
[9.185][BUG] Many Suspicious TCP state log entries

I've configured a Proxy Profile for Android phones with transparent scanning and no HTTPS scanning. My firewall log shows many Suspicious TCP state entries. See the following extract:
Same result if I use the Lync client on my notebook with the same scan settings.
 

17:44:40 Suspicious TCP state TCP 192.168.24.69:40437 → 173.194.70.188:5228 [ACK PSH] len=145 ttl=63 tos=0x00 srcmac=1c:7b:21:9d:7c:53 dstmac=0:15:5d:18:3:1b
17:44:50 Suspicious TCP state TCP 192.168.24.69:37988 → 173.252.79.23:443 [ACK PSH] len=245 ttl=63 tos=0x00 srcmac=1c:7b:21:9d:7c:53 dstmac=0:15:5d:18:3:1b
17:44:52 Suspicious TCP state TCP 192.168.24.69:43438 → 173.194.112.67:443 [ACK] len=52 ttl=63 tos=0x00 srcmac=1c:7b:21:9d:7c:53 dstmac=0:15:5d:18:3:1b
17:44:52 Suspicious TCP state TCP 192.168.24.69:42822 → 173.194.112.67:443 [ACK] len=52 ttl=63 tos=0x00 srcmac=1c:7b:21:9d:7c:53 dstmac=0:15:5d:18:3:1b
17:44:52 Suspicious TCP state TCP 192.168.24.69:43438 → 173.194.112.67:443 [ACK] len=64 ttl=63 tos=0x00 srcmac=1c:7b:21:9d:7c:53 dstmac=0:15:5d:18:3:1b
17:44:52 Suspicious TCP state TCP 192.168.24.69:42822 → 173.194.112.67:443 [ACK] len=64 ttl=63 tos=0x00 srcmac=1c:7b:21:9d:7c:53 dstmac=0:15:5d:18:3:1b
17:44:52 Suspicious TCP state TCP 192.168.24.69:43438 → 173.194.112.67:443 [ACK] len=64 ttl=63 tos=0x00 srcmac=1c:7b:21:9d:7c:53 dstmac=0:15:5d:18:3:1b
17:44:53 Suspicious TCP state TCP 192.168.24.69:40321 → 173.252.79.23:443 [ACK PSH] len=245 ttl=63 tos=0x00 srcmac=1c:7b:21:9d:7c:53 dstmac=0:15:5d:18:3:1b
17:44:54 Suspicious TCP state TCP 192.168.24.69:37988 → 173.252.79.23:443 [RST] len=40 ttl=63 tos=0x00 srcmac=1c:7b:21:9d:7c:53 dstmac=0:15:5d:18:3:1b
17:44:54 Suspicious TCP state TCP 192.168.24.69:37988 → 173.252.79.23:443 [RST] len=40 ttl=63 tos=0x00 srcmac=1c:7b:21:9d:7c:53 dstmac=0:15:5d:18:3:1b

 
The Lync client often disconnects the connection if I use non-HTTPS scanning. With "URL Filtering only", the client seems to work without disconnections.
 
regards
mod
  • UTM 9.200 Soft-Released Fresh install
    This rpm seems to work, no more VPN disconnects. But the log is filling up with the entries listed below and keeps growing.
    Don't know if this happened before or after the patch, but I did a scan with nmap and it reported 3 open ports; see this post:
    https://community.sophos.com/products/unified-threat-management/astaroorg/f/81/t/65649

    2014:02:27-14:57:52 AYALl ulogd[2840]: id="2012" severity="info" sys="SecureNet" sub="packetfilter" name="strict TCP state" action="strict TCP state" fwrule="60009" outitf="eth1" srcmac="x:xx:xx:xx:xx:xx" srcip="174.xx.xx.xx.xx" dstip="64.191.223.35" proto="6" length="52" tos="0x00" prec="0x00" ttl="64" srcport="50029" dstport="80" tcpflags="ACK PSH FIN" 

    2014:02:27-14:57:54 AYALl ulogd[2840]: id="2012" severity="info" sys="SecureNet" sub="packetfilter" name="strict TCP state" action="strict TCP state" fwrule="60009" outitf="eth1" srcmac="x:xx:xx:xx:xx:xx" srcip="174.xx.xx.xx.xx" dstip="64.191.223.35" proto="6" length="52" tos="0x00" prec="0x00" ttl="64" srcport="50029" dstport="80" tcpflags="ACK PSH FIN"
     
    2014:02:27-14:57:56 AYALl ulogd[2840]: id="2012" severity="info" sys="SecureNet" sub="packetfilter" name="strict TCP state" action="strict TCP state" fwrule="60009" outitf="eth1" srcmac="x:xx:xx:xx:xx:xx" srcip="174.xx.xx.xx.xx" dstip="64.191.223.35" proto="6" length="52" tos="0x00" prec="0x00" ttl="64" srcport="50029" dstport="80" tcpflags="ACK PSH FIN" 

    2014:02:27-14:57:59 AYALl ulogd[2840]: id="2012" severity="info" sys="SecureNet" sub="packetfilter" name="strict TCP state" action="strict TCP state" fwrule="60009" outitf="eth1" srcmac="x:xx:xx:xx:xx:xx" srcip="174.xx.xx.xx.xx" dstip="64.191.223.35" proto="6" length="52" tos="0x00" prec="0x00" ttl="64" srcport="50029" dstport="80" tcpflags="ACK PSH FIN" 

    2014:02:27-14:58:07 AYALl ulogd[2840]: id="2012" severity="info" sys="SecureNet" sub="packetfilter" name="strict TCP state" action="strict TCP state" fwrule="60009" outitf="eth1" srcmac="x:xx:xx:xx:xx:xx" srcip="174.xx.xx.xx.xx" dstip="64.191.223.35" proto="6" length="52" tos="0x00" prec="0x00" ttl="64" srcport="50029" dstport="80" tcpflags="ACK PSH FIN" 

    2014:02:27-15:00:55 AYALl ulogd[2840]: id="2012" severity="info" sys="SecureNet" sub="packetfilter" name="strict TCP state" action="strict TCP state" fwrule="60009" initf="eth1.115" mark="0x40000" srcmac="x:xx:xx:xx:xx:xx" dstmac="x:xx:xx:xx:xx:xx" srcip="172.xx.xx.xx.xx" dstip="23.193.202.247" proto="6" length="52" tos="0x00" prec="0x00" ttl="64" srcport="62713" dstport="443" tcpflags="ACK FIN" 

    2014:02:27-15:00:55 AYALl ulogd[2840]: id="2012" severity="info" sys="SecureNet" sub="packetfilter" name="strict TCP state" action="strict TCP state" fwrule="60009" initf="eth1.115" mark="0x40000" srcmac="x:xx:xx:xx:xx:xx" dstmac="x:xx:xx:xx:xx:xx" srcip="172.xx.xx.xx.xx" dstip="54.219.160.92" proto="6" length="52" tos="0x00" prec="0x00" ttl="64" srcport="62703" dstport="443" tcpflags="ACK FIN" 

    2014:02:27-15:00:58 AYALl ulogd[2840]: id="2012" severity="info" sys="SecureNet" sub="packetfilter" name="strict TCP state" action="strict TCP state" fwrule="60009" initf="eth1.115" mark="0x40000" srcmac="x:xx:xx:xx:xx:xx" dstmac="x:xx:xx:xx:xx:xx" srcip="172.xx.xx.xx.xx" dstip="54.219.160.92" proto="6" length="52" tos="0x00" prec="0x00" ttl="64" srcport="62703" dstport="443" tcpflags="ACK FIN" 

    2014:02:27-15:00:58 AYALl ulogd[2840]: id="2012" severity="info" sys="SecureNet" sub="packetfilter" name="strict TCP state" action="strict TCP state" fwrule="60009" initf="eth1.115" mark="0x40000" srcmac="x:xx:xx:xx:xx:xx" dstmac="x:xx:xx:xx:xx:xx" srcip="172.xx.xx.xx.xx" dstip="50.18.217.218" proto="6" length="52" tos="0x00" prec="0x00" ttl="64" srcport="62702" dstport="443" tcpflags="ACK FIN" 

    2014:02:27-15:00:59 AYALl ulogd[2840]: id="2012" severity="info" sys="SecureNet" sub="packetfilter" name="strict TCP state" action="strict TCP state" fwrule="60009" initf="eth1.115" mark="0x40000" srcmac="x:xx:xx:xx:xx:xx" dstmac="x:xx:xx:xx:xx:xx" srcip="172.xx.xx.xx.xx" dstip="23.193.202.247" proto="6" length="52" tos="0x00" prec="0x00" ttl="64" srcport="62713" dstport="443" tcpflags="ACK FIN"
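    An added example, not from this thread or from Sophos: a small Python triage script for the ulogd key="value" lines quoted above. It parses each record, groups the id="2012" (strict TCP state) entries by connection 4-tuple and lists the flows that repeat most, which is the first thing to look at when this log starts growing. The sample records are constructed from the lines in the post (masked addresses kept as posted); the log id and field names are the ones that appear there.

```python
import re
from collections import defaultdict

# Constructed sample: ulogd "strict TCP state" records copied from the post
# above (masked addresses kept as posted) plus one line that is not ulogd output.
SAMPLE_LOG = [
    '2014:02:27-14:57:52 AYALl ulogd[2840]: id="2012" severity="info" sys="SecureNet" sub="packetfilter" name="strict TCP state" action="strict TCP state" fwrule="60009" outitf="eth1" srcmac="x:xx:xx:xx:xx:xx" srcip="174.xx.xx.xx.xx" dstip="64.191.223.35" proto="6" length="52" tos="0x00" prec="0x00" ttl="64" srcport="50029" dstport="80" tcpflags="ACK PSH FIN"',
    '2014:02:27-14:57:54 AYALl ulogd[2840]: id="2012" severity="info" sys="SecureNet" sub="packetfilter" name="strict TCP state" action="strict TCP state" fwrule="60009" outitf="eth1" srcmac="x:xx:xx:xx:xx:xx" srcip="174.xx.xx.xx.xx" dstip="64.191.223.35" proto="6" length="52" tos="0x00" prec="0x00" ttl="64" srcport="50029" dstport="80" tcpflags="ACK PSH FIN"',
    '2014:02:27-14:57:56 AYALl ulogd[2840]: id="2012" severity="info" sys="SecureNet" sub="packetfilter" name="strict TCP state" action="strict TCP state" fwrule="60009" outitf="eth1" srcmac="x:xx:xx:xx:xx:xx" srcip="174.xx.xx.xx.xx" dstip="64.191.223.35" proto="6" length="52" tos="0x00" prec="0x00" ttl="64" srcport="50029" dstport="80" tcpflags="ACK PSH FIN"',
    '2014:02:27-15:00:55 AYALl ulogd[2840]: id="2012" severity="info" sys="SecureNet" sub="packetfilter" name="strict TCP state" action="strict TCP state" fwrule="60009" initf="eth1.115" mark="0x40000" srcmac="x:xx:xx:xx:xx:xx" dstmac="x:xx:xx:xx:xx:xx" srcip="172.xx.xx.xx.xx" dstip="23.193.202.247" proto="6" length="52" tos="0x00" prec="0x00" ttl="64" srcport="62713" dstport="443" tcpflags="ACK FIN"',
    '2014:02:27-15:00:55 AYALl ulogd[2840]: id="2012" severity="info" sys="SecureNet" sub="packetfilter" name="strict TCP state" action="strict TCP state" fwrule="60009" initf="eth1.115" mark="0x40000" srcmac="x:xx:xx:xx:xx:xx" dstmac="x:xx:xx:xx:xx:xx" srcip="172.xx.xx.xx.xx" dstip="54.219.160.92" proto="6" length="52" tos="0x00" prec="0x00" ttl="64" srcport="62703" dstport="443" tcpflags="ACK FIN"',
    '2014:02:27-15:00:59 AYALl ulogd[2840]: id="2012" severity="info" sys="SecureNet" sub="packetfilter" name="strict TCP state" action="strict TCP state" fwrule="60009" initf="eth1.115" mark="0x40000" srcmac="x:xx:xx:xx:xx:xx" dstmac="x:xx:xx:xx:xx:xx" srcip="172.xx.xx.xx.xx" dstip="23.193.202.247" proto="6" length="52" tos="0x00" prec="0x00" ttl="64" srcport="62713" dstport="443" tcpflags="ACK FIN"',
    'this line is not a ulogd record',
]

# "<timestamp> <host> ulogd[<pid>]: " followed by key="value" pairs.
PREFIX_RE = re.compile(r'^(\S+) (\S+) ulogd\[\d+\]: ')
KV_RE = re.compile(r'(\w+)="([^"]*)"')


def parse_line(line):
    """Return the record's fields as a dict, or None if it is not ulogd output."""
    m = PREFIX_RE.match(line)
    if m is None:
        return None
    rec = {"ts": m.group(1), "host": m.group(2)}
    rec.update(KV_RE.findall(line[m.end():]))
    return rec


def summarize(lines, log_id="2012"):
    """Group records with the given id by 4-tuple; count repeats, collect flags."""
    flows = defaultdict(lambda: {"count": 0, "flags": set(),
                                 "syn_seen": False, "first": None, "last": None})
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec.get("id") != log_id:
            continue
        f = flows[(rec["srcip"], rec["srcport"], rec["dstip"], rec["dstport"])]
        f["count"] += 1
        f["flags"].add(rec["tcpflags"])
        # No SYN among the logged segments: the firewall only saw the tail of
        # a connection it holds no state for (e.g. FIN/ACK retransmissions).
        f["syn_seen"] = f["syn_seen"] or "SYN" in rec["tcpflags"].split()
        f["first"] = f["first"] or rec["ts"]
        f["last"] = rec["ts"]
    return dict(flows)


def noisy_flows(flows, min_count=3):
    """4-tuples logged at least min_count times, busiest first."""
    keys = [k for k, f in flows.items() if f["count"] >= min_count]
    return sorted(keys, key=lambda k: -flows[k]["count"])


if __name__ == "__main__":
    flows = summarize(SAMPLE_LOG)
    for k in noisy_flows(flows, min_count=1):
        f = flows[k]
        print(k, f["count"], sorted(f["flags"]), f["first"], "->", f["last"])
```

    Point it at /var/log/packetfilter.log (the UTM path for this log, an assumption here) with `summarize(open(path))` to see which flows produce the repeats; in the sample the 50029 → 64.191.223.35:80 flow is the same ACK PSH FIN segment retransmitted three times in four seconds.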
  • Hi Knome,
    Could you please give us more details about the features enabled:
    1. HTTP and HTTPS features
    2. User-defined firewall rules
    3. Masquerading and NAT rules
    4. SSL VPN rule features
    Without understanding your setup, I will be unable to reproduce the scenario.
    More specifically, send us the iptables entries.

    Best Regards,
    Yash