How can we test the IPS?

I know about the SophosTester, HighScore, FakeDrop, sophostest.com and MTD.vbs.

How can we test the IPS, and what should an IPS detection look like?

  • I also can't get an alert.  I've tested outgoing using the sample Python script as follows:

    C:\Python38-32>python C:\Users\jak\Desktop\endpoint-sophos-ips-tester.py --type tcp
    sending TCP test pattern to ipstest.sophostest.com:54445

    C:\Python38-32>python C:\Users\jak\Desktop\endpoint-sophos-ips-tester.py --type udp
    sending UDP test pattern to ipstest.sophostest.com:54445

    C:\Python38-32>python C:\Users\jak\Desktop\endpoint-sophos-ips-tester.py --type icmp
    sending ICMP test pattern to ipstest.sophostest.com:54445

    I see the packets going out in Wireshark:

    I can see under the key:

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sophos Endpoint Defense\EndpointFlags
    ips.available
    ips.filter.inbound
    ips.filter.outbound

    are all set to 1.

    In:
    C:\ProgramData\Sophos\Sophos Network Threat Protection\Config\policy.xml

    <ips>
    <enabled>true</enabled>
    <exclusions/>
    </ips>

    In:

    C:\ProgramData\Sophos\Sophos Network Threat Protection\IPS\system.rules

    drop tcp any any -> any 54445 (msg:"FILE-OTHER EP-IPS TCP Test Passed"; file_data;dsize:33; content: "SOPHOS ENDPOINT IPS TEST PATTERN";metadata:product Eicar,cve_ts -,vuln none,cvss unknown,vendor misc,sfoscat 31,cves -,mapp unknown,cvss_pr 10,vuln_pr 10,score 85,vendor_pr 2,cve_pr 10; sid:7777000;)

    drop udp any any -> any 54445 (msg:"FILE-OTHER EP-IPS UDP Test Passed"; file_data;dsize:33;content: "SOPHOS ENDPOINT IPS TEST PATTERN";metadata:product Eicar,cve_ts -,vuln none,cvss unknown,vendor misc,sfoscat 31,cves -,mapp unknown,cvss_pr 10,vuln_pr 10,score 85,vendor_pr 2,cve_pr 10; sid:7777001;)

    drop icmp any any -> any any (msg:"FILE-OTHER EP-IPS ICMP Test Passed"; file_data; dsize:33;content: "SOPHOS ENDPOINT IPS TEST PATTERN";metadata:product Eicar,cve_ts -,vuln none,cvss unknown,vendor misc,sfoscat 31,cves -,mapp unknown,cvss_pr 10,vuln_pr 10,score 85,vendor_pr 2,cve_pr 10; sid:7777002;)

    The content looks good and so does the length of 33.

    The log of NTP says:
    a 2019-12-21T00:00:00.870Z [18784:5384] - IPS feature flags updated, ips.available: enabled, ips.filter.inbound: enabled, ips.filter.outbound: enabled

    a 2019-12-21T00:00:01.465Z [18784:16604] - By policy and feature flags, IPS is enabled
    a 2019-12-21T00:00:06.815Z [18784:10432] - Snort DAQ commencing interception: PID [12304] CompID [61515639]
    a 2019-12-21T00:00:06.822Z [18784:18796] - Setting Snort health status to GREEN

    Processes look good:

    I also tried the 'server' and 'client' mode of the script using the IP address of the interface and 127.0.0.1, e.g.

    Server
    C:\Python38-32>python C:\Users\jak\Desktop\endpoint-sophos-ips-tester.py -s -a 192.168.0.41
    TCP server listening on 192.168.0.41:54445
    received connection from 192.168.0.41:2404

    Client
    PS C:\Python38-32> .\python.exe C:\Users\jak\Desktop\endpoint-sophos-ips-tester.py -a 192.168.0.41 --type tcp

    sending TCP test pattern to 192.168.0.41:54445

    No alert there either in Sophos UI or in the SntpService.log.

    Bit of a loss.

    Regards,
    Jak


    P.S. As the AMSI feature is in the same EAP as IPS, the following PS command will test the AMSI feature by throwing a detection:

    [Ref].Assembly.GetType('System.Management.Automation.AmsiUtils').getField('amsiinitfailed','nonpublic,static').setvalue($null,$true)

    Application Event log:

    Log Name: Application
    Source: Sophos System Protection
    Event ID: 42
    Task Category: Virus/spyware
    Level: Warning
    Description:
    Process "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" belongs to virus/spyware 'AMSI/Bypass-A'.

    %programdata%\Sophos\Endpoint Defense\Logs\SSP.log:
    I 2019-12-22T11:44:36.292Z Process with path C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe detected as AMSI/Bypass-A

  • Hi jak - we'll look into it. Can you get an SDU please.

    Vince
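Worked example, added here and not part of the thread, Sophos' tester script or Snort: a small Python evaluator for the three EP-IPS test rules quoted from system.rules above. It parses the rule header and the dsize/content/sid options and reports, per rule, either a match or the first check that rejects the packet, which is the question Jak is stuck on (is it the port, the length, or the content?). Assumptions: the rule text is copied from the post; the 33rd payload byte is assumed to be a trailing newline, since the content string itself is 32 bytes and the rule demands dsize:33; Snort's file_data buffer, the dsize range form and all other options are ignored, so this only models the handful of options these three rules use.

```python
import re

# Constructed copy of the three test rules quoted from system.rules in the post.
SYSTEM_RULES = """
drop tcp any any -> any 54445 (msg:"FILE-OTHER EP-IPS TCP Test Passed"; file_data;dsize:33; content: "SOPHOS ENDPOINT IPS TEST PATTERN";metadata:product Eicar,cve_ts -,vuln none,cvss unknown,vendor misc,sfoscat 31,cves -,mapp unknown,cvss_pr 10,vuln_pr 10,score 85,vendor_pr 2,cve_pr 10; sid:7777000;)
drop udp any any -> any 54445 (msg:"FILE-OTHER EP-IPS UDP Test Passed"; file_data;dsize:33;content: "SOPHOS ENDPOINT IPS TEST PATTERN";metadata:product Eicar,cve_ts -,vuln none,cvss unknown,vendor misc,sfoscat 31,cves -,mapp unknown,cvss_pr 10,vuln_pr 10,score 85,vendor_pr 2,cve_pr 10; sid:7777001;)
drop icmp any any -> any any (msg:"FILE-OTHER EP-IPS ICMP Test Passed"; file_data; dsize:33;content: "SOPHOS ENDPOINT IPS TEST PATTERN";metadata:product Eicar,cve_ts -,vuln none,cvss unknown,vendor misc,sfoscat 31,cves -,mapp unknown,cvss_pr 10,vuln_pr 10,score 85,vendor_pr 2,cve_pr 10; sid:7777002;)
"""

# Constructed payload: the 32-byte pattern plus one trailing byte (assumed to be
# a newline) so that it is 33 bytes long, as the poster observed in Wireshark.
TEST_PAYLOAD = b"SOPHOS ENDPOINT IPS TEST PATTERN\n"

HEADER_RE = re.compile(
    r"^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+"
    r"(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s+\((?P<opts>.*)\)\s*$"
)


def split_options(opts):
    """Split the option body on ';' but not inside double quotes."""
    parts, cur, quoted = [], [], False
    for ch in opts:
        if ch == '"':
            quoted = not quoted
        if ch == ";" and not quoted:
            parts.append("".join(cur).strip())
            cur = []
        else:
            cur.append(ch)
    tail = "".join(cur).strip()
    if tail:
        parts.append(tail)
    return [p for p in parts if p]


def decode_content(s):
    """Snort content syntax: literal text with |hex bytes| segments."""
    out, inside = bytearray(), False
    for seg in s.split("|"):
        out += bytes.fromhex(seg) if inside else seg.encode()
        inside = not inside
    return bytes(out)


def parse_rule(line):
    """Parse one rule into a dict of header fields plus the options we model."""
    m = HEADER_RE.match(line.strip())
    if not m:
        raise ValueError("unparsable rule: " + line)
    rule = {k: m.group(k) for k in ("action", "proto", "src", "sport", "dir", "dst", "dport")}
    rule["contents"] = []
    for opt in split_options(m.group("opts")):
        name, _, value = opt.partition(":")
        name, value = name.strip(), value.strip()
        if name == "content":
            rule["contents"].append(decode_content(value.strip('"')))
        elif name == "dsize":
            rule["dsize"] = value
        elif name == "sid":
            rule["sid"] = int(value)
        elif name == "msg":
            rule["msg"] = value.strip('"')
    return rule


def load_rules(text):
    return [parse_rule(l) for l in text.splitlines() if l.strip() and not l.startswith("#")]


def dsize_ok(spec, n):
    """dsize forms modelled: N, <N, >N (the N<>M range form is not handled)."""
    if spec.startswith("<"):
        return n < int(spec[1:])
    if spec.startswith(">"):
        return n > int(spec[1:])
    return n == int(spec)


def port_ok(spec, port):
    return spec == "any" or int(spec) == port


def evaluate(rule, proto, dport, payload):
    """Return 'match' or the name of the first check that rejects the packet."""
    if rule["proto"] != proto:
        return "proto"
    if not port_ok(rule["dport"], dport):
        return "dport"
    if "dsize" in rule and not dsize_ok(rule["dsize"], len(payload)):
        return "dsize"
    if not all(c in payload for c in rule["contents"]):
        return "content"
    return "match"


def first_match(rules, proto, dport, payload):
    """sid of the first rule that fires for this packet, or None."""
    for r in rules:
        if evaluate(r, proto, dport, payload) == "match":
            return r["sid"]
    return None


if __name__ == "__main__":
    rules = load_rules(SYSTEM_RULES)
    cases = [("tcp", 54445, TEST_PAYLOAD), ("udp", 54445, TEST_PAYLOAD),
             ("icmp", 0, TEST_PAYLOAD), ("tcp", 54445, TEST_PAYLOAD.rstrip())]
    for proto, port, payload in cases:
        verdicts = [(r["sid"], evaluate(r, proto, port, payload)) for r in rules]
        print(proto, port, len(payload), verdicts)
```

The last case in the demo is the one worth remembering when a test pattern produces no alert: a payload of exactly the 32-byte content string fails on dsize, not on content, so "the content looks good" is not by itself enough; the packet length has to be 33.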