Guest User!

You are not Sophos Staff.

Thread Info
  • State Verified Answer
  • Locked Locked
  • Replies 7 replies
  • Subscribers 26 subscribers
  • Views 8461 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Slow websites turns out IPS drops

waghelak
Since moving from UTM noticed pages either loaded slowly or not at all. Just noticed drops in IPS logs. I tried to allow the signature but seems I need to allow or disable all within the group and not individual ones. Any ideas on when it will be fixed? Thanks


This thread was automatically locked due to age.
Parents Reply Children
  • 0 in reply to waghelak

    see  below some of the logs which happens mainly when trying to video on bbc via the iPhone or going to main bbc sports site.

     

    2016-12-07 22:00:01
    Signatures
    Drop
    -
    205.185.208.154 :TCP(80)
    192.168.0.236 :TCP(56304)
    1140311081
    Microsoft Windows DirectShow JPEG Double Free
    Operating System and Services
    Windows
    Client
    8
    07002
    Open PCAP
    2016-12-07 20:53:45
    Signatures
    Detect
    -
    173.194.3.110 :TCP(443)
    172.16.0.202 :TCP(60821)
    2601617
    SSL Request Export Ciphersuite Detection
    Browsers
    BSD,Linux,Mac,Solaris,Unix,Windows
    Client,Server
    8
    07001
    Open PCAP
    2016-12-07 20:49:20
    Signatures
    Detect
    -
    173.194.20.230 :TCP(443)
    172.16.0.202 :TCP(60677)
    2601617
    SSL Request Export Ciphersuite Detection
    Browsers
    BSD,Linux,Mac,Solaris,Unix,Windows
    Client,Server
    8
    07001
    Open PCAP
    2016-12-07 19:20:38
    Signatures
    Detect
    -
    209.85.230.25 :TCP(443)
    172.16.0.202 :TCP(60297)
    2601627
    SSL Request Export Ciphersuite Detection
    Browsers
    Windows
    Client,Server
    8
    07001
    Open PCAP
    2016-12-07 16:37:33
    Signatures
    Drop
    -
    23.67.146.178 :TCP(80)
    192.168.0.236 :TCP(55216)
    7000176
    Microsoft Internet Explorer and Edge CVE-2016-0157 Memory Corruption Vulnerability
    Browsers
    Windows
    Client
    8
    07002
    Open PCAP
    2016-12-07 16:30:31
    Signatures
    Drop
    -
    23.67.146.178 :TCP(80)
    192.168.0.236 :TCP(55084)
    7000176
    Microsoft Internet Explorer and Edge CVE-2016-0157 Memory Corruption Vulnerability
    Browsers
    Windows
    Client
    8
    07002
    Open PCAP
    2016-12-07 16:30:17
    Signatures
    Drop
    -
    23.67.146.178 :TCP(80)
    192:TCP(55060)
    7000176
    Microsoft Internet Explorer and Edge CVE-2016-0157 Memory Corruption Vulnerability
    Browsers
    Windows
    Client
    8
    07002
    Open PCAP
    2016-12-07 16:28:38
    Signatures
    Drop
    -
    23.67.146.178 :TCP(80)
    192.168.0.236 :TCP(55025)
    7000176
    Microsoft Internet Explorer and Edge CVE-2016-0157 Memory Corruption Vulnerability
    Browsers
    Windows
    Client
    8
    07002
    Open PCAP

  • 0 in reply to waghelak
    Hi all Any ideas how to resolve this issue? I wouldn't want to turn off IPS or be forced to go back to UTM. Is there a way to allow just one signature from a group as currently I can't do that as it is impacting the whole group. Thanks
  • 0 in reply to waghelak

    Kuna,

    send me a PM and I will try to help you.

    Regards,

    Luk

  • +1 in reply to lferrara

    Kuna,

    as I explained XG uses snort as IPS which is a signature based so false-positive and false-negative can occur.

    We cannot edit LAN to WAN IPS policy, so creating a clone of it did the trick. Inside the new ips policy, you can add at the top signatures that can be bypassed.

    Regards,

  • 0 in reply to lferrara
    Thanks Luk once again. I appreciate all the help you gave this evening and showing me on how I could bypass the individual signatures without impacting the other signatures in the group.