Slow websites turn out to be IPS drops

Since moving from UTM I have noticed that pages either load slowly or not at all. I just noticed drops in the IPS logs. I tried to allow the signature, but it seems I need to allow or disable all of the signatures within the group and not individual ones. Any ideas on when this will be fixed? Thanks


  • Kunal,

    can you share some IPS log lines and which websites (for example) are very slow or fail to load?

    Thanks

  • I am out at present, so I will need to share the logs tomorrow. Mainly the BBC Sport main link fails (intermittently), and any BBC site which has a video on it fails to load. Thanks
  • See below some of the logs, which happen mainly when trying to watch video on BBC via the iPhone or going to the main BBC Sport site.

    Time                | Type       | Action | User | Source                   | Destination               | Sig ID     | Signature                                                                          | Category                      | Platform                           | Target        | Severity | Rule
    --------------------|------------|--------|------|--------------------------|---------------------------|------------|------------------------------------------------------------------------------------|-------------------------------|------------------------------------|---------------|----------|------
    2016-12-07 22:00:01 | Signatures | Drop   | -    | 205.185.208.154 :TCP(80) | 192.168.0.236 :TCP(56304) | 1140311081 | Microsoft Windows DirectShow JPEG Double Free                                      | Operating System and Services | Windows                            | Client        | 8        | 07002
    2016-12-07 20:53:45 | Signatures | Detect | -    | 173.194.3.110 :TCP(443)  | 172.16.0.202 :TCP(60821)  | 2601617    | SSL Request Export Ciphersuite Detection                                           | Browsers                      | BSD,Linux,Mac,Solaris,Unix,Windows | Client,Server | 8        | 07001
    2016-12-07 20:49:20 | Signatures | Detect | -    | 173.194.20.230 :TCP(443) | 172.16.0.202 :TCP(60677)  | 2601617    | SSL Request Export Ciphersuite Detection                                           | Browsers                      | BSD,Linux,Mac,Solaris,Unix,Windows | Client,Server | 8        | 07001
    2016-12-07 19:20:38 | Signatures | Detect | -    | 209.85.230.25 :TCP(443)  | 172.16.0.202 :TCP(60297)  | 2601627    | SSL Request Export Ciphersuite Detection                                           | Browsers                      | Windows                            | Client,Server | 8        | 07001
    2016-12-07 16:37:33 | Signatures | Drop   | -    | 23.67.146.178 :TCP(80)   | 192.168.0.236 :TCP(55216) | 7000176    | Microsoft Internet Explorer and Edge CVE-2016-0157 Memory Corruption Vulnerability | Browsers                      | Windows                            | Client        | 8        | 07002
    2016-12-07 16:30:31 | Signatures | Drop   | -    | 23.67.146.178 :TCP(80)   | 192.168.0.236 :TCP(55084) | 7000176    | Microsoft Internet Explorer and Edge CVE-2016-0157 Memory Corruption Vulnerability | Browsers                      | Windows                            | Client        | 8        | 07002
    2016-12-07 16:30:17 | Signatures | Drop   | -    | 23.67.146.178 :TCP(80)   | 192:TCP(55060)            | 7000176    | Microsoft Internet Explorer and Edge CVE-2016-0157 Memory Corruption Vulnerability | Browsers                      | Windows                            | Client        | 8        | 07002
    2016-12-07 16:28:38 | Signatures | Drop   | -    | 23.67.146.178 :TCP(80)   | 192.168.0.236 :TCP(55025) | 7000176    | Microsoft Internet Explorer and Edge CVE-2016-0157 Memory Corruption Vulnerability | Browsers                      | Windows                            | Client        | 8        | 07002
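
The log viewer export above arrives as one field per line, so working out which signatures actually block traffic (as opposed to only detecting it) is easier with a small script. This is an added example, not code from the thread or from Sophos; it assumes the 14-field order seen in the pasted block and copies four of those entries as sample input:

```python
"""Added example (not Sophos code): group the IPS log block pasted above by
signature, Drop events only, to see which individual signatures need a bypass
entry in a cloned LAN-to-WAN IPS policy. One field per line, 14 per event."""
from collections import defaultdict

FIELDS = ("time", "category", "action", "user", "server", "client", "sig_id",
          "sig_name", "sig_category", "platform", "target", "severity",
          "rule_id", "pcap_link")

def parse_events(text: str) -> list:
    """Split a flat one-field-per-line dump into one dict per event."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    n = len(FIELDS)
    if len(lines) % n:
        raise ValueError(f"expected a multiple of {n} lines, got {len(lines)}")
    events = []
    for i in range(0, len(lines), n):
        ev = dict(zip(FIELDS, lines[i:i + n]))
        ev["server"] = ev["server"].split(" :")[0]  # drop the " :TCP(80)" suffix
        events.append(ev)
    return events

def drops_by_signature(events: list) -> dict:
    """sig_id -> name, drop count and the remote servers the IPS blocked."""
    out = defaultdict(lambda: {"name": "", "drops": 0, "servers": set()})
    for ev in events:
        if ev["action"] != "Drop":  # Detect-only entries do not break pages
            continue
        s = out[ev["sig_id"]]
        s["name"], s["drops"] = ev["sig_name"], s["drops"] + 1
        s["servers"].add(ev["server"])
    return dict(out)

# Four events copied from the block above, in the same 14-line shape
SAMPLE = "\n".join([
    "2016-12-07 22:00:01", "Signatures", "Drop", "-", "205.185.208.154 :TCP(80)",
    "192.168.0.236 :TCP(56304)", "1140311081", "Microsoft Windows DirectShow JPEG Double Free",
    "Operating System and Services", "Windows", "Client", "8", "07002", "Open PCAP",
    "2016-12-07 20:53:45", "Signatures", "Detect", "-", "173.194.3.110 :TCP(443)",
    "172.16.0.202 :TCP(60821)", "2601617", "SSL Request Export Ciphersuite Detection",
    "Browsers", "BSD,Linux,Mac,Solaris,Unix,Windows", "Client,Server", "8", "07001", "Open PCAP",
    "2016-12-07 16:37:33", "Signatures", "Drop", "-", "23.67.146.178 :TCP(80)",
    "192.168.0.236 :TCP(55216)", "7000176",
    "Microsoft Internet Explorer and Edge CVE-2016-0157 Memory Corruption Vulnerability",
    "Browsers", "Windows", "Client", "8", "07002", "Open PCAP",
    "2016-12-07 16:30:31", "Signatures", "Drop", "-", "23.67.146.178 :TCP(80)",
    "192.168.0.236 :TCP(55084)", "7000176",
    "Microsoft Internet Explorer and Edge CVE-2016-0157 Memory Corruption Vulnerability",
    "Browsers", "Windows", "Client", "8", "07002", "Open PCAP",
])
```

Running `drops_by_signature(parse_events(SAMPLE))` on the sample lists only 1140311081 and 7000176, the two signatures that dropped traffic to the BBC hosts, while the Detect-only SSL entries are left out.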

  • Hi all, any ideas how to resolve this issue? I wouldn't want to turn off IPS or be forced to go back to UTM. Is there a way to allow just one signature from a group? Currently I can't do that, as it impacts the whole group. Thanks
  • Kunal,

    send me a PM and I will try to help you.

    Regards,

    Luk

  • Kunal,

    as I explained, XG uses Snort as its IPS, which is signature based, so false positives and false negatives can occur.

    We cannot edit the LAN to WAN IPS policy, so creating a clone of it did the trick. Inside the new IPS policy, you can add at the top the signatures that can be bypassed.

    Regards,

  • Thanks Luk once again. I appreciate all the help you gave this evening and showing me how I could bypass the individual signatures without impacting the other signatures in the group.