IPS Exception not working

Hi,

I have problems with IPS in UTM, the UTM handles IPSEC traffic with VEEAM backup and Replication, and triggers this:

2019:09:10-02:55:51 mail-2 snort[13000]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="drop" reason="MALWARE-OTHER Ransomware SamSam variant detected" group="500" srcip="192.168.11.20" dstip="192.168.10.31" proto="6" srcport="902" dstport="53906" sid="48814" class="A Network Trojan was Detected" priority="1" generator="1" msgid="0"
2019:09:10-02:58:23 mail-2 snort[13000]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="drop" reason="MALWARE-OTHER Ransomware SamSam variant detected" group="500" srcip="192.168.11.20" dstip="192.168.10.31" proto="6" srcport="902" dstport="53946" sid="48814" class="A Network Trojan was Detected" priority="1" generator="1" msgid="0"
 
192.168.11.20 is a VMware ESXi server
192.168.10.31 is a Veeam server (Windows)

I have added this exception in the affected UTM:

But nothing helps :-(

  • What happens if you create a second exception list for the other subnet (to destination)?

  • In reply to ThorstenSult:

    ThorstenSult

    What happens if you create a second exception list for the other subnet (to destination)?

    Already tried that, still no cheddar :-O

    Thanks for writing ;)
  • Hi Martin,

    If this is a specific rule that is always triggered (48814 given this log), you could try to modify this rule to either disable it or change it to alert in the advanced tab.

    Regards,

    Karl-Heinz

  • In reply to Karl-Heinz van Hardeveld:

    Hi Karl-Heinz,

    Thanks for pointing that out ;-)

    The only thing is that if another host/server behind the UTM gets the SamSam attack, then the UTM would just ignore it; therefore I hoped for the host exception to work, but I see there is a problem with UTM in that matter.

    I tried changing from IPsec to a RED site-to-site tunnel, just for fun, but of course the issue remains :-)

  • Hi

    I assume the network definition is not bound to any interface. With that in mind, would you please try changing the condition from AND to OR and see if that helps? (I know it sounds funny).

  • In reply to Jaydeep:

    Hi

    Just tried it, but still an issue. This one helps, but it will drop the IDs permanently for all networks...

    Not working:

  • In reply to twister5800:

    Hello Martin,

    Just a silly thought... does Veeam backup keep connections open all the time, or does it start new connections every time? IPS exceptions are applied to new connections, not existing ones.

    If not sure, I think you can force it by disabling one of the interfaces, then re-enabling it.

    Regards,

    Karl-Heinz
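As an added example (not code from the thread or from Sophos UTM), this Python script parses the key="value" IPS log lines quoted in the original post and reports which drops a source/destination network exception would still leave uncovered under the AND versus OR condition Jaydeep mentions. The exception semantics modelled here, the host 192.168.12.5 and the third log line are assumptions constructed for the demonstration, not verified UTM behaviour.

```python
import ipaddress
import re

# Constructed sample: the two UTM IPS drop lines quoted in the thread, plus a third,
# invented line from a hypothetical other host (192.168.12.5) hit by the same sid.
SAMPLE_LOG = """\
2019:09:10-02:55:51 mail-2 snort[13000]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="drop" reason="MALWARE-OTHER Ransomware SamSam variant detected" group="500" srcip="192.168.11.20" dstip="192.168.10.31" proto="6" srcport="902" dstport="53906" sid="48814" class="A Network Trojan was Detected" priority="1" generator="1" msgid="0"
2019:09:10-02:58:23 mail-2 snort[13000]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="drop" reason="MALWARE-OTHER Ransomware SamSam variant detected" group="500" srcip="192.168.11.20" dstip="192.168.10.31" proto="6" srcport="902" dstport="53946" sid="48814" class="A Network Trojan was Detected" priority="1" generator="1" msgid="0"
2019:09:10-03:01:07 mail-2 snort[13000]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="drop" reason="MALWARE-OTHER Ransomware SamSam variant detected" group="500" srcip="192.168.12.5" dstip="192.168.10.31" proto="6" srcport="902" dstport="54010" sid="48814" class="A Network Trojan was Detected" priority="1" generator="1" msgid="0"
"""

KV_RE = re.compile(r'(\w+)="([^"]*)"')


def parse_ips_line(line):
    """Split one UTM IPS log line into its key="value" fields (IPs as objects)."""
    fields = dict(KV_RE.findall(line))
    fields["srcip"] = ipaddress.ip_address(fields["srcip"])
    fields["dstip"] = ipaddress.ip_address(fields["dstip"])
    return fields


def nets(*cidrs):
    """Helper: build the network list for one side of an exception."""
    return [ipaddress.ip_network(c) for c in cidrs]


def _side_ok(ip, side_nets):
    # None models a side that is not enabled in the exception, i.e. no constraint.
    return True if side_nets is None else any(ip in n for n in side_nets)


def exception_matches(alert, src_nets, dst_nets, mode="AND"):
    """Assumed semantics: AND needs both source and destination inside the listed
    networks, OR is satisfied by either side. Not verified against UTM itself."""
    src_ok = _side_ok(alert["srcip"], src_nets)
    dst_ok = _side_ok(alert["dstip"], dst_nets)
    return (src_ok and dst_ok) if mode == "AND" else (src_ok or dst_ok)


def uncovered_drops(log_text, src_nets, dst_nets, mode="AND"):
    """Return (sid, srcip, dstip) for dropped alerts the exception would not skip."""
    out = []
    for line in log_text.splitlines():
        if 'sub="ips"' not in line:
            continue  # skip non-IPS lines in a mixed log
        a = parse_ips_line(line)
        if a["action"] == "drop" and not exception_matches(a, src_nets, dst_nets, mode):
            out.append((a["sid"], str(a["srcip"]), str(a["dstip"])))
    return out
```

With a host-pair exception (192.168.11.20/32 to 192.168.10.31/32, AND) only the ESXi-to-Veeam flow is skipped and the constructed third host still shows up as uncovered, which is the behaviour Martin wanted to preserve rather than disabling sid 48814 outright.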