Hi,
I have problems with IPS in the UTM: the UTM handles IPsec traffic with Veeam Backup and Replication, and triggers this:
Hi Martin,
Very interesting. Do you know if that concerned only the IPS exception, or maybe the TCP/UDP SYN flood exception also?
greets
zaphod
___________________________________________
Home: Zotac CI321 (8GB RAM / 120GB SSD) with latest Sophos UTM
Work: 2 SG430 Cluster / many other models like SG105/SG115/SG135/SG135w/...
Hey guys,
Before I create a new topic I will add my question here, because it should fit.
We have the same issue, which seems a bit weird. The configuration is for me really easy to understand, but it doesn't work.
Our example:
2020:05:13-10:55:36 sophos-1 ulogd[29081]: id="2105" severity="info" sys="SecureNet" sub="ips" name="UDP flood detected" action="UDP flood" fwrule="60013" initf="eth1" srcmac="Extern MAC" dstmac="Our MAC" srcip="Extern Public IP" dstip="Our Public IP" proto="17" length="132" tos="0x00" prec="0x00" ttl="59" srcport="691" dstport="27270"
In Short:
[...]name="UDP flood detected" [...] srcip="Extern Public IP" dstip="Our Public IP" [..] srcport="691" dstport="27270"
So for my understanding I have to set a rule like:
--------------------------------------------------------------------------------------------
Action -> Skip UDP Flood Protection
Coming from these source... -> Extern Public IP
AND
Going to these destination... -> Our Public IP (Tried without this, too)
AND
Using these services -> 691
---------------------------------------------------------------------------------------------
For my understanding it's exactly what the IPS tends to block. But it doesn't seem to get any better.
When I now add the "destination port" 27270, it starts to work. But the problem is that in some cases the destination port can vary.
Is that behaviour correctly "by design", that it only works when adding source "and" destination ports?
Thanks.
Flo
Hallo Flo,
It looks like you need a single, new Service definition like msexch-routing response = UDP 691->1:65535.
Did that work for you?
Cheers - Bob
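To make Flo's log line and Bob's suggested service definition concrete, here is an added Python example (not code from the thread or from Sophos). It parses the ulogd key="value" format quoted above and models an IPS flood-protection exception as "source IP AND service", where a UDP service is a source-port range plus a destination-port range written in the UTM's `low:high` notation. The matching model, the sample log lines (with documentation IPs and made-up MACs in place of the redacted values) and the function names are all assumptions for illustration; they are not a description of how the UTM evaluates exceptions internally.

```python
import re
from dataclasses import dataclass
from typing import Iterable

# Constructed samples modelled on the ulogd line quoted in the thread.
# IPs are documentation addresses and MACs are invented; the second line only
# differs in dstport, to show the "destination port can vary" case.
SAMPLE_LOGS = [
    '2020:05:13-10:55:36 sophos-1 ulogd[29081]: id="2105" severity="info" sys="SecureNet" '
    'sub="ips" name="UDP flood detected" action="UDP flood" fwrule="60013" initf="eth1" '
    'srcmac="00:11:22:33:44:55" dstmac="66:77:88:99:aa:bb" srcip="198.51.100.10" '
    'dstip="203.0.113.5" proto="17" length="132" tos="0x00" prec="0x00" ttl="59" '
    'srcport="691" dstport="27270"',
    '2020:05:13-10:55:37 sophos-1 ulogd[29081]: id="2105" severity="info" sys="SecureNet" '
    'sub="ips" name="UDP flood detected" action="UDP flood" fwrule="60013" initf="eth1" '
    'srcmac="00:11:22:33:44:55" dstmac="66:77:88:99:aa:bb" srcip="198.51.100.10" '
    'dstip="203.0.113.5" proto="17" length="132" tos="0x00" prec="0x00" ttl="59" '
    'srcport="691" dstport="31001"',
]

KV_RE = re.compile(r'(\w+)="([^"]*)"')


def parse_ulogd(line: str) -> dict:
    """Split one UTM ulogd line into its key="value" fields; the leading token is the timestamp."""
    fields = dict(KV_RE.findall(line))
    fields["timestamp"] = line.split(" ", 1)[0]
    return fields


@dataclass(frozen=True)
class PortRange:
    low: int
    high: int

    @classmethod
    def parse(cls, text: str) -> "PortRange":
        # Accept "691" (single port) or "1:65535" (range), as in UTM service definitions.
        if ":" in text:
            lo, hi = text.split(":", 1)
            return cls(int(lo), int(hi))
        return cls(int(text), int(text))

    def contains(self, port: int) -> bool:
        return self.low <= port <= self.high


@dataclass(frozen=True)
class UdpService:
    """A UDP service definition: source-port range -> destination-port range."""
    name: str
    src: PortRange
    dst: PortRange

    def matches(self, event: dict) -> bool:
        # proto 17 is UDP; both port ranges must contain the logged ports.
        return (
            event.get("proto") == "17"
            and self.src.contains(int(event["srcport"]))
            and self.dst.contains(int(event["dstport"]))
        )


def exception_applies(event: dict, source_ips: set, services: Iterable[UdpService]) -> bool:
    """Assumed exception model: the flood event is skipped when source IP AND a service match."""
    return event["srcip"] in source_ips and any(s.matches(event) for s in services)


def uncovered_flood_events(lines: Iterable[str], source_ips: set, services: Iterable[UdpService]) -> list:
    """Return the dstports of 'UDP flood detected' events a given exception would NOT cover."""
    services = list(services)
    leftover = []
    for line in lines:
        ev = parse_ulogd(line)
        if ev.get("name") != "UDP flood detected":
            continue
        if not exception_applies(ev, source_ips, services):
            leftover.append(ev["dstport"])
    return leftover


# Flo's first attempt: service "691" means destination port 691 (source defaults to 1:65535).
FLO_SERVICE = UdpService("udp-691", PortRange.parse("1:65535"), PortRange.parse("691"))
# Bob's suggestion: source port 691, any destination port.
BOB_SERVICE = UdpService("msexch-routing response", PortRange.parse("691"), PortRange.parse("1:65535"))
PEER = {"198.51.100.10"}

if __name__ == "__main__":
    print("Flo's definition leaves uncovered:", uncovered_flood_events(SAMPLE_LOGS, PEER, [FLO_SERVICE]))
    print("Bob's definition leaves uncovered:", uncovered_flood_events(SAMPLE_LOGS, PEER, [BOB_SERVICE]))
```

Run against the two constructed lines, the destination-port-691 definition covers neither event, while the source-port-691 definition covers both, including the one whose destination port changed. That is the point behind Bob's "691->1:65535": the logged `srcport="691"` has to land in the service's source-port field, and the varying `dstport` in the destination range.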
Hey Bob,
I believe I never noticed the exact description of the single entries in a service definition, because "source port" is always fixed to "1:65535" in a new definition. So I didn't care about it, because it works. -.-'
Do you mean (yeah, I know it's what the logging is saying after you gave me the hint xD) that when I switch both entries, it should work?
Hey Martin,
From which log files is that error?
"A Network Trojan was Detected" isn't the kind of warning which you should ignore and easily add an exception for. =/
Sometimes it can help to restart the IPS module, because some exceptions are only applied to new connections, I believe.
Greetings,
Flo
Hi Flo,
From IPS log:
sub="ips"
Triggered Adv. protection alerts
-----
Best regards
Martin
Sophos XGS 2100 @ Home | Sophos v19 Architect