Snort Exclusion not working

Hi,

 

I am trying to run speedtests via speedtest_cli on one of my boxes to regularly check the actually available speed my ISP provides.

Now the download speed is limited by my Sophos UTM box (9.510-4) by snort going to 100%. If I turn off IPS I get 400 MBit down as expected, with IPS on I am limited to 120MBit.

So since I have absolutely no idea which rule the speedtest triggers (and no idea how to identify it) I wanted to go the easy way and added an exclusion rule for my box (both ways):

Unfortunately despite this my speed is still limited by snort which I can easily verify by turning off IPS again.

Any idea why this would not work? Or an idea how to debug the IPS to find why it won't work? Or how to debug to find the rule that triggers on speedtest so I can turn that off?

 

Many thanks,

regards,

Thomas



  • 1. I recommend PuTTY for ssh using RSA key access.

    2. To get a list of the ten nearest speedtest servers:

    cd /home
    python speedtest.py --list|grep Germany|head

    From here in Oklahoma City, that gives me:

    12235) Schleswiger Stadtwerke GmbH (Schleswig, Germany) [7838.13 km]
     6219) EWE TEL GmbH (Oldenburg, Germany) [7850.76 km]
     4556) TNG Stadtnetz GmbH (Kiel, Germany) [7881.42 km]
     4617) ADDIX Internet Services GmbH (Kiel, Germany) [7881.42 km]
    14722) ServerRISE (Dusseldorf, Germany) [7886.90 km]
     5835) KomMITT Ratingen (Ratingen, Germany) [7886.91 km]
     5146) Consultix (Bremen, Germany) [7886.96 km]
     5747) PLUTEX GmbH (Bremen, Germany) [7886.96 km]
     5733) LWLcom GmbH (Bremen, Germany) [7886.96 km]
    16596) Bremen Briteline GmbH (Bremen, Germany) [7886.96 km]

    Now, go to https://www.speedtestserver.com/ and search for 12235.  That tells me I need a DNS Host for speedtest.schleswiger-stadtwerke.de to add to my Exception.  To run the speedtest against that server, I would do:

    cd /home
    python speedtest.py --server 12235

    3. Agreed, not a good idea to create an Exception for all traffic coming to your public IP - just disable Intrusion Prevention to accomplish that.

    4. Make an Exception for traffic going to your speedtest client and add the Host object for your client to the Source box in Transparent Mode Skiplist.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • BRILLIANT !!!

    I never would have found that (the skiplist) - actually had to look up where to find it... I have (wrongly it seems) handled all my exceptions with (tagged) Proxy exceptions or Filter actions ...

     

    Many, many thanks for the help :)

     

    BR Thomas