I know about the SophosTester, HighScore, FakeDrop, sophostest.com and MTD.vbs.
How can we test the IPS, and what should an IPS detection look like?
Hi any thoughts on this?
br
f
Hi Fabio,
Please can you send me details of the Threat Protection policy via PM? Please include all of the settings, not just the IPS settings.
Regards,
Stephen
I also can't get an alert. I've tested outgoing using the sample Python script as follows:
C:\Python38-32>python C:\Users\jak\Desktop\endpoint-sophos-ips-tester.py --type tcp
sending TCP test pattern to ipstest.sophostest.com:54445
C:\Python38-32>python C:\Users\jak\Desktop\endpoint-sophos-ips-tester.py --type udp
sending UDP test pattern to ipstest.sophostest.com:54445
C:\Python38-32>python C:\Users\jak\Desktop\endpoint-sophos-ips-tester.py --type icmp
sending ICMP test pattern to ipstest.sophostest.com:54445
I see the packets going out in Wireshark:
I can see under the key:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sophos Endpoint Defense\EndpointFlags
ips.available
ips.filter.inbound
ips.filter.outbound
are all set to 1.
In:
C:\ProgramData\Sophos\Sophos Network Threat Protection\Config\policy.xml
<ips>
<enabled>true</enabled>
<exclusions/>
</ips>
In:
C:\ProgramData\Sophos\Sophos Network Threat Protection\IPS\system.rules
drop tcp any any -> any 54445 (msg:"FILE-OTHER EP-IPS TCP Test Passed"; file_data;dsize:33; content: "SOPHOS ENDPOINT IPS TEST PATTERN";metadata:product Eicar,cve_ts -,vuln none,cvss unknown,vendor misc,sfoscat 31,cves -,mapp unknown,cvss_pr 10,vuln_pr 10,score 85,vendor_pr 2,cve_pr 10; sid:7777000;)
drop udp any any -> any 54445 (msg:"FILE-OTHER EP-IPS UDP Test Passed"; file_data;dsize:33;content: "SOPHOS ENDPOINT IPS TEST PATTERN";metadata:product Eicar,cve_ts -,vuln none,cvss unknown,vendor misc,sfoscat 31,cves -,mapp unknown,cvss_pr 10,vuln_pr 10,score 85,vendor_pr 2,cve_pr 10; sid:7777001;)
drop icmp any any -> any any (msg:"FILE-OTHER EP-IPS ICMP Test Passed"; file_data; dsize:33;content: "SOPHOS ENDPOINT IPS TEST PATTERN";metadata:product Eicar,cve_ts -,vuln none,cvss unknown,vendor misc,sfoscat 31,cves -,mapp unknown,cvss_pr 10,vuln_pr 10,score 85,vendor_pr 2,cve_pr 10; sid:7777002;)
The content looks good and so does the length of 33.
The log of NTP says:
a 2019-12-21T00:00:00.870Z [18784:5384] - IPS feature flags updated, ips.available: enabled, ips.filter.inbound: enabled, ips.filter.outbound: enabled
a 2019-12-21T00:00:01.465Z [18784:16604] - By policy and feature flags, IPS is enabled
a 2019-12-21T00:00:06.815Z [18784:10432] - Snort DAQ commencing interception: PID [12304] CompID [61515639]
a 2019-12-21T00:00:06.822Z [18784:18796] - Setting Snort health status to GREEN
Processes look good:
I also tried the 'server' and 'client' mode of the script using the IP address of the interface and 127.0.0.1, e.g.
Server
C:\Python38-32>python C:\Users\jak\Desktop\endpoint-sophos-ips-tester.py -s -a 192.168.0.41
TCP server listening on 192.168.0.41:54445
received connection from 192.168.0.41:2404
Client
PS C:\Python38-32> .\python.exe C:\Users\jak\Desktop\endpoint-sophos-ips-tester.py -a 192.168.0.41 --type tcp
sending TCP test pattern to 192.168.0.41:54445
No alert there either in Sophos UI or in the SntpService.log.
Bit of a loss.
Regards,
Jak
P.S. As the AMSI feature is in the same EAP as IPS, the following PS command will test the AMSI feature by throwing a detection:
[Ref].Assembly.GetType('System.Management.Automation.AmsiUtils').getField('amsiinitfailed','nonpublic,static').setvalue($null,$true)
Application Event log:
Log Name: Application
Source: Sophos System Protection
Event ID: 42
Task Category: Virus/spyware
Level: Warning
Description:
Process "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" belongs to virus/spyware 'AMSI/Bypass-A'.
%programdata%\Sophos\Endpoint Defense\Logs\SSP.log:
I 2019-12-22T11:44:36.292Z Process with path C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe detected as AMSI/Bypass-A
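The three test rules quoted from system.rules above all hinge on the same two payload options, dsize:33 and content:"SOPHOS ENDPOINT IPS TEST PATTERN". The content string itself is 32 bytes, so the wire payload has to carry exactly one more byte for dsize:33 to pass. The following is an added Python example (not the endpoint-sophos-ips-tester.py script from the thread, whose source is not shown here) that emulates those rule checks so you can confirm a payload would fire before looking at SntpService.log; the trailing "\n" used to pad the pattern to 33 bytes is an assumption, and send_test_pattern() only covers the TCP and UDP cases.

```python
import socket

# The 32-byte content string from the three rules; the padding byte that
# brings it to dsize:33 is an assumption, not taken from the thread.
TEST_PATTERN = b"SOPHOS ENDPOINT IPS TEST PATTERN"
TEST_PAYLOAD = TEST_PATTERN + b"\n"
TEST_PORT = 54445

# (proto, destination port or None for "any", sid, msg) lifted from system.rules
RULES = [
    ("tcp", 54445, 7777000, "FILE-OTHER EP-IPS TCP Test Passed"),
    ("udp", 54445, 7777001, "FILE-OTHER EP-IPS UDP Test Passed"),
    ("icmp", None, 7777002, "FILE-OTHER EP-IPS ICMP Test Passed"),
]


def rule_matches(proto, dst_port, payload, rule):
    """Emulate the rule header plus the dsize:33 and content: options."""
    r_proto, r_port, _sid, _msg = rule
    if proto != r_proto:
        return False
    if r_port is not None and dst_port != r_port:
        return False
    # dsize is an exact-length test, content is a substring test
    return len(payload) == 33 and TEST_PATTERN in payload


def expected_sid(proto, dst_port, payload):
    """Return the sid of the first rule that would fire, or None."""
    for rule in RULES:
        if rule_matches(proto, dst_port, payload, rule):
            return rule[2]
    return None


def send_test_pattern(host, proto="tcp", port=TEST_PORT, timeout=5.0):
    """Send the 33-byte payload over TCP or UDP to the test listener.

    ICMP needs a raw socket and is deliberately left out of this helper.
    Returns the number of payload bytes handed to the socket.
    """
    kind = socket.SOCK_STREAM if proto == "tcp" else socket.SOCK_DGRAM
    with socket.socket(socket.AF_INET, kind) as s:
        s.settimeout(timeout)
        if proto == "tcp":
            s.connect((host, port))
            s.sendall(TEST_PAYLOAD)
        else:
            s.sendto(TEST_PAYLOAD, (host, port))
    return len(TEST_PAYLOAD)
```

If expected_sid() returns a sid for the protocol and port you are sending but nothing shows up in SntpService.log, the problem is on the interception side (feature flags, policy, Snort health) rather than in the payload.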
Hi jak - we'll look into it. Can you get an SDU please.
Vince