Blackhole route for IP, still having portscan alerts

Hi,

I get more and more frequent portscan alerts running for multiple hours.

I would like to block them manually on an IP basis.

I created a network group populated with bad IP addresses and implemented this as a blackhole route, but I am still having the portscan alerts.

Am I missing something?



This thread was automatically locked due to age.
  • Additionally, add the badguys group to the IPS exceptions for portscans.

    I prefer a blackhole DNAT because a blackhole route does not catch access to local services.

  • Isn't routing the 1st process?

    I also tried the DNAT solution, natting destination to 240.0.0.0, but still had portscan events.

  • Hi Geert,

    Alerts are generated because of the configured portscan settings in UTM:  Network Security -> Intrusion Protection -> Anti-Portscan Detection.

    Limit Logging - Enable this option to limit logging. A portscan detection can generate many logs while a portscan is being carried out. Selecting this option will restrict logging to five lines per second. Click Apply to save the settings.

    Thanks

    Sachin Gurung
    Team Lead | Sophos Technical Support

  • Hi,

    I understand where the e-mail alerts come from and I have activated the log restriction.

    Anyhow, sometimes we get massive port scanning from 1 IP during a very long period of time.

    What I would like is to maintain a blacklist of IPs whose traffic is immediately dropped (no processing), as such generating no alerts / events.

    I hope this clarifies my question.

  • Hi Geert,

    The priority of the Intrusion Prevention module comes before DNAT, i.e., the pre-routing IP table. Hence, a packet arriving on the UTM interface will be checked by Intrusion Prevention and an alert will be generated before the traffic is mapped towards the blackhole. That is because of the architectural behavior. Here we are not actually dropping (blackholing) the traffic; instead, we are mapping the traffic towards a non-existing IP address.

    Hope that helps.

    Sachin Gurung
    Team Lead | Sophos Technical Support
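As an added illustration (not code from the thread or from Sophos), a toy Python model of the processing order described above: IPS inspection runs in pre-routing before DNAT and routing, so a blackhole route or blackhole DNAT alone still produces the portscan alert, while also adding the source to the portscan exceptions (as suggested earlier in the thread) suppresses it. The addresses, packet list and threshold are constructed for the example.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample traffic: one source probing 40 distinct ports on a
# host behind the UTM, plus a benign client making three HTTPS connections.
PACKETS = [("203.0.113.7", p) for p in range(20, 60)] + [("192.0.2.5", 443)] * 3

# Assumed detector setting: alert once a source has touched this many ports.
PORTSCAN_THRESHOLD = 30


class Utm:
    """Toy model of the order the thread describes: IPS first, then DNAT/route."""

    def __init__(self, blackhole_nets=(), ips_exceptions=()):
        self.blackhole = [ip_network(n) for n in blackhole_nets]
        self.ips_exceptions = [ip_network(n) for n in ips_exceptions]
        self.ports_seen = defaultdict(set)   # source -> distinct dst ports
        self.alerts = []                     # sources that triggered an alert
        self.forwarded = 0                   # packets that reached routing

    def _ips(self, src, port):
        # Stage 1: Anti-Portscan Detection, skipped only for exception entries.
        if any(ip_address(src) in n for n in self.ips_exceptions):
            return
        self.ports_seen[src].add(port)
        if len(self.ports_seen[src]) == PORTSCAN_THRESHOLD:
            self.alerts.append(src)

    def _dnat_and_route(self, src):
        # Stage 2: blackhole DNAT/route maps the traffic to nowhere, but the
        # packet has already been inspected by the time it gets here.
        if any(ip_address(src) in n for n in self.blackhole):
            return
        self.forwarded += 1

    def process(self, packets):
        for src, port in packets:
            self._ips(src, port)
            self._dnat_and_route(src)
        return len(self.alerts), self.forwarded


def blackhole_only():
    """Blackhole for the scanner: traffic goes nowhere, alert still fires."""
    return Utm(blackhole_nets=["203.0.113.7/32"]).process(PACKETS)


def blackhole_plus_ips_exception():
    """Same blackhole plus an IPS portscan exception: no alert at all."""
    return Utm(blackhole_nets=["203.0.113.7/32"],
               ips_exceptions=["203.0.113.7/32"]).process(PACKETS)
```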
