
IPS keeps "reloading" and I have no daily threat logs for IPS anymore. There are "backdoor" entries in the IPS log.

I have some problems with my IPS. Whenever I go to the Daily Log files there are never any logs available for the Intrusion Prevention System. I must go to the log archive, and when I view it there are never any detected port scans, UDP floods, or warnings, which I find puzzling. Instead I have a lot of confusing log entries, like rules not being used. I have all attack patterns selected, with no rule age, and extra warnings for malware enabled. The only time I ever see any logs is when I do a port scan on myself from Shields Up.

 

The way the IPS logs makes it look like something is going wrong. There's no log that says "hey, everything is fine!" to let you know it's working right. It's all warnings. Is there anything suspicious in the logs? Is there any log entry or Telnet command that can be used to verify that everything is working OK?

 

I get thousands of entries in the log that say 

DynamicPlugin: Rule [3:XXXXX] not enabled in configuration, rule will not be used. 

The last of the logs are from yesterday.

 +-----------------------[detection-filter-config]------------------------------
2018:06:15-12:20:33 mysophosutm snort[15925]: | memory-cap : 1048576 bytes
2018:06:15-12:20:33 mysophosutm snort[15925]: +-----------------------[detection-filter-rules]-------------------------------
2018:06:15-12:20:33 mysophosutm snort[15925]: -------------------------------------------------------------------------------
2018:06:15-12:20:33 mysophosutm snort[15925]: 
2018:06:15-12:20:33 mysophosutm snort[15925]: +-----------------------[rate-filter-config]-----------------------------------
2018:06:15-12:20:33 mysophosutm snort[15925]: | memory-cap : 1048576 bytes
2018:06:15-12:20:33 mysophosutm snort[15925]: +-----------------------[rate-filter-rules]------------------------------------
2018:06:15-12:20:33 mysophosutm snort[15925]: | none
2018:06:15-12:20:33 mysophosutm snort[15925]: -------------------------------------------------------------------------------
2018:06:15-12:20:33 mysophosutm snort[15925]: 
2018:06:15-12:20:33 mysophosutm snort[15925]: +-----------------------[event-filter-config]----------------------------------
2018:06:15-12:20:33 mysophosutm snort[15925]: | memory-cap : 1048576 bytes
2018:06:15-12:20:33 mysophosutm snort[15925]: +-----------------------[event-filter-global]----------------------------------
2018:06:15-12:20:33 mysophosutm snort[15925]: +-----------------------[event-filter-local]-----------------------------------
2018:06:15-12:20:33 mysophosutm snort[15925]: | none
2018:06:15-12:20:33 mysophosutm snort[15925]: +-----------------------[suppression]------------------------------------------
2018:06:15-12:20:33 mysophosutm snort[15925]: | none
2018:06:15-12:20:33 mysophosutm snort[15925]: -------------------------------------------------------------------------------
2018:06:15-12:20:33 mysophosutm snort[15925]: Rule application order: activation->dynamic->pass->drop->sdrop->reject->alert->log
2018:06:15-12:20:33 mysophosutm snort[15925]:       Max Expected Streams: 15
2018:06:15-12:20:33 mysophosutm snort[15925]: Verifying Preprocessor Configurations!
2018:06:15-12:20:33 mysophosutm snort[15925]: WARNING: flowbits key 'file.hpj' is set but not ever checked.
2018:06:15-12:20:33 mysophosutm snort[15925]: WARNING: flowbits key 'file.maki' is set but not ever checked.
2018:06:15-12:20:33 mysophosutm snort[15925]: WARNING: flowbits key 'file.macho64le' is checked but not ever set.
2018:06:15-12:20:33 mysophosutm snort[15925]: WARNING: flowbits key 'file.r' is set but not ever checked.
2018:06:15-12:20:33 mysophosutm snort[15925]: WARNING: flowbits key 'file.nab' is set but not ever checked.
2018:06:15-12:20:33 mysophosutm snort[15925]: WARNING: flowbits key 'soliddb' is checked but not ever set.
2018:06:15-12:20:33 mysophosutm snort[15925]: WARNING: flowbits key 'file.fpx' is set but not ever checked.
2018:06:15-12:20:33 mysophosutm snort[15925]: WARNING: flowbits key 'file.xz' is set but not ever checked.
2018:06:15-12:20:33 mysophosutm snort[15925]: WARNING: flowbits key 'file.pkp' is checked but not ever set.
2018:06:15-12:20:33 mysophosutm snort[15925]: WARNING: flowbits key 'file.3dm' is set but not ever checked.
2018:06:15-12:20:33 mysophosutm snort[15925]: WARNING: flowbits key 'synergy' is checked but not ever set.
2018:06:15-12:20:33 mysophosutm snort[15925]: WARNING: flowbits key 'file.wmf' is set but not ever checked.
2018:06:15-12:20:33 mysophosutm snort[15925]: WARNING: flowbits key 'file.engtesselate' is set but not ever checked.
2018:06:15-12:20:33 mysophosutm snort[15925]: WARNING: flowbits key 'file.blend.little.32' is set but not ever checked.
2018:06:15-12:20:33 mysophosutm snort[15925]: WARNING: flowbits key 'file.cnt' is set but not ever checked.
2018:06:15-12:20:33 mysophosutm snort[15925]: WARNING: flowbits key 'file.reg' is checked but not ever set.
2018:06:15-12:20:33 mysophosutm snort[15925]: WARNING: flowbits key 'file.rss' is set but not ever checked.
2018:06:15-12:20:33 mysophosutm snort[15925]: WARNING: flowbits key 'qualcom.worldmail.ok' is set but not ever checked.
2018:06:15-12:20:33 mysophosutm snort[15925]: WARNING: flowbits key 'file.fon' is set but not ever checked.
2018:06:15-12:20:33 mysophosutm snort[15925]: WARNING: flowbits key 'file.cur' is set but not ever checked.
2018:06:15-12:20:33 mysophosutm snort[15925]: WARNING: flowbits key 'file.eps' is checked but not ever set.
2018:06:15-12:20:33 mysophosutm snort[15925]: WARNING: flowbits key 'file.hta' is set but not ever checked.
2018:06:15-12:20:33 mysophosutm snort[15925]: WARNING: flowbits key 'file.m4v' is set but not ever checked.
2018:06:15-12:20:33 mysophosutm snort[15925]: WARNING: flowbits key 'file.dbp' is checked but not ever set.
2018:06:15-12:20:33 mysophosutm snort[15925]: WARNING: flowbits key 'file.aiff' is set but not ever checked.
2018:06:15-12:20:33 mysophosutm snort[15925]: WARNING: flowbits key 'file.ani' is set but not ever checked.
2018:06:15-12:20:33 mysophosutm snort[15925]: WARNING: flowbits key 'file.tnef' is checked but not ever set.
2018:06:15-12:20:33 mysophosutm snort[15925]: WARNING: flowbits key 'websocket' is set but not ever checked.
2018:06:15-12:20:33 mysophosutm snort[15925]: WARNING: flowbits key 'AOLAdmin1.1.connection' is set but not ever checked.
2018:06:15-12:20:33 mysophosutm snort[15925]: WARNING: flowbits key 'file.xul' is set but not ever checked.
2018:06:15-12:20:33 mysophosutm snort[15925]: WARNING: flowbits key 'file.bak' is set but not ever checked.
2018:06:15-12:20:33 mysophosutm snort[15925]: WARNING: flowbits key 'file.hhk' is set but not ever checked.
2018:06:15-12:20:33 mysophosutm snort[15925]: WARNING: flowbits key 'backdoor.cybernetic.1.62.rev.conn.1' is set but not ever checked.
2018:06:15-12:20:33 mysophosutm snort[15925]: WARNING: flowbits key 'file.vap' is checked but not ever set.
2018:06:15-12:20:33 mysophosutm snort[15925]: WARNING: flowbits key 'file.usk' is set but not ever checked.
2018:06:15-12:20:33 mysophosutm snort[15925]: WARNING: flowbits key 'file.pecompact' is set but not ever checked.
2018:06:15-12:20:33 mysophosutm snort[15925]: WARNING: flowbits key 'file.regf' is set but not ever checked.
2018:06:15-12:20:33 mysophosutm snort[15925]: WARNING: flowbits key 'file.bz2' is set but not ever checked.
2018:06:15-12:20:33 mysophosutm snort[15925]: WARNING: flowbits key 'backdoor.NetDevil.conn.step1' is set but not ever checked.
2018:06:15-12:20:33 mysophosutm snort[15925]: WARNING: flowbits key 'file.rmf' is set but not ever checked.
2018:06:15-12:20:33 mysophosutm snort[15925]: WARNING: flowbits key 'file.rt' is set but not ever checked.
2018:06:15-12:20:33 mysophosutm snort[15925]: WARNING: flowbits key 'file.collada' is set but not ever checked.
2018:06:15-12:20:33 mysophosutm snort[15925]: WARNING: flowbits key 'pop3.stat' is set but not ever checked.
2018:06:15-12:20:33 mysophosutm snort[15925]: WARNING: flowbits key 'file.eot' is set but not ever checked.
2018:06:15-12:20:33 mysophosutm snort[15925]: WARNING: flowbits key 'file.jnlp' is set but not ever checked.
2018:06:15-12:20:33 mysophosutm snort[15925]: WARNING: flowbits key 'GhostVoice_InitConnection_withpassword' is set but not ever checked.
2018:06:15-12:20:33 mysophosutm snort[15925]: WARNING: flowbits key 'vnc.server.auth.types' is set but not ever checked.
2018:06:15-12:20:33 mysophosutm snort[15925]: WARNING: flowbits key 'lp.cascade' is set but not ever checked.
2018:06:15-12:20:33 mysophosutm snort[15925]: WARNING: flowbits key 'file.job' is set but not ever checked.
2018:06:15-12:20:33 mysophosutm snort[15925]: WARNING: flowbits key 'file.xm' is set but not ever checked.
2018:06:15-12:20:33 mysophosutm snort[15925]: WARNING: flowbits key 'file.flc' is set but not ever checked.
2018:06:15-12:20:33 mysophosutm snort[15925]: WARNING: flowbits key 'acunetix-scan' is checked but not ever set.
2018:06:15-12:20:33 mysophosutm snort[15925]: WARNING: flowbits key 'file.dat' is checked but not ever set.
2018:06:15-12:20:33 mysophosutm snort[15925]: WARNING: flowbits key 'file.rar' is checked but not ever set.
2018:06:15-12:20:33 mysophosutm snort[15925]: WARNING: flowbits key 'file.eml' is checked but not ever set.
2018:06:15-12:20:33 mysophosutm snort[15925]: WARNING: flowbits key 'smb.req.ascii' is checked but not ever set.
2018:06:15-12:20:33 mysophosutm snort[15925]: WARNING: flowbits key 'file.amf' is set but not ever checked.
2018:06:15-12:20:33 mysophosutm snort[15925]: WARNING: flowbits key 'file.msi' is set but not ever checked.
2018:06:15-12:20:33 mysophosutm snort[15925]: WARNING: flowbits key 'file.sln' is checked but not ever set.
2018:06:15-12:20:33 mysophosutm snort[15925]: WARNING: flowbits key 'file.cell' is set but not ever checked.
2018:06:15-12:20:33 mysophosutm snort[15925]: WARNING: flowbits key 'foscam_ua' is set but not ever checked.
2018:06:15-12:20:33 mysophosutm snort[15925]: WARNING: flowbits key 'file.motn' is set but not ever checked.
2018:06:15-12:20:33 mysophosutm snort[15925]: WARNING: flowbits key 'file.qcp' is set but not ever checked.
2018:06:15-12:20:33 mysophosutm snort[15925]: WARNING: flowbits key 'oracle.connect' is set but not ever checked.
2018:06:15-12:20:33 mysophosutm snort[15925]: WARNING: flowbits key 'file.gz' is set but not ever checked.
2018:06:15-12:20:33 mysophosutm snort[15925]: WARNING: flowbits key 'file.dir' is set but not ever checked.
2018:06:15-12:20:33 mysophosutm snort[15925]: 556 out of 1024 flowbits in use.
2018:06:15-12:21:31 mysophosutm snort[15926]: 
2018:06:15-12:21:31 mysophosutm snort[15926]: [ Port Based Pattern Matching Memory ]
2018:06:15-12:21:31 mysophosutm snort[15926]: +-[AC-BNFA Search Info Summary]------------------------------
2018:06:15-12:21:31 mysophosutm snort[15926]: | Instances        : 2409
2018:06:15-12:21:31 mysophosutm snort[15926]: | Patterns         : 1043555
2018:06:15-12:21:31 mysophosutm snort[15926]: | Pattern Chars    : 22155916
2018:06:15-12:21:31 mysophosutm snort[15926]: | Num States       : 14561617
2018:06:15-12:21:31 mysophosutm snort[15926]: | Num Match States : 1620906
2018:06:15-12:21:31 mysophosutm snort[15926]: | Memory           :   404.44Mbytes
2018:06:15-12:21:31 mysophosutm snort[15926]: |   Patterns       :   45.01M
2018:06:15-12:21:31 mysophosutm snort[15926]: |   Match Lists    :   190.32M
2018:06:15-12:21:31 mysophosutm snort[15926]: |   Transitions    :   168.54M
2018:06:15-12:21:31 mysophosutm snort[15926]: +-------------------------------------------------
2018:06:15-12:21:31 mysophosutm snort[15926]: [ Number of null byte prefixed patterns trimmed: 23973 ]
2018:06:15-12:21:31 mysophosutm snort[15926]: WARNING: normalizations disabled because DAQ can't replace packets.
2018:06:15-12:21:31 mysophosutm snort[15926]: Session Reload: Reference Count Non-zero for old configuration.
2018:06:15-12:21:31 mysophosutm snort[15926]: 
2018:06:15-12:21:31 mysophosutm snort[15926]:         --== Reload Complete ==--
2018:06:15-12:21:31 mysophosutm snort[15926]: 
2018:06:15-12:21:32 mysophosutm snort[15925]: 
2018:06:15-12:21:32 mysophosutm snort[15925]: [ Port Based Pattern Matching Memory ]
2018:06:15-12:21:32 mysophosutm snort[15925]: +-[AC-BNFA Search Info Summary]------------------------------
2018:06:15-12:21:32 mysophosutm snort[15925]: | Instances        : 2409
2018:06:15-12:21:32 mysophosutm snort[15925]: | Patterns         : 1043555
2018:06:15-12:21:32 mysophosutm snort[15925]: | Pattern Chars    : 22155916
2018:06:15-12:21:32 mysophosutm snort[15925]: | Num States       : 14561617
2018:06:15-12:21:32 mysophosutm snort[15925]: | Num Match States : 1620906
2018:06:15-12:21:32 mysophosutm snort[15925]: | Memory           :   404.44Mbytes
2018:06:15-12:21:32 mysophosutm snort[15925]: |   Patterns       :   45.01M
2018:06:15-12:21:32 mysophosutm snort[15925]: |   Match Lists    :   190.32M
2018:06:15-12:21:32 mysophosutm snort[15925]: |   Transitions    :   168.54M
2018:06:15-12:21:32 mysophosutm snort[15925]: +-------------------------------------------------
2018:06:15-12:21:32 mysophosutm snort[15925]: [ Number of null byte prefixed patterns trimmed: 23973 ]
2018:06:15-12:21:33 mysophosutm snort[15925]: WARNING: normalizations disabled because DAQ can't replace packets.
2018:06:15-12:21:33 mysophosutm snort[15925]: Session Reload: Reference Count Non-zero for old configuration.
2018:06:15-12:21:33 mysophosutm snort[15925]: 
2018:06:15-12:21:33 mysophosutm snort[15925]:         --== Reload Complete ==--
2018:06:15-12:21:33 mysophosutm snort[15925]: 
2018:06:15-12:21:33 mysophosutm snort[15927]: 
2018:06:15-12:21:33 mysophosutm snort[15927]: [ Port Based Pattern Matching Memory ]
2018:06:15-12:21:33 mysophosutm snort[15927]: +-[AC-BNFA Search Info Summary]------------------------------
2018:06:15-12:21:33 mysophosutm snort[15927]: | Instances        : 2409
2018:06:15-12:21:33 mysophosutm snort[15927]: | Patterns         : 1043555
2018:06:15-12:21:33 mysophosutm snort[15927]: | Pattern Chars    : 22155916
2018:06:15-12:21:33 mysophosutm snort[15927]: | Num States       : 14561617
2018:06:15-12:21:33 mysophosutm snort[15927]: | Num Match States : 1620906
2018:06:15-12:21:33 mysophosutm snort[15927]: | Memory           :   404.44Mbytes
2018:06:15-12:21:33 mysophosutm snort[15927]: |   Patterns       :   45.01M
2018:06:15-12:21:33 mysophosutm snort[15927]: |   Match Lists    :   190.32M
2018:06:15-12:21:33 mysophosutm snort[15927]: |   Transitions    :   168.54M
2018:06:15-12:21:33 mysophosutm snort[15927]: +-------------------------------------------------
2018:06:15-12:21:33 mysophosutm snort[15927]: [ Number of null byte prefixed patterns trimmed: 23973 ]
2018:06:15-12:21:34 mysophosutm snort[15927]: WARNING: normalizations disabled because DAQ can't replace packets.
2018:06:15-12:21:34 mysophosutm snort[15927]: Session Reload: Reference Count Non-zero for old configuration.
2018:06:15-12:21:34 mysophosutm snort[15927]: 
2018:06:15-12:21:34 mysophosutm snort[15927]:         --== Reload Complete ==--
2018:06:15-12:21:34 mysophosutm snort[15927]: 
2018:06:15-12:21:34 mysophosutm snort[15928]: 
2018:06:15-12:21:34 mysophosutm snort[15928]: [ Port Based Pattern Matching Memory ]
2018:06:15-12:21:34 mysophosutm snort[15928]: +-[AC-BNFA Search Info Summary]------------------------------
2018:06:15-12:21:34 mysophosutm snort[15928]: | Instances        : 2409
2018:06:15-12:21:34 mysophosutm snort[15928]: | Patterns         : 1043555
2018:06:15-12:21:34 mysophosutm snort[15928]: | Pattern Chars    : 22155916
2018:06:15-12:21:34 mysophosutm snort[15928]: | Num States       : 14561617
2018:06:15-12:21:34 mysophosutm snort[15928]: | Num Match States : 1620906
2018:06:15-12:21:34 mysophosutm snort[15928]: | Memory           :   404.44Mbytes
2018:06:15-12:21:34 mysophosutm snort[15928]: |   Patterns       :   45.01M
2018:06:15-12:21:34 mysophosutm snort[15928]: |   Match Lists    :   190.32M
2018:06:15-12:21:34 mysophosutm snort[15928]: |   Transitions    :   168.54M
2018:06:15-12:21:34 mysophosutm snort[15928]: +-------------------------------------------------
2018:06:15-12:21:34 mysophosutm snort[15928]: [ Number of null byte prefixed patterns trimmed: 23973 ]
2018:06:15-12:21:34 mysophosutm snort[15928]: WARNING: normalizations disabled because DAQ can't replace packets.
2018:06:15-12:21:34 mysophosutm snort[15928]: Session Reload: Reference Count Non-zero for old configuration.
2018:06:15-12:21:34 mysophosutm snort[15928]: 
2018:06:15-12:21:34 mysophosutm snort[15928]:         --== Reload Complete ==--
2018:06:15-12:21:34 mysophosutm snort[15928]: 
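
As an added example, not code from this thread or from Sophos, here is a small Python triage script that sorts lines in the format shown above into buckets so that real Snort alerts stand out from the (re)load chatter. It assumes the syslog-style prefix seen above (`date host snort[pid]: message`); the prefix and most sample messages are copied from the excerpt, while the single `[**] [gid:sid:rev]` line is a constructed classic-Snort alert header added for contrast, and the format the UTM itself uses for IPS hits may differ. Strings such as "backdoor" only appear here inside flowbits key names, that is, as labels from the rule set, and the script reports them separately from detections.

```python
import re
from collections import Counter, defaultdict

# Constructed sample: prefix and most messages taken from the excerpt above,
# plus one assumed classic-Snort alert line (documentation IP addresses).
SAMPLE = """\
2018:06:15-12:20:33 mysophosutm snort[15925]: Verifying Preprocessor Configurations!
2018:06:15-12:20:33 mysophosutm snort[15925]: WARNING: flowbits key 'file.hpj' is set but not ever checked.
2018:06:15-12:20:33 mysophosutm snort[15925]: WARNING: flowbits key 'soliddb' is checked but not ever set.
2018:06:15-12:20:33 mysophosutm snort[15925]: WARNING: flowbits key 'backdoor.NetDevil.conn.step1' is set but not ever checked.
2018:06:15-12:20:33 mysophosutm snort[15925]: DynamicPlugin: Rule [3:XXXXX] not enabled in configuration, rule will not be used.
2018:06:15-12:20:33 mysophosutm snort[15925]: 556 out of 1024 flowbits in use.
2018:06:15-12:21:31 mysophosutm snort[15926]: WARNING: normalizations disabled because DAQ can't replace packets.
2018:06:15-12:21:31 mysophosutm snort[15926]: Session Reload: Reference Count Non-zero for old configuration.
2018:06:15-12:21:31 mysophosutm snort[15926]:         --== Reload Complete ==--
2018:06:15-12:21:33 mysophosutm snort[15925]:         --== Reload Complete ==--
2018:06:15-13:02:10 mysophosutm snort[15925]: [**] [1:2100498:7] GPL ATTACK_RESPONSE id check returned root [**] [Priority: 1] {TCP} 203.0.113.5:80 -> 192.0.2.10:51234
"""

# Prefix the UTM writes for its snort processes (format seen in the thread).
PREFIX_RE = re.compile(
    r"^(?P<ts>\d{4}:\d{2}:\d{2}-\d{2}:\d{2}:\d{2}) (?P<host>\S+) snort\[(?P<pid>\d+)\]: ?(?P<msg>.*)$"
)
FLOWBITS_RE = re.compile(
    r"WARNING: flowbits key '(?P<key>[^']+)' is (?P<state>set but not ever checked|checked but not ever set)"
)
RULE_OFF_RE = re.compile(r"DynamicPlugin: Rule \[(?P<gid>\d+):(?P<sid>\w+)\] not enabled in configuration")
# Classic Snort alert header; an assumption, UTM's own alert lines may look different.
ALERT_RE = re.compile(r"\[\*\*\] \[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] (?P<name>.+?) \[\*\*\]")


def classify(msg: str) -> str:
    """Map one snort message to a triage bucket; only 'alert' is a detection."""
    if ALERT_RE.search(msg):
        return "alert"
    if FLOWBITS_RE.search(msg):
        return "flowbits-consistency"   # rule-set lint emitted at (re)load, not traffic
    if RULE_OFF_RE.search(msg):
        return "rule-disabled"          # rule exists in the file but is not selected
    if "Reload Complete" in msg or msg.startswith("Session Reload"):
        return "reload"                 # engine swapped in a new configuration
    if "normalizations disabled because DAQ" in msg:
        return "daq-capability"         # inline normalisation unavailable in this mode
    if msg.startswith("WARNING"):
        return "other-warning"
    return "startup-info"               # banners, tables, memory summaries


def triage(lines):
    """Return per-bucket counts plus the details a reviewer wants to look at."""
    report = {
        "counts": Counter(),
        "alerts": [],                    # (timestamp, gid, sid, name)
        "flowbits": defaultdict(list),   # state -> list of key names
        "reloads_by_pid": Counter(),
        "unparsed": [],                  # lines without the expected prefix
    }
    for raw in lines:
        m = PREFIX_RE.match(raw.strip())
        if not m:
            if raw.strip():
                report["unparsed"].append(raw)
            continue
        msg = m.group("msg")
        bucket = classify(msg)
        report["counts"][bucket] += 1
        if bucket == "alert":
            a = ALERT_RE.search(msg)
            report["alerts"].append((m.group("ts"), a.group("gid"), a.group("sid"), a.group("name")))
        elif bucket == "flowbits-consistency":
            f = FLOWBITS_RE.search(msg)
            report["flowbits"][f.group("state")].append(f.group("key"))
        elif bucket == "reload" and "Reload Complete" in msg:
            report["reloads_by_pid"][m.group("pid")] += 1
    return report


def keys_mentioning(report, needle: str):
    """Flowbits keys whose name contains needle, e.g. 'backdoor': rule labels, not hits."""
    return sorted(k for keys in report["flowbits"].values() for k in keys if needle in k.lower())


def summarize(report) -> str:
    """Human-readable verdict: detections first, engine chatter after."""
    out = [f"{report['counts']['alert']} alert line(s)"]
    for ts, gid, sid, name in report["alerts"]:
        out.append(f"  {ts} [{gid}:{sid}] {name}")
    for bucket, n in sorted(report["counts"].items()):
        if bucket != "alert":
            out.append(f"{n:5d} {bucket}")
    return "\n".join(out)


if __name__ == "__main__":
    rep = triage(SAMPLE.splitlines())
    print(summarize(rep))
    print("flowbits keys mentioning 'backdoor':", keys_mentioning(rep, "backdoor"))
```

Run against a real archive, the useful signal is the ratio: a day with many reload and flowbits lines and zero alert lines means the engine restarted with a new rule set and saw nothing matching, which is the quiet state the thread describes rather than a fault.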
  • If this is a home-use situation, Alan, I'd say this is normal.  IPs assigned dynamically by Comcast, Cox, Time Warner, Verizon, etc. are unlikely to be targeted, especially if you have no DNATs that lead to internal servers.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Well actually I do have a DNAT rule set up for port forwarding that I enable only when I need it, and I have remote access SSL VPN enabled. I'm guessing these flowbits are file extensions or hostnames?

  • Just all normal lines from a chatty program.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
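
On the flowbits question raised in the replies above: a flowbit is a named per-flow flag that one rule sets (`flowbits:set,name`) and a partner rule later tests (`flowbits:isset,name`); the key names such as `file.hpj`, `soliddb` or `backdoor.NetDevil.conn.step1` are labels chosen by the rule authors. Snort's "set but not ever checked" / "checked but not ever set" warnings are a consistency check over the rules actually enabled, so they appear whenever one half of such a pair is left out of the selection. As an added example, not code from this thread, from Sophos or from the Snort project, the following Python recomputes that check over a constructed mini rule set (hypothetical rule names, local sid range) and shows how disabling a single rule produces exactly this kind of warning.

```python
import re

# Matches one flowbits option inside a rule body; 'arg' may be "a", "a|b" or "a&b".
FLOWBITS_RE = re.compile(
    r"flowbits\s*:\s*(?P<op>isnotset|isset|unset|set|toggle|noalert|reset)"
    r"(?:\s*,\s*(?P<arg>[^;]+))?\s*;"
)
SID_RE = re.compile(r"\bsid\s*:\s*(?P<sid>\d+)\s*;")
SETTERS = {"set", "toggle"}        # ops that leave a bit set on the flow
CHECKERS = {"isset", "isnotset"}   # ops that test a bit some other rule set

# Constructed mini rule set (hypothetical names, local sid range); not vendor rules.
RULES = r'''
# rules 1000001/1000002: a two-stage pair, like the file.* keys in the thread
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"EXAMPLE file.hpj header"; flow:to_client,established; content:"|00 00 FF FF|"; flowbits:set,file.hpj; flowbits:noalert; sid:1000001; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"EXAMPLE file.hpj payload"; flow:to_client,established; flowbits:isset,file.hpj; content:"bad"; sid:1000002; rev:1;)
# rule 1000003: tests a bit that nothing in this set ever sets
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"EXAMPLE soliddb follow-up"; flow:to_server,established; flowbits:isset,soliddb; content:"x"; sid:1000003; rev:1;)
# rules 1000004/1000005: a handshake pair whose key name happens to contain 'backdoor'
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"EXAMPLE handshake step1"; flow:to_server,established; content:"HELO"; flowbits:set,backdoor.example.step1; flowbits:noalert; sid:1000004; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"EXAMPLE handshake step2"; flow:to_server,established; flowbits:isset,backdoor.example.step1; content:"OK"; sid:1000005; rev:1;)
'''


def parse_rules(text):
    """Return [(sid, enabled, [(op, [keys])])]; a leading '#' disables a rule as in snort.conf."""
    rules = []
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped:
            continue
        enabled = not stripped.startswith("#")
        body = stripped.lstrip("# ")
        sid_m = SID_RE.search(body)
        if not sid_m:
            continue  # plain comment, not a rule
        ops = []
        for m in FLOWBITS_RE.finditer(body):
            arg = m.group("arg")
            keys = [k.strip() for k in re.split(r"[|&]", arg)] if arg else []
            ops.append((m.group("op"), keys))
        rules.append((int(sid_m.group("sid")), enabled, ops))
    return rules


def flowbits_audit(text, disabled_sids=frozenset()):
    """Recompute snort's load-time flowbits lint over the rules that remain enabled."""
    setters, checkers = {}, {}
    for sid, enabled, ops in parse_rules(text):
        if not enabled or sid in disabled_sids:
            continue
        for op, keys in ops:
            target = setters if op in SETTERS else checkers if op in CHECKERS else None
            if target is None:
                continue  # noalert/unset/reset neither establish nor require a partner
            for key in keys:
                target.setdefault(key, set()).add(sid)
    return {
        "set but not ever checked": sorted(set(setters) - set(checkers)),
        "checked but not ever set": sorted(set(checkers) - set(setters)),
        "in use": len(set(setters) | set(checkers)),
    }


def report(audit) -> str:
    """Print the findings in the same wording snort uses in its log."""
    lines = []
    for state in ("set but not ever checked", "checked but not ever set"):
        for key in audit[state]:
            lines.append(f"WARNING: flowbits key '{key}' is {state}.")
    lines.append(f"{audit['in use']} flowbits in use.")
    return "\n".join(lines)


if __name__ == "__main__":
    print("-- all five rules enabled --")
    print(report(flowbits_audit(RULES)))
    print("-- rule 1000005 deselected --")
    print(report(flowbits_audit(RULES, disabled_sids={1000005})))
```

With every rule enabled the only finding is `soliddb`, whose setter was never part of this set; deselecting rule 1000005 additionally orphans `backdoor.example.step1`, reproducing the "set but not ever checked" line for a key that merely carries the word backdoor in its name. On the appliance this is the expected side effect of enabling a subset of a large rule set, and the warnings say nothing about traffic that was observed.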