
Skype block stops rsync, too

Hi,
We are using the rsync protocol to replicate all data from our sites.
If we enable application control to drop all Skype users in our network, will rsync be detected as Skype and dropped?

Thank you.
Michael

rsync: read error: Connection reset by peer (104)
rsync error: error in rsync protocol data stream (code 12) at io.c(769) [Receiver=3.0.7]


  • Which version are you running?
  • Also, please post the relevant entries from the IPS log (don't use the Live Log, it's condensed).

    Barry
  • Thank you, here is the log:
    Firmware version:  9.004-33 
    Pattern version:  39260 


    2012:11:29-13:23:09 asg afcd[26002]: loaded plugin '/var/sec/chroot-afc/lib/afc/vineyard.so'
    2012:11:29-13:23:09 asg afcd[26002]: _afc_cfg_file_plugin_parse: 721 protocols registered
    2012:11:29-13:23:09 asg afcd[26008]: AFC ready.
    2012:11:29-13:24:34 asg ulogd[4275]: id="2019" severity="info" sys="SecureNet" sub="packetfilter" name="AFC Block" action="drop" fwrule="1" outitf="eth2.132" mark="0x1c0" app="448" srcmac="0:20:e3:7:cd:d1" srcip="100.100.99.20" dstip="145.23.17.11" proto="6" length="48" tos="0x00" prec="0x00" ttl="127" srcport="3486" dstport="888" tcpflags="ACK PSH"
    2012:11:29-13:25:06 asg ulogd[4275]: id="2019" severity="info" sys="SecureNet" sub="packetfilter" name="AFC Block" action="drop" fwrule="1" outitf="eth4.129" mark="0x1c0" app="448" srcmac="0:20:e3:7:cd:d3" srcip="100.100.99.20" dstip="145.23.17.18" proto="6" length="48" tos="0x00" prec="0x00" ttl="127" srcport="3499" dstport="873" tcpflags="ACK PSH"
    2012:11:29-13:26:19 asg ulogd[4275]: id="2019" severity="info" sys="SecureNet" sub="packetfilter" name="AFC Block" action="drop" fwrule="1" outitf="eth1" mark="0x21c0" app="448" srcmac="0:20:e3:7:cd:d0" srcip="15.5.138.17" dstip="82.238.243.41" proto="6" length="194" tos="0x00" prec="0x00" ttl="64" srcport="48579" dstport="443" tcpflags="ACK PSH"


    I also have another issue:
    There must be a new pattern release for the IPS:
    the traffic from our Citrix gateway V5 (http) is being blocked.


    2012:11:29-13:10:13 asg snort[24242]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="drop" reason="BLACKLIST User-Agent known malicious user agent - IEEXPLORE.EXE" group="500" srcip="145.23.17.17" dstip="10.100.100.100" proto="6" srcport="39494" dstport="80" sid="7534" class="Misc activity" priority="3" generator="1" msgid="0" 
    2012:11:29-13:11:32 asg snort[24242]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="drop" reason="BLACKLIST User-Agent known malicious user agent - IEEXPLORE.EXE" group="500" srcip="145.23.17.17" dstip="10.100.100.100" proto="6" srcport="36142" dstport="80" sid="7534" class="Misc activity" priority="3" generator="1" msgid="0" 
    2012:11:29-13:15:40 asg snort[24242]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="drop" reason="BLACKLIST User-Agent known malicious user agent - IEEXPLORE.EXE" group="500" srcip="145.23.17.17" dstip="10.100.100.100" proto="6" srcport="38673" dstport="80" sid="7534" class="Misc activity" priority="3" generator="1" msgid="0" 
    2012:11:29-13:17:10 asg snort[24242]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="drop" reason="BLACKLIST User-Agent known malicious user agent - IEEXPLORE.EXE" group="500" srcip="145.23.17.17" dstip="10.100.100.100" proto="6" srcport="38675" dstport="80" sid="7534" class="Misc activity" priority="3" generator="1" msgid="0" 
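Reading the ulogd "AFC Block" entries above programmatically makes it easier to spot drops that land on a port the site already runs (rsync on 873, HTTPS on 443) under a foreign application id, before touching the rule base. This is an added example, not code from the thread or from the vendor; it assumes the key="value" layout shown in the post, and the sample lines are constructed from it with placeholder addresses:

```python
import re
from collections import Counter

# Constructed sample lines modelled on the ulogd "AFC Block" entries in the thread
# (addresses and MACs are placeholders, not real hosts).
SAMPLE_LOG = """\
2012:11:29-13:24:34 asg ulogd[4275]: id="2019" severity="info" sys="SecureNet" sub="packetfilter" name="AFC Block" action="drop" fwrule="1" outitf="eth2.132" mark="0x1c0" app="448" srcmac="00:20:e3:07:cd:01" srcip="192.0.2.20" dstip="198.51.100.11" proto="6" length="48" tos="0x00" prec="0x00" ttl="127" srcport="3486" dstport="888" tcpflags="ACK PSH"
2012:11:29-13:25:06 asg ulogd[4275]: id="2019" severity="info" sys="SecureNet" sub="packetfilter" name="AFC Block" action="drop" fwrule="1" outitf="eth4.129" mark="0x1c0" app="448" srcmac="00:20:e3:07:cd:03" srcip="192.0.2.20" dstip="198.51.100.18" proto="6" length="48" tos="0x00" prec="0x00" ttl="127" srcport="3499" dstport="873" tcpflags="ACK PSH"
2012:11:29-13:26:19 asg ulogd[4275]: id="2019" severity="info" sys="SecureNet" sub="packetfilter" name="AFC Block" action="drop" fwrule="1" outitf="eth1" mark="0x21c0" app="448" srcmac="00:20:e3:07:cd:00" srcip="192.0.2.17" dstip="203.0.113.41" proto="6" length="194" tos="0x00" prec="0x00" ttl="64" srcport="48579" dstport="443" tcpflags="ACK PSH"
"""

# Every field after the syslog prefix is key="value"; values never contain quotes.
KV_RE = re.compile(r'(\w+)="([^"]*)"')

# Ports the site runs its own services on (assumption for this example). A drop
# on one of these under an unrelated app id is a candidate false positive to review.
EXPECTED_SERVICES = {"873": "rsync", "443": "https"}

def parse_ulogd(line):
    """Split one ulogd line into a dict of its key="value" fields plus the timestamp."""
    head, _, rest = line.partition(": ")          # first ": " ends "ulogd[pid]"
    fields = dict(KV_RE.findall(rest))
    fields["timestamp"] = head.split(" ", 1)[0]    # e.g. 2012:11:29-13:24:34
    return fields

def suspect_drops(log_text, app_id="448"):
    """Return AFC Block drops where app_id hit a port the site expects another service on."""
    hits = []
    for line in log_text.splitlines():
        f = parse_ulogd(line)
        if f.get("name") != "AFC Block" or f.get("action") != "drop":
            continue
        if f.get("app") != app_id:
            continue
        service = EXPECTED_SERVICES.get(f.get("dstport"))
        if service:
            hits.append((f["timestamp"], f["srcip"], f["dstip"], f["dstport"], service))
    return hits

def summarize(hits):
    """Count suspect drops per (dstport, expected service) for a quick overview."""
    return Counter((port, service) for _, _, _, port, service in hits)
```

Run over a full day of the packet filter log, a non-zero count for ("873", "rsync") is the signal that the application classification, not the rsync peer, is what needs attention.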
  • Hi Michael,

    I think, above your Block rule, you'll need an ALLOW rule for the IPs that you're rsyncing with.  If that doesn't work, how about adding them to the 'Skip hosts/nets' list?

    I've never had much luck getting Citrix server to play well with others, so I think you'll need to add an Exception for it.

    Cheers - Bob
  • Hi,

    Yes, I have fixed this with an exception.
    I just wanted to say that the IPS previously ran without problems.
    Is this issue probably caused by a pattern update around 28-30.11.12?

    Does anyone have an idea about the wrong Skype/rsync detection?
    Thank you
    Micha
  • Hi Micha,

    If you could supply a pcap with some of the falsely classified rsync traffic, it would help to reproduce the problem. This is required for fixing it.

    Doing

    tcpdump -i ethX -s0 -w rsync_as_skype.pcap -v

    on the right interface and posting the pcap would be nice.

    Best regards,
  • I'm noticing the same sort of thing. rsync traffic is identified as Skype traffic in the flow monitor.