How can we test the IPS?

I know about the SophosTester, HighScore, FakeDrop, sophostest.com and MTD.vbs.

How can we test the IPS and how should an IPS detection look like?

  • Hi William,

    Excellent question. I will post an article on how to test IPS later today.

    Vince

  • In reply to Vincent Vanbiervliet:

    What about if the test doesn't trigger any detection?

    I've disabled the windows firewall, tried the script both without argument and in server mode.
    I can see the connection coming in like "nc" style on the sever side. No alert on sophos endpoint

    The version installed is:

    Thanks

  • In reply to Fabio Puricelli:

    Hi Fabio, that is really weird. You seem to have to correct Core Agent version. 

    There are two obvious things we can check:

    • Has the machine been added to the list of devices that are participating in the EAP? (if that screenshot is from the client that doesn't do the detection, then that seems to be the case)
    • Are you sure you have not switched off the IPS setting?

    Vince

  • In reply to Vincent Vanbiervliet:

    Hi Vincent,

    the machine was added to eap list of machine partecipating. I though the "BETA" version in the core agent line was exactly stating that.

    The screenshot has been taken exactly from that machine. why are you saying "if that screenshot is from the client that doesn't do the detection, then that seems to be the case"?

    The ips feature was not changed as tamper protection is in place. Anyway, I've checked and it appears to be in place.

    BR

    fabio

  • In reply to Fabio Puricelli:

    Hi Fabio,

    Thanks for your answer!

    As for the IPS setting, I was referring to the setting in Central. It is possible you've disabled it here:

    I will check what we can do, and will come back to you.

    Vince

  • In reply to Vincent Vanbiervliet:

    Hi Vincent,

    that make sense but unfortunately that's not the problem:

     

    Any other idea?

    br

    fabio

  • In reply to Fabio Puricelli:

    Hi Fabio,

    I've sent you a PM.

    Vince

  • In reply to Fabio Puricelli:

    Hi Fabio,

    Please can you advise which OS you are running on the machine in question?

    Regards,

    Stephen

  • In reply to StephenMcKay:

    Hi Stephen, sure. Here it is:

     

    BR

    Fabio

  • In reply to Fabio Puricelli:

    Hi any thoughts on this?

    br

    f

  • In reply to Fabio Puricelli:

    Hi Fabio,

    Please can you send me details of the Threat Protection policy via PM? Please include all of the settings, not just the IPS settings.

    Regards,

    Stephen

  • In reply to StephenMcKay:

    I also can't get an alert.  I've tested outgoing using the sample Python script as follows:

    C:\Python38-32>python C:\Users\jak\Desktop\endpoint-sophos-ips-tester.py --type tcp
    sending TCP test pattern to ipstest.sophostest.com:54445

    C:\Python38-32>python C:\Users\jak\Desktop\endpoint-sophos-ips-tester.py --type udp
    sending UDP test pattern to ipstest.sophostest.com:54445

    C:\Python38-32>python C:\Users\jak\Desktop\endpoint-sophos-ips-tester.py --type icmp
    sending ICMP test pattern to ipstest.sophostest.com:54445

    I see the packets going out in Wireshark:

    I can see under the key:

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sophos Endpoint Defense\EndpointFlags
    ips.available
    ips.filter.inbound
    ips.filter.outbound

    are all set to 1.

    In:
    C:\ProgramData\Sophos\Sophos Network Threat Protection\Config\policy.xml

    <ips>
    <enabled>true</enabled>
    <exclusions/>
    </ips>

    In:

    C:\ProgramData\Sophos\Sophos Network Threat Protection\IPS\system.rules

    drop tcp any any -> any 54445 (msg:"FILE-OTHER EP-IPS TCP Test Passed"; file_data;dsize:33; content: "SOPHOS ENDPOINT IPS TEST PATTERN";metadata:product Eicar,cve_ts -,vuln none,cvss unknown,vendor misc,sfoscat 31,cves -,mapp unknown,cvss_pr 10,vuln_pr 10,score 85,vendor_pr 2,cve_pr 10; sid:7777000;)

    drop udp any any -> any 54445 (msg:"FILE-OTHER EP-IPS UDP Test Passed"; file_data;dsize:33;content: "SOPHOS ENDPOINT IPS TEST PATTERN";metadata:product Eicar,cve_ts -,vuln none,cvss unknown,vendor misc,sfoscat 31,cves -,mapp unknown,cvss_pr 10,vuln_pr 10,score 85,vendor_pr 2,cve_pr 10; sid:7777001;)

    drop icmp any any -> any any (msg:"FILE-OTHER EP-IPS ICMP Test Passed"; file_data; dsize:33;content: "SOPHOS ENDPOINT IPS TEST PATTERN";metadata:product Eicar,cve_ts -,vuln none,cvss unknown,vendor misc,sfoscat 31,cves -,mapp unknown,cvss_pr 10,vuln_pr 10,score 85,vendor_pr 2,cve_pr 10; sid:7777002;)

    The conent looks good and so does the length of 33.

    The log of NTP says:
    a 2019-12-21T00:00:00.870Z [18784:5384] - IPS feature flags updated, ips.available: enabled, ips.filter.inbound: enabled, ips.filter.outbound: enabled

    a 2019-12-21T00:00:01.465Z [18784:16604] - By policy and feature flags, IPS is enabled
    a 2019-12-21T00:00:06.815Z [18784:10432] - Snort DAQ commencing interception: PID [12304] CompID [61515639]
    a 2019-12-21T00:00:06.822Z [18784:18796] - Setting Snort health status to GREEN

    Processes look good:

    I also tried the 'server' and 'client' mode of the script using the IP address of the interface and 127.0.0.1, e.g.

    Server
    C:\Python38-32>python C:\Users\jak\Desktop\endpoint-sophos-ips-tester.py -s -a 192.168.0.41
    TCP server listening on 192.168.0.41:54445
    received connection from 192.168.0.41:2404

    Client
    PS C:\Python38-32> .\python.exe C:\Users\jak\Desktop\endpoint-sophos-ips-tester.py -a 192.168.0.41 --type tcp

    sending TCP test pattern to 192.168.0.41:54445

    No alert there either in Sophos UI or in the SntpService.log.

    Bit of a loss.

    Regards,
    Jak

     

    P.S. As the AMSI features is in the same EAP as IPS; the following PS command will test the AMSI feature throwing a detection:

    [Ref].Assembly.GetType('System.Management.Automation.AmsiUtils').getField('amsiinitfailed','nonpublic,static').setvalue($null,$true)

    Application Event log:

    Log Name: Application
    Source: Sophos System Protection
    Event ID: 42
    Task Category: Virus/spyware
    Level: Warning
    Description:
    Process "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" belongs to virus/spyware 'AMSI/Bypass-A'.

    $programdata%\Sophos\Endpoint Defense\Logs\SSP.log:
    I 2019-12-22T11:44:36.292Z Process with path C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe detected as AMSI/Bypass-A

  • In reply to jak:

    Hi jak - we'll look into it. Can you get an SDU please.

    Vince