This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

IPS Exception not working

Hi,

I have problems with IPS in UTM, the UTM handles IPSEC traffic with VEEAM backup and Replication, and triggers this:

2019:09:10-02:55:51 mail-2 snort[13000]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="drop" reason="MALWARE-OTHER Ransomware SamSam variant detected" group="500" srcip="192.168.11.20" dstip="192.168.10.31" proto="6" srcport="902" dstport="53906" sid="48814" class="A Network Trojan was Detected" priority="1" generator="1" msgid="0"
2019:09:10-02:58:23 mail-2 snort[13000]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="drop" reason="MALWARE-OTHER Ransomware SamSam variant detected" group="500" srcip="192.168.11.20" dstip="192.168.10.31" proto="6" srcport="902" dstport="53946" sid="48814" class="A Network Trojan was Detected" priority="1" generator="1" msgid="0"
 
192.168.11.20 is a VMWARE ESXi server
192.168.10.31 is a Veeam Server (Windows)
 
I have added this exception in the affected UTM:
 
But nothing helps :-(
 


This thread was automatically locked due to age.
Parents Reply Children
  • Hi Karl-heinz,

     

    Thanks for pointing out ;-)

    Only thing is, that if another host/server behind the UTM, get's the SAMSAM attack, then it would just ignore it, therefore I hoped for the host exception to work, but there is a problem with UTM in that matter I see.

    Tried to change from IPSEC to RED Site-2-site, just for fun, but of course, the issue remains :-)

    -----

    Best regards
    Martin

    Sophos XGS 2100 @ Home | Sophos v20 Architect