Model: SG230
Firmware: 9.601-5
Current pattern version: 162349
Starting at about 1:30PM EDT, today, our Sophos UTM 9 started blocking "SENSITIVE-DATA Credit Card Numbers" via IPS. This device has been running for over three years with IPS set up and we never had an issue with this. This is our PCI environment and we do collect credit card numbers via SSL on the edge via HAProxy (offloading SSL) and then fire back to an internal HAProxy over port 80 (not encrypted) which then forwards to a Universal Payment Provider application which fires back out through a Squid Proxy to a payment provider (all SSL again).
While it would be more secure to re-encrypt the requests to the internal backends, there really has not been a need since this is a totally isolated environment with no user access (except for me of course). Not wanting to get into a security best practices discussion at this time but be aware that this environment has passed 3 PCI DSS Level 1 audits without issue since all internal servers are sufficiently hardened and monitored. Testing does include Internal Penetration Testing.
My question here is if anyone else has seen this happen today (May 29th, 2019). I essentially had to disable IPS on the Sophos to start accepting payments again but don't like that other intrusion prevention is disabled as well.
I had IPS enabled with the two existing internal networks (CDZ and DMZ) and only added exceptions for my Penetration Testers.
Here is a typical log message (redacted):
2019:05:29-13:54:54 tds-pci-mas snort[9430]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="drop" reason="SENSITIVE-DATA Credit Card Numbers" group="500" srcip="172.X.X.52" dstip="172.X.X.203" proto="6" srcport="57220" dstport="80" sid="2" class="Sensitive Data was Transmitted Across the Network" priority="2" generator="138" msgid="0.
I suppose I could create an exception to not inspect anything from DMZ to CDZ and vice versa but not really understanding why this happened today out of the blue. Any help would be appreciated as I really don't want to keep IPS turned off.
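As an added example (not from the original post, nor Sophos or Snort code), a small parser for the key="value" IPS log format quoted above that counts only the drops raised by Snort's sensitive_data preprocessor (generator 138) per flow, so the exact DMZ-to-CDZ path being blocked can be confirmed from the logs before any exception is written. The sample lines, hostname and 172.16.x.x addresses are constructed placeholders.

```python
import re
from collections import Counter
from typing import Dict, Optional

# Constructed sample in the key="value" format of the Sophos UTM IPS log quoted
# in the post. Hostname and 172.16.x.x addresses are placeholders, not real hosts.
SAMPLE_LOG = """\
2019:05:29-13:54:54 tds-pci-mas snort[9430]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="drop" reason="SENSITIVE-DATA Credit Card Numbers" group="500" srcip="172.16.1.52" dstip="172.16.2.203" proto="6" srcport="57220" dstport="80" sid="2" class="Sensitive Data was Transmitted Across the Network" priority="2" generator="138" msgid="0"
2019:05:29-13:55:10 tds-pci-mas snort[9430]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="drop" reason="SENSITIVE-DATA Credit Card Numbers" group="500" srcip="172.16.1.52" dstip="172.16.2.203" proto="6" srcport="57231" dstport="80" sid="2" class="Sensitive Data was Transmitted Across the Network" priority="2" generator="138" msgid="0"
2019:05:29-13:56:02 tds-pci-mas snort[9430]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="drop" reason="SERVER-WEBAPP placeholder rule" group="500" srcip="10.0.0.9" dstip="172.16.2.203" proto="6" srcport="40000" dstport="80" sid="99999" class="Web Application Attack" priority="1" generator="1" msgid="0"
"""

HEADER_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<proc>\w+)\[(?P<pid>\d+)\]: ")
# Only fully quoted pairs match, so a truncated trailing field (as in the post's
# cut-off msgid) is skipped instead of breaking the parse.
KV_RE = re.compile(r'(\w+)="([^"]*)"')


def parse_ips_line(line: str) -> Optional[Dict[str, str]]:
    """Split one UTM IPS line into header fields plus its key="value" pairs."""
    m = HEADER_RE.match(line)
    if not m:
        return None
    fields = m.groupdict()
    fields.update(KV_RE.findall(line[m.end():]))
    return fields


def is_sensitive_data_drop(rec: Dict[str, str]) -> bool:
    """True for drops raised by Snort's sensitive_data preprocessor (GID 138)."""
    return (rec.get("sub") == "ips" and rec.get("action") == "drop"
            and rec.get("generator") == "138")


def summarize_drops(log_text: str) -> Counter:
    """Count GID-138 drops per (reason, srcip, dstip, dstport) so the blocked
    flow can be identified before an IPS exception is scoped to it."""
    counts: Counter = Counter()
    for line in log_text.splitlines():
        rec = parse_ips_line(line)
        if rec and is_sensitive_data_drop(rec):
            counts[(rec["reason"], rec["srcip"], rec["dstip"], rec["dstport"])] += 1
    return counts


if __name__ == "__main__":
    for (reason, src, dst, port), n in summarize_drops(SAMPLE_LOG).most_common():
        print(f"{n:4d}  {reason}  {src} -> {dst}:{port}")
```

Run against the real UTM IPS log (not the constructed sample) to see which source/destination pairs the sensitive-data rule is actually dropping; a drop count that appears only after the pattern update narrows the cause to the new ruleset rather than a change in traffic.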