
PUA-P2P Bittorrent uTP peer request

Hello,

Yesterday I upgraded my ASG 120 from v8 to v9.000.
When I start downloading with uTorrent, the IPS log always shows "PUA-P2P Bittorrent uTP peer request".
An incoming DNAT port to my PC is already set up.

How can I allow torrent downloading for one or two PCs only?


This thread was automatically locked due to age.
  • Hi,
    Do you have BitTorrent blocked? I believe it's under Application Control.

    Barry
  • Hi BarryG,

    I have Application Control disabled.
    Maybe this is the solution? [:O]

    Xenon

    Edit:
    For testing I have enabled Application Control. I allowed "Torrent and Skype" for everybody, with logging!
    But that's not.....

    For more testing I have disabled the rule in IPS => Advanced. But not even that seems to work.. [:(]
  • With Application Control disabled,
    and the IPS rule disabled,
    does anything still show up in the IPS and PacketFilter logs?

    Barry
  • Hello BarryG,

    With Application Control disabled and the IPS rule "2101" disabled, the IPS log shows the following (for testing, now with Skype):

    2012:07:17-20:05:51 ******X-1 snort[28256]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="drop" reason="PUA-P2P Skype client login" group="360" srcip="213.166.51.4" dstip="192.168.20.25" proto="6" srcport="33033" dstport="2980" sid="5999" class="Potential Corporate Privacy Violation" priority="1" generator="1" msgid="0"
    2012:07:17-20:05:53 ******X-1 snort[28256]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="drop" reason="PUA-P2P Skype client login" group="360" srcip="213.166.51.4" dstip="192.168.20.25" proto="6" srcport="33033" dstport="2981" sid="5999" class="Potential Corporate Privacy Violation" priority="1" generator="1" msgid="0"
    2012:07:17-20:06:00 ******X-1 snort[28256]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="drop" reason="PUA-P2P Skype client start up get latest version attempt" group="360" srcip="192.168.20.25" dstip="204.9.163.247" proto="6" srcport="2984" dstport="80" sid="5693" class="Potential Corporate Privacy Violation" priority="1" generator="1" msgid="0"
    2012:07:17-20:06:15 ******X-1 snort[28256]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="drop" reason="PUA-P2P Skype client login" group="360" srcip="149.13.32.15" dstip="192.168.20.25" proto="6" srcport="13392" dstport="2987" sid="5999" class="Potential Corporate Privacy Violation" priority="1" generator="1" msgid="0"
    2012:07:17-20:06:16 ******X-1 snort[28256]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="drop" reason="PUA-P2P Skype client login" group="360" srcip="149.13.32.15" dstip="192.168.20.25" proto="6" srcport="13392" dstport="2988" sid="5999" class="Potential Corporate Privacy Violation" priority="1" generator="1" msgid="0"  



    With torrent it's the same, but only with "PUA-P2P Bittorrent uTP peer request" and another rule ID.
  • The rule you want to except is rule ID 5999 (the "sid")  -- that 2101, I think, in your case is the process ID.

    and 5963 if you wanna use Skype.

    CTO, Convergent Information Security Solutions, LLC

    https://www.convergesecurity.com

    Sophos Platinum Partner

    --------------------------------------

    Advice given as posted on this forum does not construe a support relationship or other relationship with Convergent Information Security Solutions, LLC or its subsidiaries.  Use the advice given at your own risk.

  • Just curious,
    Bruce, should the IPS be blocking Skype (or BT) if application control is disabled, or is this a bug?

    Barry
  • IPS and application control are two separate subsystems, from different vendors, with different rule sets that they check against.
    __________________
    ACE v8/SCA v9.3

    ...still have a v5 install disk in a box somewhere.

    http://xkcd.com
    http://www.tedgoff.com/mb
    http://www.projectcartoon.com/cartoon/1
  • Has any progress been made on this?  I'm having the same issue with bittorrent traffic and UTM 9.

    Never mind.  I found this in the v9 beta forums:  https://community.sophos.com/products/unified-threat-management/astaroorg/f/75/t/64550
  • You can disable the IPS rules mentioned.

    Barry
  • That's what I ended up doing.  It's working for now, but I don't like having to put an exception for a rule set that isn't listed anywhere.

    I guess we'll see what happens when the up2date comes out.
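
The replies about excepting a rule by its "sid", and the closing concern about exceptions for rules that are not listed anywhere, both come down to reading the rule ID and the affected hosts out of the IPS log. The following is an added example, not code from any poster or from Sophos: it summarizes dropped IPS events per sid and lists the internal hosts involved, so an exception can be limited to those rules and machines. The function name, the sample lines (constructed in the layout of the log quoted above) and the LAN range 192.168.20.0/24 are assumptions.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample lines in the key="value" layout of the IPS log quoted in the thread.
# External addresses are documentation ranges; the last line is a non-IPS entry.
SAMPLE_LOG = """\
2012:07:17-20:05:51 utm snort[28256]: id="2101" severity="warn" sys="SecureNet" sub="ips" action="drop" reason="PUA-P2P Skype client login" srcip="203.0.113.4" dstip="192.168.20.25" proto="6" srcport="33033" dstport="2980" sid="5999"
2012:07:17-20:05:53 utm snort[28256]: id="2101" severity="warn" sys="SecureNet" sub="ips" action="drop" reason="PUA-P2P Skype client login" srcip="203.0.113.4" dstip="192.168.20.25" proto="6" srcport="33033" dstport="2981" sid="5999"
2012:07:17-20:06:00 utm snort[28256]: id="2101" severity="warn" sys="SecureNet" sub="ips" action="drop" reason="PUA-P2P Skype client start up get latest version attempt" srcip="192.168.20.25" dstip="198.51.100.247" proto="6" srcport="2984" dstport="80" sid="5693"
2012:07:17-20:06:15 utm snort[28256]: id="2101" severity="warn" sys="SecureNet" sub="ips" action="drop" reason="PUA-P2P Skype client login" srcip="203.0.113.15" dstip="192.168.20.30" proto="6" srcport="13392" dstport="2987" sid="5999"
2012:07:17-20:06:20 utm ulogd[4321]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" action="drop" srcip="203.0.113.9" dstip="192.168.20.25" proto="17"
"""

FIELD = re.compile(r'(\w+)="([^"]*)"')


def summarize_drops(log_text, lan="192.168.20.0/24"):
    """Return {sid: {"reason", "count", "hosts"}} for dropped IPS events."""
    lan_net = ipaddress.ip_network(lan)  # assumed internal network
    rules = defaultdict(lambda: {"reason": "", "count": 0, "hosts": set()})
    for line in log_text.splitlines():
        fields = dict(FIELD.findall(line))
        # Keep only IPS drops that carry a rule ID; skip packet filter and other lines.
        if fields.get("sub") != "ips" or fields.get("action") != "drop" or "sid" not in fields:
            continue
        entry = rules[fields["sid"]]
        entry["reason"] = fields.get("reason", "")
        entry["count"] += 1
        # Record whichever end of the connection is on the LAN.
        for key in ("srcip", "dstip"):
            try:
                if ipaddress.ip_address(fields.get(key, "")) in lan_net:
                    entry["hosts"].add(fields[key])
            except ValueError:
                pass  # missing or malformed address field
    return dict(rules)


if __name__ == "__main__":
    summary = summarize_drops(SAMPLE_LOG)
    for sid, e in sorted(summary.items(), key=lambda kv: -kv[1]["count"]):
        print(f'sid={sid} drops={e["count"]} hosts={sorted(e["hosts"])} reason={e["reason"]}')
```
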