCP(53907) | 10.11.207.66:TCP(50179) | 1141015150 | OpenSSL DTLS SRTP Extension Parsing Denial of Service | Misc | All | All | 22 | 07001
2016-11-30 15:48:08 | Signatures | Detect | stamp103 | 14.139.185.66:TCP(36421) | 10.11.40.100:TCP(61924) | 1141015150 | OpenSSL DTLS SRTP Extension Parsing Denial of Service | Misc | All | All | 22 | 07001
2016-11-30 15:48:08 | Signatures | Detect | stamp103 | 14.139.185.66:TCP(41045) | 10.11.40.100:TCP(61920) | 1141015150 | OpenSSL DTLS SRTP Extension Parsing Denial of Service | Misc | All | All | 22 | 07001
2016-11-30 15:48:07 | Signatures | Detect | stamp103 | 14.139.185.66:TCP(41016) | 10.11.40.100:TCP(61818) | 1141015150 | OpenSSL DTLS SRTP Extension Parsing Denial of Service | Misc | All | All | 22 | 07001
2016-11-30 15:48:06 | Signatures | Detect | demps007 | 14.139.185.66:TCP(40882) | 10.11.202.33:TCP(51149) | 1141015150 | OpenSSL DTLS SRTP Extension Parsing Denial of Service | Misc | All | All | 22 | 07001
2016-11-30 15:48:06 | Signatures | Detect | btyra020 | 14.139.185.66:TCP(40898) | 10.11.8.63:TCP(49210) | 1141015150 | OpenSSL DTLS SRTP Extension Parsing Denial of Service | Misc | All | All | 22 | 07001
2016-11-30 15:48:06 | Signatures | Detect | geoms204 | 14.139.185.66:TCP(51717) | 10.11.200.3:TCP(2769) | 1141015170 | OpenSSL Invalid Session Ticket Denial of Service | Misc | All | All | 22 | 07001
2016-11-30 15:48:06 | Signatures | Detect | gispd004 | 14.139.185.66:TCP(34390) | 10.11.184.31:TCP(3275) | 1141015170 | OpenSSL Invalid Session Ticket Denial of Service | Misc | All | All | 22 | 07001
2016-11-30 15:48:06 | Signatures | Detect | stamp103 | 14.139.185.66:TCP(46070) | 10.11.40.100:TCP(61737) | 1141015170 | OpenSSL Invalid Session Ticket Denial of Service | Misc | All | All | 22 | 07001
2016-11-30 15:48:06 | Signatures | Detect | zoofac02 | 14.139.185.66:TCP(60798) | 10.11.169.78:TCP(55009) | 1141015170 | OpenSSL Invalid Session Ticket Denial of Service | Misc | All | All | 20 | 07001
2016-11-30 15:48:06 | Signatures | Detect | stamp103 | 14.139.185.66:TCP(46023) | 10.11.40.100:TCP(61735) | 1141015170 | OpenSSL Invalid Session Ticket Denial of Service | Misc | All | All | 22 | 07001
2016-11-30 15:48:06 | Signatures | Detect | stamp103 | 14.139.185.66:TCP(46074) | 10.11.40.100:TCP(61739) | 1141015170 | OpenSSL Invalid Session Ticket Denial of Service | Misc | All | All | 22 | 07001
2016-11-30 15:48:06 | Signatures | Detect | bchrs25 | 14.139.185.66:TCP(50852) | 10.11.32.74:TCP(52526) | 1141015150 | OpenSSL DTLS SRTP Extension Parsing Denial of Service | Misc | All | All | 22 | 07001
2016-11-30 15:48:06 | Signatures | Detect | bchrs25 | 14.139.185.66:TCP(50852) | 10.11.32.74:TCP(52526) | 1141015170 | OpenSSL Invalid Session Ticket Denial of Service | Misc | All | All | 22 | 07001
2016-11-30 15:48:06 | Signatures | Detect | stamp103 | 14.139.185.66:TCP(46031) | 10.11.40.100:TCP(61731) | 1141015170 | OpenSSL Invalid Session Ticket Denial of Service | Misc | All | All | 22 | 07001
2016-11-30 15:48:06 | Signatures | Detect | geoms204 | 14.139.185.66:TCP(57315) | 10.11.200.3:TCP(2772) | 1141015170 | OpenSSL Invalid Session Ticket Denial of Service | Misc | All | All | 22 | 07001
2016-11-30 15:48:06 | Signatures | Detect | ecors06 | 14.139.185.66:TCP(40863) | 10.11.203.21:TCP(60797) | 1141015150 | OpenSSL DTLS SRTP Extension Parsing Denial of Service | Misc | All | All | 22 | 07001


  • I'm noticing this as well, IPS sig version 3.13.17, sfos 16.01.2. My users haven't noticed any blocked sites, but I see hundreds of these logged daily in my firewall dashboard. I don't think it has to do with sfos 16.01.2 since I just updated to that yesterday and it was logging this prior to then. I'm guessing the IPS signature started detecting this, but I'm not sure when it started.

    Did you ever start a ticket with support? I may open one as well, but since I haven't had any user complaints, I haven't made it a priority.
