IPS triggering on UTM VM backup

Hi folks,

A quick one: I'm trying to back up a UTM VM over IPsec. It works fine, although I've had to modify two IPS signatures, 48812 & 48814 (which I've set to alert only).

Based on the IPS notification, I would appreciate it if anyone could give me a hint on how to make a correct exclusion for that backup traffic, effectively excluding it from all IPS scanning. I suspect the local snort DB itself is transiting on the wire and triggering a false positive in the IPS.

I've tried to make a service entry with source port 902 / dst port 1:65535 and excluding IPS on that service, but this fails.

Thanks for any inputs.

=====================================================

Message........: MALWARE-OTHER Ransomware SamSam variant detected
Details........: www.snort.org/search
Time...........: 2020-05-23 06:08:31
Packet dropped.: no
Priority.......: high
Classification.: A Network Trojan was Detected
IP protocol....: 6 (TCP)
Source IP address: 1.2.3.4 (fatburgers.wh.gov)
Source port: 902 (ideafarm-chat)
Destination IP address: 4.3.2.1
Destination port: 26135

=====================================================

  • Hi Mokaz,

    Please show us a representative line from the Intrusion Prevention log. If you prefer, obfuscate IPs like 84.XX.YY.121, 10.X.Y.100, 192.168.X.200 and 172.2X.Y.51. That lets us see immediately which IPs are local and which are identical or just in the same subnet.

    Cheers - Bob

  • Out of curiosity, what backup technology (or product) is used for that? And in addition to the request from Bob, maybe show a screenshot of your IPS exclusion.

    Best regards

    Alex