[9.000][OPEN] Truncated downloads when Session exceeded configured max bytes to queue

Hello,
Bob suggested that I report this behaviour in the v9 beta forum.

I noticed that some files (typically large files) were not completely downloaded.

In these cases the IPS log file contains lines like this:

FIREWALL snort[7480]: S5: Session exceeded configured max bytes to queue 1048576 using 1049776 bytes (client queue). MY_PUBLIC_IP 32771 --> 95.101.34.58 80 : LWstate 0x9 LWFlags 0x6007


After the support changed the buffer size of IPS, the issue disappeared. 

bye
eclipse79
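
To find every session that hit the queue limit, the S5 message quoted above can be parsed and grouped by destination. This is an added example, not part of the original post or of the product's tooling: the field layout is inferred from the single log line in the post, the names `parse_s5_line` and `summarize` are hypothetical, and every sample line except the first is constructed.

```python
import re
from collections import defaultdict

# Field layout inferred from the single log line quoted in the post (assumption).
S5_RE = re.compile(
    r"snort\[(?P<pid>\d+)\]: S5: Session exceeded configured max bytes to queue "
    r"(?P<limit>\d+) using (?P<used>\d+) bytes \((?P<side>\w+) queue\)\. "
    r"(?P<src>\S+) (?P<sport>\d+) --> (?P<dst>\S+) (?P<dport>\d+) : "
    r"LWstate (?P<lwstate>0x[0-9a-fA-F]+) LWFlags (?P<lwflags>0x[0-9a-fA-F]+)"
)

def parse_s5_line(line):
    """Return the event as a dict, or None if the line is not an S5 queue-limit message."""
    m = S5_RE.search(line)
    if m is None:
        return None
    ev = m.groupdict()
    for key in ("pid", "limit", "used", "sport", "dport"):
        ev[key] = int(ev[key])
    ev["overshoot"] = ev["used"] - ev["limit"]  # bytes queued beyond the configured cap
    return ev

def summarize(lines):
    """Group events by destination (ip, port): event count and largest overshoot."""
    flows = defaultdict(lambda: {"events": 0, "max_overshoot": 0, "limits": set()})
    for line in lines:
        ev = parse_s5_line(line)
        if ev is None:
            continue  # unrelated log line
        flow = flows[(ev["dst"], ev["dport"])]
        flow["events"] += 1
        flow["max_overshoot"] = max(flow["max_overshoot"], ev["overshoot"])
        flow["limits"].add(ev["limit"])
    return dict(flows)

PREFIX = "FIREWALL snort[7480]: S5: Session exceeded configured max bytes to queue "
TAIL = " : LWstate 0x9 LWFlags 0x6007"
SAMPLE_LOG = [
    # The line quoted in the post.
    PREFIX + "1048576 using 1049776 bytes (client queue). MY_PUBLIC_IP 32771 --> 95.101.34.58 80" + TAIL,
    # Constructed lines (documentation address 198.51.100.20 is a placeholder).
    PREFIX + "1048576 using 1051000 bytes (client queue). MY_PUBLIC_IP 32790 --> 95.101.34.58 80" + TAIL,
    PREFIX + "1048576 using 1048900 bytes (client queue). MY_PUBLIC_IP 40112 --> 198.51.100.20 80" + TAIL,
    "FIREWALL snort[7480]: unrelated constructed message",
]

if __name__ == "__main__":
    for (dst, dport), info in sorted(summarize(SAMPLE_LOG).items()):
        print(f"{dst}:{dport} events={info['events']} max_overshoot={info['max_overshoot']}")
```
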
  • That sounds interesting... Do you have the proxy enabled, and if yes, is it standard or transparent mode?

    Cheers,
    Kai
  • > That sounds interesting... Do you have the proxy enabled, and if yes, is it standard or transparent mode?
    >
    > Cheers,
    > Kai


    Yes Kai, I have the proxy enabled in standard mode. But the more interesting thing is that IPS also broke a download from an interface that isn't protected by IPS. Read this post for more details: http://www.astaro.org/astaro-gateway-products/network-security-firewall-nat-qos-ips/43465-ips-log-files-contains-data-related-non-protected-interfaces.html

    Tell me if you need any other information.

    bye
    eclipse79

    EDIT: IPS truncated the download from a non-protected interface that does not have a web proxy at all. I have a "Wi-Fi emergency interface" that I use when I need to quickly get a page/file that my ASG blocks, so it does not have any protection.
  • So it seems it's not a proxy-related issue, that makes it a bit easier.

    Can you please post the output of `cc get ips`, so I can get an idea of your configuration?

    Additionally, I'd like to have a few of the URLs where you downloaded the large files, so we can try to reproduce it here in the labs.

    Thanks,
    Kai
  • > Can you please post the output of `cc get ips`, so I can get an idea of your configuration?


    Sure!

    ```
    ips = {
              "atcc" => {
                          "status" => 0
                        },
              "dns_servers" => [
                                 "REF_BDYYfMbGxJ"
                               ],
              "exceptions" => [
                                "REF_CBHOqsccJG",
                                "REF_lLMXlcPocS",
                                "REF_rEAHXoCoeo",
                                "REF_FHxSAKxTgX",
                                "REF_vGLrToNOZN"
                              ],
              "groups" => [
                            "REF_IpsOsSpecific",
                            "REF_IpsServerAttacks",
                            "REF_IpsClientAttacks",
                            "REF_IpsProtocolAnomaly",
                            "REF_IpsMalware",
                            "REF_IpsIm",
                            "REF_IpsP2P",
                            "REF_IpsMultimedia",
                            "REF_IpsUserDefined"
                          ],
              "http_servers" => [
                                  "REF_gYOJDuFJXx",
                                  "REF_BDYYfMbGxJ",
                                  "REF_IfBFrgPlln"
                                ],
              "local_networks" => [
                                    "REF_ZEbkNQmuuE",
                                    "REF_DefaultInternalNetwork",
                                    "REF_PbzEyVuMRm"
                                  ],
              "num_instances" => 0,
              "pattern_version" => "u2d-ips-7-247:1335435303",
              "policy" => "drop",
              "rule_modifiers" => [
                                    "REF_gqmZYeYGmw",
                                    "REF_rdIcMywoha",
                                    "REF_cqOOrqiQTY"
                                  ],
              "rules" => [],
              "smtp_servers" => [
                                  "REF_gYOJDuFJXx",
                                  "REF_BDYYfMbGxJ",
                                  "REF_IfBFrgPlln"
                                ],
              "sql_servers" => [
                                 "REF_IfBFrgPlln"
                               ],
              "status" => 1
            }
    ```



    > Additionally, I'd like to have a few of the URLs where you downloaded the large files, so we can try to reproduce it here in the labs.


    Well, when I observed this behaviour it happened in the Microsoft Volume License Service Center, so I cannot give you the exact URLs of the files (it requires a login). I tried 5-6 times to download "Exchange 2010 with SP1". Anyway, I am sure that it is only a matter of statistics: it happens with large files (4-5 GB) only because it is more probable. It also happens (less frequently!!) with small files. For example, I was downloading the Firefox installer when the download from Wi-Fi Emergency failed.
  • Kai, if you want I can give you the complete backup of my ASG.