IPS logs do not contain the rule number

Perhaps you have also noticed: 

  • The IPS GUI requires you to know the IPS rule number.
  • The IPS GUI does not provide a way to browse through the available rules by number and description.
  • The IPS logs do not contain the rule number.
  • Level 1 Support does not know how to determine a rule number from an IPS log.

Seems like the IPS log should include the IPS rule number.   

Please vote for my request to include the rule number in the log

https://ideas.sophos.com/forums/17359-sg-utm/suggestions/32170978-ips-log-files-need-the-ips-rule-id



  • I usually wait until the last response in a thread is over a day old, Doug, but I just happened to see your post and was curious.

    Here's a line from a client's UTM showing the Snort ID:

    2017:11:07-08:35:33 sophos-2 snort[5088]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="drop" reason="BLACKLIST URI - known scanner tool muieblackcat" group="500" srcip="80.211.138.17" dstip="192.168.XXX.12" proto="6" srcport="47044" dstport="80" sid="21257" class="Detection of a Network Scan" priority="3" generator="1" msgid="0"

    Please PM or email me the case # so I can get the message to Support that there's a hole in their knowledge base.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Yes, I stand corrected.

    After I had given up, support came back with this useful link:

    https://lists.astaro.com,

    which includes a link to ASGV9-IPS-rules.html, which contains drill-down information for other links.

    Comparing the data from the logs to this file, the log fields SID and REASON are a matched pair, with SID being the code and REASON being the description text. The log data matches the SID value in the left column of the reference document.

    I wondered if GROUP and CLASS were also a matched pair, but I have multiple class values per group. So I am unclear what Group represents.

    In fairness to support, I don't think they get many calls about log file interpretation, so it took a while for them to get up to speed on my questions.

    I'll try to figure out how to withdraw the idea.

     
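As an added illustration, not code from the thread, from Sophos, or from the linked reference page: the UTM IPS log line Bob quoted is a sequence of key="value" tokens, so pulling out sid and reason and checking them against a SID-to-description table is a few lines of parsing. The first sample line is the one quoted above (destination octet already masked there); the second sample line and the REFERENCE table are constructed stand-ins and are not taken from ASGV9-IPS-rules.html. The last function tests the GROUP/CLASS pairing question raised above by collecting the class values seen per group.

```python
import re
from collections import defaultdict

# Key="value" tokens as written by the UTM snort logger
KV_RE = re.compile(r'(\w+)="([^"]*)"')

# Sample input. The first line is quoted in the thread; the second is a
# constructed line (fake SID, fake reason, RFC 5737 source address).
SAMPLE_LOG = [
    '2017:11:07-08:35:33 sophos-2 snort[5088]: id="2101" severity="warn" sys="SecureNet" sub="ips" '
    'name="Intrusion protection alert" action="drop" reason="BLACKLIST URI - known scanner tool muieblackcat" '
    'group="500" srcip="80.211.138.17" dstip="192.168.XXX.12" proto="6" srcport="47044" dstport="80" '
    'sid="21257" class="Detection of a Network Scan" priority="3" generator="1" msgid="0"',
    '2017:11:07-08:36:10 sophos-2 snort[5088]: id="2101" severity="warn" sys="SecureNet" sub="ips" '
    'name="Intrusion protection alert" action="drop" reason="EXAMPLE constructed signature" '
    'group="500" srcip="198.51.100.7" dstip="192.168.XXX.12" proto="6" srcport="51000" dstport="443" '
    'sid="9999999" class="Attempted Information Leak" priority="2" generator="1" msgid="0"',
]

# Constructed stand-in for the SID -> description reference. Only the first
# entry is confirmed by the quoted log line; the second matches the fake line.
REFERENCE = {
    "21257": "BLACKLIST URI - known scanner tool muieblackcat",
    "9999999": "EXAMPLE constructed signature",
}


def parse_ips_line(line):
    """Return a dict of the key/value fields, or None if the line is not an IPS event."""
    fields = dict(KV_RE.findall(line))
    if fields.get("sub") != "ips":
        return None
    return fields


def rule_lookup(fields, reference=REFERENCE):
    """Return (sid, reason, reference_description, matches) for one parsed event.

    matches is True when the REASON text in the log equals the description the
    reference lists for that SID; False means the reference is missing or stale.
    """
    sid = fields["sid"]
    reason = fields["reason"]
    ref = reference.get(sid)
    return sid, reason, ref, ref == reason


def classes_per_group(lines):
    """Map group -> sorted list of class values seen for it.

    A group with more than one class shows that GROUP and CLASS are not a
    one-to-one pair the way SID and REASON are.
    """
    groups = defaultdict(set)
    for line in lines:
        fields = parse_ips_line(line)
        if fields:
            groups[fields["group"]].add(fields["class"])
    return {g: sorted(c) for g, c in groups.items()}


def summarize(lines, reference=REFERENCE):
    """Parse every IPS line and look up its SID; non-IPS lines are skipped."""
    out = []
    for line in lines:
        fields = parse_ips_line(line)
        if fields:
            out.append(rule_lookup(fields, reference))
    return out


if __name__ == "__main__":
    for sid, reason, ref, ok in summarize(SAMPLE_LOG):
        print(f"sid={sid} reason={reason!r} reference={ref!r} consistent={ok}")
    print(classes_per_group(SAMPLE_LOG))
```

Run against a real /var/log/ips.log the reference dictionary would be populated from the SID and description columns of the downloaded rules page rather than typed in; a False in the last tuple position then flags a SID the reference does not know, which is the case where the rule number alone is what Support needs.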