Reset outside window - false alarm?

I'm getting thousands of these a day, most times (99.99%) with internal sources, sometimes with an external source.
Firmware is 17.1.3 MR3

  • In reply to FloSupport:

    I am getting a million a day on every customer at 17.5.3 MR3, and the command in 133096 is not present in the console.

     

    Regards

  • In reply to Eren Ertas:

    Hi  

    Apologies for this inconvenience.

    Note that you can still input the command without having to tab auto-complete it: "set ips tcp_option detect_anomalies disable"

    Please PM me if you continue to experience issues regarding these alerts.

  • In reply to FloSupport:

    Let me check and watch a while

     

    Regards

  • Hello 

    I'm working around the same problems 

    2019-03-01 15:36:17 | Signatures | Drop |  | 192.168.0.91 | 172.16.0.7 | 45069 | SERVER-SAMBA Samba write andx command memory leak attempt | server-samba | Windows | Server | 8 | 07002 | IPS
    2019-03-01 15:34:05 | Signatures | Drop |  | 192.168.0.91 | 172.16.0.7 | 45069 | SERVER-SAMBA Samba write andx command memory leak attempt | server-samba | Windows | Server | 8 | 07002 | IPS
    2019-03-01 15:29:29 | Signatures | Drop |  | 192.168.131.253 | 172.16.0.7 | 45069 | SERVER-SAMBA Samba write andx command memory leak attempt | server-samba | Windows | Server | 8 | 07002 | IPS
    2019-03-01 15:24:16 | Signatures | Drop |  | 192.168.131.253 | 172.16.0.7 | 45069 | SERVER-SAMBA Samba write andx command memory leak attempt | server-samba | Windows

    No IPS on this firewall rule (8)


    console> show ips_conf
    config stream 1
    config maxsesbytes 0
    config stdsig 1
    config qnum 10
    config maxpkts 8
    config disable_tcpopt_experimental_drops 0
    config mmap 0
    config enable_appsignatures 1
    config mmapfilepath 1
    config failclose off
    config memmode 1
    var SEARCH_METHOD hyperscan
    var SIP_STATUS enabled
    var IGNORE_CALL_CHANNEL enabled
    var TCP_POLICY windows
    var LOCAL_RULE local.rules
    config cpulist 0:1
    var TCP_BLOCK nblock
    var DETECT_ANOMALIES no

     

    Errors when sharing files

     

    With the IPS service stopped, the file share works fine

     

    Firmware Version (SFOS 17.5.1 MR-1)

     

  • In reply to Eren Ertas:

    It seems it's not resolved

  • In reply to Eren Ertas:

    Hey  

    Would it be possible to please enable the support access tunnel on your appliance and PM me with the ID? I'd like to take a closer look at your reports.

    Thanks!

  • In reply to rdebraga:

    Hi  

    Your issue looks to be a different one, as the IPS signature being triggered is listed:

    I would also request for you to enable the support access tunnel on your appliance and PM me with the ID for a closer look.

    Thanks!

  • In reply to Eren Ertas:

    Any update?

    I have the same issue on V17.5.3 MR-3.

  • New user here, and I am seeing the same issue with speedtest.net. When I test with the IPS off, my speedtest is 900 mb/s; when I turn the IPS on, it drops to 240 mb/s. Also, I did do the disable command, running the latest version.

  • In reply to ShunzeLee:

    Hey  

    Have you tried to troubleshoot by disabling this setting?

    • Console> set ips tcp_option detect_anomalies disable

    Full context here.

  • In reply to FloSupport:

    Thanks, it works after inputting the command.

    Sophos didn't fix the bug on V17.5.3 MR-3...

  • In reply to FloSupport:

    I'm getting thousands upon thousands of these errors in my Sophos XG135 rev.3, it's showing nearly 50k just yesterday for an office of 7 people. I'm running 17.5.3 MR3. I can run the command on my console to disable the anomaly detection. But by doing so, am I disabling the ability to detect or use any IPS functionality?

  • In reply to Brad Hall:

    Hey  

    Copy and paste from here:

    This specific IPS signature has been disabled by default, starting with SFOS v17.1.4 MR-4 due to customers experiencing excessive false-positives.

    These IPS signatures are triggered by TCP anomalies (includes RST packets received outside of window). This was causing some customers to experience valid RST packets being false-positively dropped.

    Customers still experiencing excessive false-positives should raise a support case for further investigation. However, this setting can also be disabled via the console command (set ips tcp_option detect_anomalies disable) to allow the TCP anomaly decision to be made by the host client OS instead if desired.

    Regards,
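
The "RST received outside of window" test mentioned in the reply above, as an added example that is not part of the thread and not Sophos code: it applies the generic TCP rules (RFC 793 window check, RFC 5961 RST handling) to constructed sequence numbers. The lagging monitor state is an assumed scenario showing one general way an inline device and the host can reach different verdicts, not a diagnosis of the SFOS behaviour.

```python
MOD = 1 << 32  # TCP sequence numbers are 32-bit and wrap around


def in_window(seq, rcv_nxt, rcv_wnd):
    """RFC 793 acceptability test for a zero-length segment such as an RST."""
    if rcv_wnd == 0:
        return seq == rcv_nxt
    return (seq - rcv_nxt) % MOD < rcv_wnd


def classify_rst(seq, rcv_nxt, rcv_wnd):
    """What an RFC 5961 receiver does with an RST carrying sequence number seq."""
    if not in_window(seq, rcv_nxt, rcv_wnd):
        return "discard"        # the "reset outside window" case
    if seq == rcv_nxt:
        return "reset"          # exact match: connection is torn down
    return "challenge-ack"      # in window but not exact: ask the peer to confirm


def compare_views(rst_seqs, host, monitor):
    """Classify each RST under the host's state and under a monitor's tracked state."""
    return [(s, classify_rst(s, *host), classify_rst(s, *monitor)) for s in rst_seqs]


# Constructed state (rcv_nxt, rcv_wnd). The monitor's rcv_nxt lags by 70000 bytes,
# an assumed scenario where it did not see part of the stream.
HOST = (4_294_967_000, 65_536)
MONITOR = (4_294_897_000, 65_536)
SAMPLE_RSTS = [4_294_967_000, 200, 1_000_000]  # constructed; 200 is past the wrap

if __name__ == "__main__":
    for seq, host_verdict, monitor_verdict in compare_views(SAMPLE_RSTS, HOST, MONITOR):
        flag = "" if host_verdict == monitor_verdict else "  <-- views disagree"
        print(f"seq={seq:>10}  host={host_verdict:<13} monitor={monitor_verdict}{flag}")
```

With this sample, the first RST is an exact match for the host but falls outside the lagging monitor's window, which is the kind of valid RST a device dropping on this anomaly would discard.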

  • In reply to FloSupport:

    Sorry for the late response.

    Did the Console Command: set ips tcp_option detect_anomalies disable

    Response: Already Configured

    Since I was in the device. Updated firmware, Current Firmware: (SFOS 17.5.3 MR-3) 

    I will monitor the errors and report back (sooner this time).

     

  • In reply to FloSupport:

     I ran the command listed. Viewed my Firewall this morning and I now have 0 "attacks/errors" showing. It appears this took care of the issue over the weekend. I'll monitor and report back if I see any further items regarding this issue.