
Snort Exclusion not working

Hi,

I am trying to run speedtests via speedtest_cli on one of my boxes to regularly check the actually available speed my ISP provides.

Now the download speed is limited by my Sophos UTM box (9.510-4) by snort going to 100%. If I turn off IPS I get 400 MBit down as expected, with IPS on I am limited to 120MBit.

So since I have absolutely no idea which rule the speedtest triggers (and no idea how to identify it) I wanted to go the easy way and added an exclusion rule for my box (both ways):

Unfortunately despite this my speed is still limited by snort which I can easily verify by turning off IPS again.

Any idea why this would not work? Or an idea how to debug the IPS to find why it won't work? Or how to debug to find the rule that triggers on speedtest so I can turn that off?

Many thanks,

regards,

Thomas



  • Hi Thomas,

    When reviewing the IPS logs, what do you see, and what is shown in the daily reports? When looking at the Dashboard, do you see indications of high packet counts in the IPS?

    Ian

    XG115W - v20 GA - Home

    XG on VM 8 - v20 GA

    If a post solves your question please use the 'Verify Answer' button.

  • Hi Ian,

    There is nothing in the log except normal snort reload messages. I have not found how to turn on debugging for IPS yet, maybe that would give an indication.

    Not sure where I'd see connections on the dashboard, but the daily report is as follows:

    After the next run:

    That did not change, which kind of implies that the host is excluded after all, but it's not (or only partially). O/C it could also mean that it's not using data up until the moment the report is triggered but to an earlier time (midnight?), not sure about that.

    Any other ideas?

    Thanks,

    regards,

    Thomas

  • Your Exception is incorrect. 

    Check out the Online Help:

    Note – If you want to make an intrusion prevention exception for packets with the destination address of the gateway, selecting Any in the Destinations box will not succeed. You must instead select a definition that contains the gateway's IP address, for example the Internal (Address) or the external WAN address.

    Note – If you use a Sophos UTM proxy, an intrusion prevention exception has to reflect this: A proxy replaces the original source address of a packet with its own address. Thus, to except intrusion prevention for proxied packets, you need to add the appropriate interface address definition of Sophos UTM to the source Networks box.

    Basically you are using ANY because it is Server to Any or Any to Server. 


  • Hi,

    Thanks but I don't understand why this would be applicable to my situation. The box I am excepting is not the gateway, it's just a box in the network which is identified by hostname or ip.

    Could you elaborate? 

    Thanks

    Regards Thomas

  • Do you use the Proxy in UTM ? 


  • Transparent, so I didn't think it would be applicable?

    Or is it?

  • Hallo Thomas,

    See #2 in Rulz and also the images at the bottom of the list.  MBP's thinking of that.  Since you're using the Proxy, IPS is applied before the inbound packet has the IP of your client on it.  Try also adding your client to the Transparent Mode Skiplist.

    Cheers - Bob

    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Hi Bob,

    ok, not sure I see the relationship with using the proxy.

    From #2 I see that IPS is executed early in the traffic flow, so why is that dependent on the proxy?

    And deriving from that, it sounds like I would need to move the traffic of the proxy (by a proxy exception I assume), but as I see manual firewall rules are also executed after IPS, so not sure what that will help.

    And basically that makes me wonder how to correctly use the exception tab of IPS in conjunction with Proxy or manual FW rules ...

    Sorry, not too deep into firewalls, so trying to wrap my head around it.

    Thanks,

    regards,

    Thomas

    Edit - rereading MBP's answer

    Note – If you use a Sophos UTM proxy, an intrusion prevention exception has to reflect this: A proxy replaces the original source address of a packet with its own address. Thus, to except intrusion prevention for proxied packets, you need to add the appropriate interface address definition of Sophos UTM to the source Networks box.

    Does that mean I'd need to add my (internal) GW IP to the exclusion list for this to work? That would exclude all proxied traffic from IPS then I assume?

  • I see manual firewall rules are also executed after IPS, so not sure what that will help.

    Both the diagrams and #2.4 make it clear that IPS is done at different times.  If the Proxy has sent the request, the response comes back to the public IP of the UTM, so your Exception doesn't apply.  If the packet is immediately sent back to the client by the connection tracker, it has the client's private IP on it when considered for the Intrusion Prevention Exception.  If you want to use the Proxy, then the Exception must be for traffic coming from the IP of the speed test website.

    You also can run a speed test at the command line:

    cd /home
    # Fetch the speedtest-cli script onto the UTM (wget's certificate check is skipped here)
    wget https://raw.githubusercontent.com/sivel/speedtest-cli/master/speedtest.py --no-check-certificate
    # Disable IPS through the UTM's confd client, give snort a moment to stop, then measure
    cc set ips status 0
    sleep 15s
    python speedtest.py
    # Re-enable IPS, wait for snort to reload its rules, and measure again for comparison
    cc set ips status 1
    sleep 30s
    python speedtest.py

    Cheers - Bob

    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
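
The following is an added illustration of Bob's explanation and the two Online Help notes quoted earlier; it is not code from the thread or from Sophos. It models how an IPS exception row is matched against the inbound speed-test reply in the two cases Bob describes (reply returned to the client's private IP by connection tracking, versus reply addressed to the UTM's WAN IP because the web proxy made the request) and applies the Online Help rule that "Any" in Destinations does not cover the gateway's own address. All addresses, the `IpsException` class, the helper functions and the assumed exception rows are constructed for the example.

```python
import ipaddress

# Constructed addresses (RFC 1918 / RFC 5737 documentation ranges); none are taken from the thread.
CLIENT = ipaddress.ip_network("192.168.1.50/32")       # Thomas's box behind the UTM
UTM_INTERNAL = ipaddress.ip_network("192.168.1.1/32")  # UTM internal interface (the client's gateway)
UTM_WAN = ipaddress.ip_network("203.0.113.10/32")      # UTM external (WAN) interface
SPEEDTEST = ipaddress.ip_network("198.51.100.20/32")   # speed-test server on the Internet
ANY = ipaddress.ip_network("0.0.0.0/0")                # the "Any" network definition
GATEWAY_ADDRESSES = (UTM_INTERNAL, UTM_WAN)


def source_matches(src, definitions):
    """True if the packet's source address lies inside one of the source definitions."""
    return any(src in net for net in definitions)


def destination_matches(dst, definitions):
    """True if the destination lies inside one of the definitions, honouring the Online Help
    note that "Any" in Destinations does not cover packets addressed to the gateway itself."""
    for net in definitions:
        if net == ANY and any(dst in gw for gw in GATEWAY_ADDRESSES):
            continue  # "Any" is skipped for the UTM's own addresses; an explicit definition is needed
        if dst in net:
            return True
    return False


class IpsException:
    """One (assumed) row of the IPS exceptions tab: source definitions and destination definitions."""

    def __init__(self, sources, destinations):
        self.sources = sources
        self.destinations = destinations

    def matches(self, src, dst):
        return source_matches(src, self.sources) and destination_matches(dst, self.destinations)


def download_packet(proxied):
    """(src, dst) of the inbound speed-test reply at the moment IPS evaluates exceptions.

    proxied=True:  the UTM web proxy fetched the data itself, so the reply is addressed to the
                   UTM's WAN IP and the client's private address is nowhere on the packet.
    proxied=False: connection tracking has already mapped the reply back to the client's
                   private IP (Bob's second case).
    """
    server = SPEEDTEST.network_address
    return (server, UTM_WAN.network_address) if proxied else (server, CLIENT.network_address)


def is_excluded(exceptions, proxied):
    """True if at least one exception row matches the download reply in the given mode."""
    src, dst = download_packet(proxied)
    return any(rule.matches(src, dst) for rule in exceptions)


# Thomas's exception as described: his box <-> Any, in both directions.
CLIENT_BOTH_WAYS = [IpsException([CLIENT], [ANY]), IpsException([ANY], [CLIENT])]
# Bob's fix for the proxied case: traffic *from* the speed-test server, to the UTM's WAN address.
FROM_SPEEDTEST_TO_WAN = CLIENT_BOTH_WAYS + [IpsException([SPEEDTEST], [UTM_WAN])]
# Same source, but "Any" as destination, which the Online Help says will not match the gateway.
FROM_SPEEDTEST_TO_ANY = CLIENT_BOTH_WAYS + [IpsException([SPEEDTEST], [ANY])]

if __name__ == "__main__":
    for name, rules in [("client both ways", CLIENT_BOTH_WAYS),
                        ("from speedtest -> Any", FROM_SPEEDTEST_TO_ANY),
                        ("from speedtest -> UTM WAN", FROM_SPEEDTEST_TO_WAN)]:
        print(f"{name:27s} direct: {is_excluded(rules, False)!s:5s} proxied: {is_excluded(rules, True)}")
```

Run as a script it prints one line per rule set; only the row that names the speed-test server as source and the UTM's WAN address as destination exempts the proxied download, which is why the client-based exception looked ignored while IPS was still limiting the transfer.
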
  • Hi Bob,

    ok, slowly I begin to understand ;)

    So, for personal documentation:

    IPS protects the box (or rather protected internal networks) from traffic from 'other' networks like public ones

    To and from are from an outside point of view - From is a source in a public network and 'to' has to be a public IP (like a public reachable webserver in the local network)

    So I can

    1. run the test on the box itself ... potentially via certificate based login and ssh exec. Possible, not really an elegant solution

    2. Try to identify the top5 speedtest servers in my vicinity and add them to the exclusion rule (from:). Probably a Group of DNS Hosts/Groups will do the trick

    3. Add the public IP to the exclusion rule (from:) basically allowing all (-> so i could turn it off).

    Any other option?

    Thanks a mil,

    regards,

    Thomas