Snort Exclusion not working

Question

Hi, 
 
 I am trying to run speedtests via speedtest_cli on one of my boxes to regularly check the actually available speed my ISP provides. 
 Now the download speed is limited by my Sophos UTM box (9.510-4) by snort going to 100%. If I turn off IPS I get 400 MBit down as expected, with IPS on I am limited to 120MBit. 
 So since I have absolutely no idea which rule the speedtest triggers (and no idea how to identify it) I wanted to go the easy way and added an exclusion rule for my box (both ways): 
 
 Unfortunately despite this my speed is still limited by snort which I can easily verify by turning off IPS again. 
 Any idea why this would not work? Or an idea how to debug the IPS to find why it won't work? Or how to debug to find the rule that triggers on speedtest so I can turn that off? 
 
 Many hanks, 
 regards, 
 Thomas

BAlfson · Accepted Answer

1. I recommend putty for ssh using RSA key access. 
 2. To get a list of the ten nearest speedtest servers: 
 cd /home python speedtest.py --list|grep Germany|head 
 From here in Oklahoma City, that gives me: 
 12235 ) Schleswiger Stadtwerke GmbH (Schleswig, Germany) [7838.13 km] 6219) EWE TEL GmbH (Oldenburg, Germany) [7850.76 km] 4556) TNG Stadtnetz GmbH (Kiel, Germany) [7881.42 km] 4617) ADDIX Internet Services GmbH (Kiel, Germany) [7881.42 km] 14722) ServerRISE (Dusseldorf, Germany) [7886.90 km] 5835) KomMITT Ratingen (Ratingen, Germany) [7886.91 km] 5146) Consultix (Bremen, Germany) [7886.96 km] 5747) PLUTEX GmbH (Bremen, Germany) [7886.96 km] 5733) LWLcom GmbH (Bremen, Germany) [7886.96 km] 16596) Bremen Briteline GmbH (Bremen, Germany) [7886.96 km] 
 Now, go to https://www.speedtestserver.com/ and search for 12235 . That tells me I need a DNS Host for speedtest.schleswiger-stadtwerke.de to add to my Exception. To run the speedtest against that server, I would do: 
 cd /home python speedtest.py --server 12235 
 3. Agreed, not a good idea to create an Exception for all traffic coming to your public IP - just disable Intrusion Prevention to accomplish that. 
 4. Make an Exception for traffic going to your speedtest client and add the Host object for your client to the Source box in Transparent Mode Skiplist. 
 Cheers - Bob

LuCar Toni · Answer

Your Exception is incorrect. 
 Check out the Online Help: 
 Note &ndash; If you want to make an intrusion prevention exception for packets with the destination address of the gateway, selecting Any in the Destinations box will not succeed. You must instead select a definition that contains the gateway's IP address, for example the Internal (Address) or the external WAN address. 
 Note &ndash; If you use a Sophos UTM proxy, an intrusion prevention exception has to reflect this: A proxy replaces the original source address of a packet with its own address. Thus, to except intrusion prevention for proxied packets, you need to add the appropriate interface address definition of Sophos UTM to the source Networks box. 
 
 Basically you are using ANY because it is Server to Any or Any to Server.