Guest User!

You are not Sophos Staff.

Thread Info
  • State Verified Answer
  • +1 person also asked this people also asked this
  • Locked Locked
  • Replies 3 replies
  • Subscribers 27 subscribers
  • Views 10733 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Attacks Detected And Allowed - Why would they be allowed in the first place

NashBrydges

So I finally got all of my firewall rules and IPS policies setup and when I looked at the Control Center this morning, I noticed a few Network Attacks registered. There were 2 attacks that Sophos XG shows "Attacks detected and allowed". If they are attacks, why are they allowed?

Looking at the IPS policy that's attached to this firewall rule, the default action is "allow". It was for "Microsoft CVE-2016-3382" and "SSL Request Export Cyphersuite Detection" and are listed as critical and moderate, respectively. Why would the default action be to allow this? Should I simply change the IPS policy from using recommended action to drop all?



This thread was automatically locked due to age.
Parents
  • 0

    Nash,

    pay attention with the Action performed on IPS rule. There can be cases where an attack is a false positive, so on XG you need to allow the packet.

    I am also having SSL Request Export Cyphersuite Detection....

    Regards

  • 0 in reply to lferrara

    Thanks Luk. I'm definitely not an expert in determining whether an attack is a true positive or a false positive so I assume it is safe to keep the "recommended" action for each type of attack? I'm not sure how I would even to begin to understand true vs false positive.

  • +1 in reply to NashBrydges

    Patterns are updated regularly so false-positive are removed. Unless you do not have an issue on surfing on a website, traffic blocked, etc... and the cause is the IPS, leave the action as recommended.

    To be more efficient on IPS usage, more knowledges and time are required.

    Regards

Reply
  • +1 in reply to NashBrydges

    Patterns are updated regularly so false-positive are removed. Unless you do not have an issue on surfing on a website, traffic blocked, etc... and the cause is the IPS, leave the action as recommended.

    To be more efficient on IPS usage, more knowledges and time are required.

    Regards

Children
No Data