How can we test the IPS?

See https://community.sophos.com/products/intercept/early-access-program/f/recommended-reads/116135/how-to-test-ips for how to test IPS.

What about if the test doesn't trigger any detection?

I've disabled the windows firewall, tried the script both without argument and in server mode.
I can see the connection coming in like "nc" style on the sever side. No alert on sophos endpoint

The version installed is:

Thanks

Hi Fabio, that is really weird. You seem to have to correct Core Agent version. 

There are two obvious things we can check:

• Has the machine been added to the list of devices that are participating in the EAP? (if that screenshot is from the client that doesn't do the detection, then that seems to be the case)
• Are you sure you have not switched off the IPS setting?

Vince

Hi Fabio, that is really weird. You seem to have to correct Core Agent version. 

There are two obvious things we can check:

• Has the machine been added to the list of devices that are participating in the EAP? (if that screenshot is from the client that doesn't do the detection, then that seems to be the case)
• Are you sure you have not switched off the IPS setting?

Vince

Hi Vincent,

the machine was added to eap list of machine partecipating. I though the "BETA" version in the core agent line was exactly stating that.

The screenshot has been taken exactly from that machine. why are you saying "if that screenshot is from the client that doesn't do the detection, then that seems to be the case"?

The ips feature was not changed as tamper protection is in place. Anyway, I've checked and it appears to be in place.

BR

fabio

Hi Fabio,

Thanks for your answer!

As for the IPS setting, I was referring to the setting in Central. It is possible you've disabled it here:

I will check what we can do, and will come back to you.

Vince

Hi Vincent,

that make sense but unfortunately that's not the problem:

Any other idea?

br

fabio

Hi Fabio,

I've sent you a PM.

Vince

Hi Fabio,

Please can you advise which OS you are running on the machine in question?

Regards,

Stephen

Hi Stephen, sure. Here it is:

BR

Fabio

Hi any thoughts on this?

br

f

Hi Fabio,

Please can you send me details of the Threat Protection policy via PM? Please include all of the settings, not just the IPS settings.

Regards,

Stephen

I also can't get an alert.  I've tested outgoing using the sample Python script as follows:

C:\Python38-32>python C:\Users\jak\Desktop\endpoint-sophos-ips-tester.py --type tcp
sending TCP test pattern to ipstest.sophostest.com:54445

C:\Python38-32>python C:\Users\jak\Desktop\endpoint-sophos-ips-tester.py --type udp
sending UDP test pattern to ipstest.sophostest.com:54445

C:\Python38-32>python C:\Users\jak\Desktop\endpoint-sophos-ips-tester.py --type icmp
sending ICMP test pattern to ipstest.sophostest.com:54445

I see the packets going out in Wireshark:

I can see under the key:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sophos Endpoint Defense\EndpointFlags
ips.available
ips.filter.inbound
ips.filter.outbound

are all set to 1.

In:
C:\ProgramData\Sophos\Sophos Network Threat Protection\Config\policy.xml

<ips>
<enabled>true</enabled>
<exclusions/>
</ips>

In:

C:\ProgramData\Sophos\Sophos Network Threat Protection\IPS\system.rules

drop tcp any any -> any 54445 (msg:"FILE-OTHER EP-IPS TCP Test Passed"; file_data;dsize:33; content: "SOPHOS ENDPOINT IPS TEST PATTERN";metadata:product Eicar,cve_ts -,vuln none,cvss unknown,vendor misc,sfoscat 31,cves -,mapp unknown,cvss_pr 10,vuln_pr 10,score 85,vendor_pr 2,cve_pr 10; sid:7777000;)

drop udp any any -> any 54445 (msg:"FILE-OTHER EP-IPS UDP Test Passed"; file_data;dsize:33;content: "SOPHOS ENDPOINT IPS TEST PATTERN";metadata:product Eicar,cve_ts -,vuln none,cvss unknown,vendor misc,sfoscat 31,cves -,mapp unknown,cvss_pr 10,vuln_pr 10,score 85,vendor_pr 2,cve_pr 10; sid:7777001;)

drop icmp any any -> any any (msg:"FILE-OTHER EP-IPS ICMP Test Passed"; file_data; dsize:33;content: "SOPHOS ENDPOINT IPS TEST PATTERN";metadata:product Eicar,cve_ts -,vuln none,cvss unknown,vendor misc,sfoscat 31,cves -,mapp unknown,cvss_pr 10,vuln_pr 10,score 85,vendor_pr 2,cve_pr 10; sid:7777002;)

The conent looks good and so does the length of 33.

The log of NTP says:
a 2019-12-21T00:00:00.870Z [18784:5384] - IPS feature flags updated, ips.available: enabled, ips.filter.inbound: enabled, ips.filter.outbound: enabled

a 2019-12-21T00:00:01.465Z [18784:16604] - By policy and feature flags, IPS is enabled
a 2019-12-21T00:00:06.815Z [18784:10432] - Snort DAQ commencing interception: PID [12304] CompID [61515639]
a 2019-12-21T00:00:06.822Z [18784:18796] - Setting Snort health status to GREEN

Processes look good:

I also tried the 'server' and 'client' mode of the script using the IP address of the interface and 127.0.0.1, e.g.

Server
C:\Python38-32>python C:\Users\jak\Desktop\endpoint-sophos-ips-tester.py -s -a 192.168.0.41
TCP server listening on 192.168.0.41:54445
received connection from 192.168.0.41:2404

Client
PS C:\Python38-32> .\python.exe C:\Users\jak\Desktop\endpoint-sophos-ips-tester.py -a 192.168.0.41 --type tcp
sending TCP test pattern to 192.168.0.41:54445

No alert there either in Sophos UI or in the SntpService.log.

Bit of a loss.

Regards,
Jak

P.S. As the AMSI features is in the same EAP as IPS; the following PS command will test the AMSI feature throwing a detection:

[Ref].Assembly.GetType('System.Management.Automation.AmsiUtils').getField('amsiinitfailed','nonpublic,static').setvalue($null,$true)

Application Event log:

Log Name: Application
Source: Sophos System Protection
Event ID: 42
Task Category: Virus/spyware
Level: Warning
Description:
Process "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" belongs to virus/spyware 'AMSI/Bypass-A'.

$programdata%\Sophos\Endpoint Defense\Logs\SSP.log:
I 2019-12-22T11:44:36.292Z Process with path C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe detected as AMSI/Bypass-A

Hi jak - we'll look into it. Can you get an SDU please.

Vince