IPS Just started Blocking Credit Card Numbers

Model: SG230
Firmware:  9.601-5
Current pattern version: 162349

Starting at about 1:30 PM EDT today, our Sophos UTM 9 started blocking "SENSITIVE-DATA Credit Card Numbers" via IPS. This device has been running for over three years with IPS set up and we never had an issue with this. This is our PCI environment and we do collect credit card numbers via SSL on the edge via HAProxy (offloading SSL) and then fire back to an internal HAProxy over port 80 (not encrypted), which then forwards to a Universal Payment Provider application, which fires back out through a Squid Proxy to a payment provider (all SSL again).

While it would be more secure to re-encrypt the requests to the internal backends, there really has not been a need, since this is a totally isolated environment with no user access (except for me, of course). I'm not wanting to get into a security best practices discussion at this time, but be aware that this environment has passed 3 PCI DSS Level 1 audits without issue, since all internal servers are sufficiently hardened and monitored. Testing does include internal penetration testing.

My question here is if anyone else has seen this happen today (May 29th, 2019). I essentially had to disable IPS on the Sophos to start accepting payments again but don't like that other intrusion prevention is disabled as well.

I had IPS enabled with the two existing internal networks (CDZ and DMZ) and only added exceptions for my Penetration Testers.

Here is a typical log message (redacted):

2019:05:29-13:54:54 tds-pci-mas snort[9430]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="drop" reason="SENSITIVE-DATA Credit Card Numbers" group="500" srcip="172.X.X.52" dstip="172.X.X.203" proto="6" srcport="57220" dstport="80" sid="2" class="Sensitive Data was Transmitted Across the Network" priority="2" generator="138" msgid="0.

I suppose I could create an exception to not inspect anything from DMZ to CDZ and vice versa, but I'm not really understanding why this happened today out of the blue. Any help would be appreciated, as I really don't want to keep IPS turned off.
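Before deciding on an exception, it helps to know exactly which flows the IPS is dropping and under which rule, so that a narrow exception (or a re-encryption fix) covers only those flows and the rest of the IPS stays active. The following is an added example, not code from the post or from Sophos: it parses Sophos UTM 9 IPS log lines in the format shown above, keeps only drops from generator 138 (Snort's sensitive_data preprocessor; sid 2 matches the "SENSITIVE-DATA Credit Card Numbers" reason in the log, and is presumably the "rule 2" the later replies disable), and aggregates them by source, destination and destination port. The sample log lines are constructed for this example, with made-up addresses in place of the thread's redacted 172.X.X.x values and a made-up non-sensitive-data alert to show that other IPS events are left alone.

```python
import re
from collections import Counter

# Constructed sample of Sophos UTM 9 IPS (snort) log lines in the same format as
# the redacted line in the post. Addresses, the "alert"-only line and the
# EXAMPLE-RULE line are made up for this example; the thread redacts its IPs.
SAMPLE_LOG = """\
2019:05:29-13:54:54 tds-pci-mas snort[9430]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="drop" reason="SENSITIVE-DATA Credit Card Numbers" group="500" srcip="172.16.1.52" dstip="172.16.2.203" proto="6" srcport="57220" dstport="80" sid="2" class="Sensitive Data was Transmitted Across the Network" priority="2" generator="138" msgid="0"
2019:05:29-13:55:02 tds-pci-mas snort[9430]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="drop" reason="SENSITIVE-DATA Credit Card Numbers" group="500" srcip="172.16.1.52" dstip="172.16.2.203" proto="6" srcport="57221" dstport="80" sid="2" class="Sensitive Data was Transmitted Across the Network" priority="2" generator="138" msgid="0"
2019:05:29-13:55:09 tds-pci-mas snort[9430]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="alert" reason="SENSITIVE-DATA Credit Card Numbers" group="500" srcip="172.16.2.203" dstip="172.16.3.10" proto="6" srcport="41002" dstport="3128" sid="2" class="Sensitive Data was Transmitted Across the Network" priority="2" generator="138" msgid="0"
2019:05:29-13:56:11 tds-pci-mas snort[9430]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="drop" reason="EXAMPLE-RULE made-up signature" group="500" srcip="10.9.8.7" dstip="172.16.1.52" proto="6" srcport="50000" dstport="443" sid="1000001" class="Attempted Information Leak" priority="2" generator="1" msgid="0"
2019:05:29-13:56:20 tds-pci-mas ulogd[1234]: not an IPS line, should be ignored
"""

# Snort generator id of the sensitive_data preprocessor, as seen in the log above.
SENSITIVE_DATA_GID = "138"

# "<timestamp> <host> snort[<pid>]: " prefix, followed by key="value" pairs.
PREFIX_RE = re.compile(r'^(\S+) (\S+) snort\[\d+\]: ')
KV_RE = re.compile(r'(\w+)="([^"]*)"')


def parse_ips_line(line):
    """Return the log line's fields as a dict, or None if it is not an IPS line."""
    m = PREFIX_RE.match(line)
    if not m:
        return None
    fields = dict(KV_RE.findall(line[m.end():]))
    fields["timestamp"] = m.group(1)
    fields["host"] = m.group(2)
    return fields


def is_sensitive_data_drop(event):
    """True only for packets actually dropped by the sensitive_data preprocessor.

    Events from other generators (regular IPS signatures) and alert-only events
    are excluded, so the output reflects what is breaking traffic, not what is
    merely being logged.
    """
    return event.get("generator") == SENSITIVE_DATA_GID and event.get("action") == "drop"


def dropped_flows(log_text):
    """Count sensitive-data drops per (srcip, dstip, proto, dstport) flow.

    Ephemeral source ports are deliberately ignored so that repeated
    transactions over the same service collapse into one candidate flow.
    """
    counts = Counter()
    for line in log_text.splitlines():
        event = parse_ips_line(line)
        if event is not None and is_sensitive_data_drop(event):
            key = (event["srcip"], event["dstip"], event["proto"], event["dstport"])
            counts[key] += 1
    return counts


def exception_candidates(log_text):
    """Flows to consider for a narrow IPS exception, most-dropped first."""
    return sorted(dropped_flows(log_text).items(), key=lambda kv: -kv[1])


if __name__ == "__main__":
    for (src, dst, proto, dport), n in exception_candidates(SAMPLE_LOG):
        print(f"{n:4d} drops  {src} -> {dst} proto {proto} dport {dport}")
```

Run against the appliance's IPS log (for example the output of `zcat` over the day's rotated log piped into `dropped_flows`), the aggregated list shows whether every drop is the expected plaintext hop (edge HAProxy to internal HAProxy on port 80) or whether card data is also appearing on links that should already be encrypted; the latter would be a finding in its own right rather than a false positive.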

  • Thanks for posting. As usual the community provided better support on this issue than Sophos Support (not on premium support, though). I disabled Rule 2 as suggested in the KB article and also verified that the patterns had been rolled back ...

    Current status

    Dev had rolled back IPSBundle to the previous pattern (IPSBundle 9.199). Once the UTM picks up the new pattern (within 15 mins) it should not encounter this issue anymore. The "fixed" pattern version is 9-201.

    Verified

    tds-pci-mas:/root # rpm -qa | grep ipsbundle2
    u2d-ipsbundle2-9-201
  • I disabled my workaround earlier (at the time of my last post) and haven't had any unexpected blockages since, so it appears the 9.201 package has done the trick. Thanks everybody!

  • Thanks Chris,

    I have yet to remove the workaround for rule #2 but will likely do so based on your response. I lost several hundred CC payment transactions yesterday and was bombarded by service desk tickets until I finally noticed the emails from my appliance stating the obvious. I was actually looking at the firewall live logs and just happened to notice a strange record pass by related to a suspicious packet being blocked, so that led me back to the IPS, which I disabled promptly. I'm happy that we had a workaround, which I implemented at about 3:00 AM this morning, and happy that we have a pattern fix, but I'm leaving my rule #2 disabled just in case it sneaks back in later.

    I too appreciate the quick response (as always) I get from the Community. Thanks to everyone that participated.

  • Update 5-30-2019
    Sophos has rolled back the IPSBundle to the previous pattern (IPSBundle 9.199). The fixed pattern version is 9-201.
    Users should verify that their UTM has updated to this new pattern.

    To verify that the UTM has the correct ipsbundle2 version:

    • rpm -qa | grep ipsbundle2
      u2d-ipsbundle2-9-201

    Reference: https://community.sophos.com/kb/en-us/134163


    Florentino
    Director, Global Community & Digital Support