Tuning the volume of notifications (specifically WARN-856)

Hi,

can the volume of notifications, specifically for port scans [WARN-856], be tuned somehow?

It simply makes no sense to receive a hundred-odd e-mails in one minute about this.

Regards, Marc



  • Hello Marc,

    (Sorry, my German-speaking brain isn't creating thoughts at the moment. [:(])

    Yeah, this had really gotten painful for one site at one of my clients.  It's mostly attacks from what I assume is Chinese military hackers looking for any way to infiltrate.  Just for fun (and at no charge), I made a Network Group "All Portscanners" containing the subnets of IPs that have scanned this site.  I made a port scanning Exception for the members of this group and created a firewall Reject rule for them so that the traffic would be blocked silently and that the bad guys would get a slap in the face.

    That group is up to 49 subnets.  In the first three days of October, 1004 offending packets were rejected.  Now, I add one Network a week to the Group as opposed to one or two a day as I did when I first started in mid-July.

    August was the biggest month for rejections with over 22K packets rejected and just short of 9K in September.

    I suspect the Reject rule resulted in many new portscanning attacks from other subnets controlled by the same bad guys, so you may just want to use a Drop rule instead.

    Best regards - Bob (Please continue in German.)

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
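As an added illustration of the approach in Bob's reply (this is example code written for this page, not anything from the thread or from Sophos): instead of one mail per detected scan, the script below collapses alerts into one digest per source subnet and time window, and lists the subnets that keep coming back from several hosts, which is the kind of membership you would put into a network group like "All Portscanners" and attach to a Drop rule. The alert line format, the `WARN-856` marker in it, the RFC 5737 addresses and the thresholds are all constructed assumptions; a real UTM notification mail or log line would need its own regex.

```python
"""Collapse a flood of port-scan alerts into per-subnet digests.

Added example, not code from the thread or from Sophos. The alert line format
is constructed for illustration; real UTM notification mails and logs differ
and would need their own regex.
"""
import ipaddress
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample alerts: one line per detected scan (RFC 5737 addresses).
SAMPLE_ALERTS = """\
2023-10-02T10:15:01 WARN-856 portscan src=198.51.100.7 dst=203.0.113.5 ports=22,80,443
2023-10-02T10:15:03 WARN-856 portscan src=198.51.100.9 dst=203.0.113.5 ports=21,22,23
2023-10-02T10:15:04 WARN-856 portscan src=198.51.100.7 dst=203.0.113.5 ports=3389,445
2023-10-02T10:15:30 WARN-856 portscan src=198.51.100.200 dst=203.0.113.5 ports=8080
2023-10-02T10:16:10 WARN-856 portscan src=192.0.2.44 dst=203.0.113.5 ports=22
2023-10-02T11:40:00 WARN-856 portscan src=198.51.100.7 dst=203.0.113.5 ports=25
not an alert line at all
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) WARN-856 portscan src=(?P<src>[\d.]+) "
    r"dst=(?P<dst>[\d.]+) ports=(?P<ports>[\d,]+)$"
)


def parse_alerts(text):
    """Parse alert lines into dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        events.append({
            "ts": datetime.fromisoformat(m["ts"]),
            "src": ipaddress.ip_address(m["src"]),
            "dst": m["dst"],
            "ports": {int(p) for p in m["ports"].split(",")},
        })
    return events


def digest(events, prefix=24, window_minutes=10):
    """One summary per (source subnet, time window) instead of one per scan.

    window_minutes must divide 60 so that windows align to the clock.
    """
    assert 60 % window_minutes == 0
    buckets = defaultdict(lambda: {"events": 0, "hosts": set(), "ports": set()})
    for ev in events:
        net = ipaddress.ip_network(f"{ev['src']}/{prefix}", strict=False)
        start = ev["ts"].replace(
            minute=(ev["ts"].minute // window_minutes) * window_minutes,
            second=0, microsecond=0)
        b = buckets[(net, start)]
        b["events"] += 1
        b["hosts"].add(ev["src"])
        b["ports"] |= ev["ports"]
    summaries = [
        {"subnet": net, "window_start": start, **b}
        for (net, start), b in buckets.items()
    ]
    # Busiest buckets first, then by subnet and time for a stable order.
    summaries.sort(key=lambda s: (-s["events"], s["subnet"], s["window_start"]))
    return summaries


def propose_block_group(events, prefix=24, min_events=3, min_hosts=2):
    """Subnets that scanned repeatedly from several hosts: candidates for a
    scanner network group that a firewall Drop rule can reference.
    Thresholds are assumptions; tune them to your own alert volume."""
    per_net = defaultdict(lambda: {"events": 0, "hosts": set()})
    for ev in events:
        net = ipaddress.ip_network(f"{ev['src']}/{prefix}", strict=False)
        per_net[net]["events"] += 1
        per_net[net]["hosts"].add(ev["src"])
    return sorted(
        str(net) for net, c in per_net.items()
        if c["events"] >= min_events and len(c["hosts"]) >= min_hosts
    )


if __name__ == "__main__":
    evs = parse_alerts(SAMPLE_ALERTS)
    for s in digest(evs):
        print(f"{s['window_start']:%H:%M} {s['subnet']} "
              f"scans={s['events']} hosts={len(s['hosts'])} "
              f"ports={sorted(s['ports'])}")
    print("candidate group members:", propose_block_group(evs))
```

On the six constructed alerts this yields three digests instead of six mails, and only 198.51.100.0/24 clears the thresholds; `prefix=32` gives per-host digests if you would rather not block whole subnets. Whether the matching rule should Reject or Drop is the point Bob raises above: Drop gives the scanner no response to react to.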