IPS Just started Blocking Credit Card Numbers

Model: SG230
Firmware:  9.601-5
Current pattern version: 162349

Starting at about 1:30PM EDT today, our Sophos UTM 9 started blocking "SENSITIVE-DATA Credit Card Numbers" via IPS. This device has been running for over three years with IPS set up and we never had an issue with this. This is our PCI environment and we do collect credit card numbers via SSL on the edge via HAProxy (offloading SSL) and then fire back to an internal HAProxy over port 80 (not encrypted), which then forwards to a Universal Payment Provider application, which fires back out through a Squid Proxy to a payment provider (all SSL again).

While it would be more secure to re-encrypt the requests to the internal backends, there really has not been a need since this is a totally isolated environment with no user access (except for me of course). Not wanting to get into a security best practices discussion at this time but be aware that this environment has passed 3 PCI DSS Level 1 audits without issue since all internal servers are sufficiently hardened and monitored. Testing does include Internal Penetration Testing.

My question here is if anyone else has seen this happen today (May 29th, 2019). I essentially had to disable IPS on the Sophos to start accepting payments again but don't like that other intrusion prevention is disabled as well.

I had IPS enabled with the two existing internal networks (CDZ and DMZ) and only added exceptions for my Penetration Testers.

Here is a typical log message (redacted)

2019:05:29-13:54:54 tds-pci-mas snort[9430]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="drop" reason="SENSITIVE-DATA Credit Card Numbers" group="500" srcip="172.X.X.52" dstip="172.X.X.203" proto="6" srcport="57220" dstport="80" sid="2" class="Sensitive Data was Transmitted Across the Network" priority="2" generator="138" msgid="0.

I suppose I could create an exception to not inspect anything from DMZ to CDZ and vice versa, but I'm not really understanding why this happened today out of the blue. Any help would be appreciated as I really don't want to keep IPS turned off.



  • This looks like when it happened ...

    2019:05:29-13:33:13 tds-pci-mas auisys[9242]: Starting installing up2date packages for type 'ipsbundle2'
    2019:05:29-13:33:13 tds-pci-mas auisys[9242]: Installing up2date package: /var/up2date/ipsbundle2/u2d-ipsbundle2-9.200.tgz.gpg
    2019:05:29-13:33:13 tds-pci-mas auisys[9242]: Verifying up2date package signature
    2019:05:29-13:33:14 tds-pci-mas auisys[9242]: Unpacking installation instructions
    2019:05:29-13:33:14 tds-pci-mas auisys[9242]: parsing installation instructions
    2019:05:29-13:33:14 tds-pci-mas auisys[9242]: Unpacking up2date package container
    2019:05:29-13:33:14 tds-pci-mas auisys[9242]: Running pre-installation checks
    2019:05:29-13:33:14 tds-pci-mas auisys[9242]: Starting up2date package installation
    2019:05:29-13:33:26 tds-pci-mas auisys[9242]: id="371Z" severity="info" sys="system" sub="up2date" name="Successfully installed Up2Date package" status="success" action="install" package_version="9.200" package="ipsbundle2"
    2019:05:29-13:33:26 tds-pci-mas auisys[9242]: [INFO-306] New Pattern Up2Dates installed
    2019:05:29-13:33:27 tds-pci-mas auisys[9242]: Up2Date Package Installer finished, exiting
    2019:05:29-13:33:27 tds-pci-mas auisys[9242]: id="3716" severity="info" sys="system" sub="up2date" name="Up2Date Package Installer finished, exiting"
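The original post and the reply above put two pieces of evidence side by side: snort drops with generator="138" sid="2" and an auisys up2date install of ipsbundle2 9.200 about twenty minutes earlier. The following is an added example, not code from the thread or from Sophos, that parses the key="value" fields of both log types and reports how many of those drops fall after the last successful ipsbundle2 install, which talkers they involve, and when the first one occurred, so the onset of the blocks can be tied to the pattern update before IPS is switched off. The sample log is constructed here and modelled on the redacted lines in the thread; the 172.16.0.x and 192.0.2.x addresses, the first alert's rule name and the exact timestamps are placeholders.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample of UTM system log lines modelled on the snort and auisys
# entries quoted in this thread. Addresses and the first alert's rule name are
# placeholders, not real data.
SAMPLE_LOG = """\
2019:05:29-13:20:41 tds-pci-mas snort[9430]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="drop" reason="CONSTRUCTED unrelated rule" group="500" srcip="192.0.2.10" dstip="172.16.0.203" proto="6" srcport="40000" dstport="80" sid="1234" class="Constructed sample" priority="2" generator="1" msgid="0"
2019:05:29-13:33:13 tds-pci-mas auisys[9242]: Starting installing up2date packages for type 'ipsbundle2'
2019:05:29-13:33:26 tds-pci-mas auisys[9242]: id="371Z" severity="info" sys="system" sub="up2date" name="Successfully installed Up2Date package" status="success" action="install" package_version="9.200" package="ipsbundle2"
2019:05:29-13:54:54 tds-pci-mas snort[9430]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="drop" reason="SENSITIVE-DATA Credit Card Numbers" group="500" srcip="172.16.0.52" dstip="172.16.0.203" proto="6" srcport="57220" dstport="80" sid="2" class="Sensitive Data was Transmitted Across the Network" priority="2" generator="138" msgid="0"
2019:05:29-13:55:10 tds-pci-mas snort[9430]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="drop" reason="SENSITIVE-DATA Credit Card Numbers" group="500" srcip="172.16.0.53" dstip="172.16.0.203" proto="6" srcport="57221" dstport="80" sid="2" class="Sensitive Data was Transmitted Across the Network" priority="2" generator="138" msgid="0"
"""

# "YYYY:MM:DD-HH:MM:SS host process[pid]: message" as the UTM writes it.
LINE_RE = re.compile(
    r'^(?P<ts>\d{4}:\d{2}:\d{2}-\d{2}:\d{2}:\d{2}) (?P<host>\S+) '
    r'(?P<proc>[A-Za-z0-9_]+)\[\d+\]: (?P<msg>.*)$'
)
# The structured part of a message is a run of key="value" pairs.
KV_RE = re.compile(r'(\w+)="([^"]*)"')


def parse_line(line):
    """Return a dict of timestamp, process and any key="value" fields, or None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = {
        "ts": datetime.strptime(m.group("ts"), "%Y:%m:%d-%H:%M:%S"),
        "proc": m.group("proc"),
        "msg": m.group("msg"),
    }
    rec.update(dict(KV_RE.findall(m.group("msg"))))
    return rec


def parse_log(text):
    return [r for r in (parse_line(l) for l in text.splitlines()) if r]


def pattern_installs(records, package="ipsbundle2"):
    """Successful up2date installs of the given pattern package."""
    return [r for r in records
            if r["proc"] == "auisys"
            and r.get("package") == package
            and r.get("status") == "success"]


def ips_drops(records, generator="138", sid="2"):
    """IPS drops for one rule; generator 138 / sid 2 is the credit-card hit in the thread."""
    return [r for r in records
            if r["proc"] == "snort"
            and r.get("action") == "drop"
            and r.get("generator") == generator
            and r.get("sid") == sid]


def correlate(text):
    """Split the drops for the rule into before/after the last pattern install."""
    recs = parse_log(text)
    installs = pattern_installs(recs)
    drops = ips_drops(recs)
    if not installs or not drops:
        return None
    last = max(installs, key=lambda r: r["ts"])
    after = [d for d in drops if d["ts"] >= last["ts"]]
    return {
        "pattern": last["package_version"],
        "installed_at": last["ts"],
        "drops_before": len(drops) - len(after),
        "drops_after": len(after),
        "first_drop_after": min((d["ts"] for d in after), default=None),
        # (srcip, dstip, dstport) of every post-install drop: the flows an
        # exception or rule disable would have to cover.
        "talkers": Counter((d["srcip"], d["dstip"], d["dstport"]) for d in after),
    }


if __name__ == "__main__":
    result = correlate(SAMPLE_LOG)
    print(f"ipsbundle2 {result['pattern']} installed at {result['installed_at']}")
    print(f"drops before install: {result['drops_before']}, after: {result['drops_after']}")
    print(f"first drop after install: {result['first_drop_after']}")
    for (src, dst, port), n in result["talkers"].items():
        print(f"  {src} -> {dst}:{port}  x{n}")
```

Run it against the real /var/log/system.log (or a `grep -E 'auisys|snort'` extract of it) instead of SAMPLE_LOG: zero drops before the install and a cluster immediately after it is the signature of a pattern regression rather than a change in the traffic, and the talkers list shows whether the hits are confined to the expected HAProxy-to-application flow on port 80 before any exception is written.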

  • This is a very bizarre pattern issue as our Apple TVs in the office are triggering this issue... I can't think of any sort of traffic they'd be sending that could be called credit card numbers.

  • Thanks for posting. As usual the community provided better support on this issue than Sophos Support (not on premium support, though). I disabled Rule 2 as suggested in the KB article and also verified that the patterns had been rolled back ...

    Current status

    Dev had rolled back IPSBundle to the previous pattern (IPSBundle 9.199). Once the UTM picks up the new pattern (within 15 mins) it should not encounter this issue anymore. The "fixed" pattern version is 9-201.

    Verified

    tds-pci-mas:/root # rpm -qa | grep ipsbundle2
    u2d-ipsbundle2-9-201