Reset outside window - false alarm?

I'm getting thousands of these a day, most times (99.99%) with internal sources, sometimes with an external source.
Firmware is 17.1.3 MR3

  • I have two XG applainces, one 310 and 105w. On the XG310 17.5.0 GA and on XG105w 17.5.3 MR-3. On both devices I have "Data sent on stream after TCP Reset received"
    Then on 105w I have done "set ips tcp_option detect_anomalies disable" and there is no more that kind of network intrusions in the last two hours. I will be watching and when it is ok I will try to implement this on bigger XG.

  • In reply to FloSupport:

    I am getting these as well, I did follow the KB, what confusing me is I am on XG105w 17.5.3 MR-3.  So I would think Sophos would have fixed this by now without me having to use the KB.  Since they still have the KB in place and are not sending the fix out with the latest release I am assuming that this is not completely fixed and the KB is a workaround until Sophos can figure out why there are so many false postives?  

     

    What I am looking for here is why was it enabled in the first place and what threats am I exposing the network too if I disable it?

  • In reply to Badrobot:

    Hey  

    The fix to this issue was the setting being disabled by default starting with SFOS v17.1.4 MR-4, so I apologize as it seems this did not occur for you.

    As I mentioned previously:

    • This specific IPS signature has been disabled by default, starting with SFOS v17.1.4 MR-4 due to customers experiencing excessive false-positives.

      These IPS signatures are triggered by TCP anomalies (includes RST packets received outside of window). This was causing some customers to experience valid RST packets being false-positively dropped.

      Customers still experiencing excessive false-positives should raise a support case for further investigation. However, this setting can also be disabled via the console command (set ips tcp_option detect_anomalies disable) to allow the TCP anomaly decision to be made by the host client OS instead if desired.

    Please continue to monitor and let me know if you run into any further issues.

    Regards,

  • In reply to FloSupport:

    It is not true that TCP anomalies is disabled starting with SFOS v17.1.4 MR-4, at least on my Sophos Home machine.

    I fresh installed it using 17.5.6 MR-5 ISO without loading any previous backup. It is automatically updated to MR6 when I active the license.

    Login to console and found that "var DETECT_ANOMALIES" is set to "yes"

    console> show ips_conf
    config stream 1
    config maxsesbytes 0
    config stdsig 1
    config qnum 10
    config maxpkts 8
    config disable_tcpopt_experimental_drops 0
    config enable_appsignatures 1
    var SEARCH_METHOD ac-q
    var SIP_STATUS enabled
    var IGNORE_CALL_CHANNEL enabled
    var TCP_POLICY windows
    var LOCAL_RULE local.rules
    var DETECT_ANOMALIES yes
    var TCP_BLOCK block
    config failclose off
    config cpulist 0:1

    Run suggested command to disable anomalies detection:

    console> set ips tcp_option detect_anomalies disable

     

    Check the ips_conf again var DETECT_ANOMALIES" is set to "no"


    console> show ips_conf
    config stream 1
    config maxsesbytes 0
    config stdsig 1
    config qnum 10
    config maxpkts 8
    config disable_tcpopt_experimental_drops 0
    config enable_appsignatures 1
    var SEARCH_METHOD ac-q
    var SIP_STATUS enabled
    var IGNORE_CALL_CHANNEL enabled
    var TCP_POLICY windows
    var LOCAL_RULE local.rules
    var TCP_BLOCK nblock
    config failclose off
    config cpulist 0:1
    var DETECT_ANOMALIES no

  • In reply to FloSupport:

    The bug still didn't fix in V17.5.6 MR-6.
    User need to fix it with the console command...

  • Hello Everyone,

    We have an update. TCP anomalies detection will be disabled by default starting from v17.5 MR-8. Please check the updated article: Sophos XG Firewall: ​IPS causing drops to legitimate traffic and filling the IPS log

  • In reply to Jaydeep:

    Poor efficiency...

  • In reply to Jaydeep:

    Hi,

     

    does disabling TCP anomalies detection also lower the detection rate of the IPS system?

  • In reply to Dwayne Parker:

    Hi Guys,

    Yesterday I installed XG310 (SFOS 17.5.3 MR-3) at client site.

    It is in bridge mode after MKtik router doing NAT+Routing+VPN+basic FW.

    Still there are a TON of false IPS positives. TCP related, IMAP related, Print spooler related(just some broadcasts), DNS related(replies from 8.8.8.8).

    So this is redicilous. 

    Disabling is just temp solution? Even in upgrade does it stop/lower efficiency of IPS?

     

    Have a nice day! Greetings!

  • In reply to Dwayne Parker:

    Hi,

     

    does anybody know if this is lowering the detectionrate of the IPS?

  • In reply to Dwayne Parker:

    I just want to ask again, if somebody knows if disabling "Anomaly Detection" lowers the detection/protection rate of the IPS system.

    Is this issue solved in v18 EAP, so that Anomaly Detection is working again?

  • In reply to Kaloian Kirchev:

    Hi  

    This issue is resolved in SFOS v17.5.8 MR-8. By default the setting will be enabled, as it was causing too many false positive detections.

  • In reply to FloSupport:

    Hi  

    Thanks for the reply. BUT could you please answer the questions above.

    Is disabling IPS anomalies LOWERs the protection and effectiveness?

     

    Thanks!

    Have a nice day!

  • In reply to Kaloian Kirchev:

    Hi  

    Yes, disabling any IPS setting/signature affects protection somewhat.

    This particular IPS setting detects and drops "anomalous" TCP traffic (missing TCP timestamps, etc.) This setting was causing excessive false-positives & issues for some customers, therefore the option to disable it was provided.

    Copy and paste of the information I provided previously:

    • These IPS signatures are triggered by TCP anomalies (includes RST packets received outside of window). This was causing some customers to experience valid RST packets being false-positively dropped.
    • Customers still experiencing excessive false-positives should raise a support case for further investigation. However, this setting can also be disabled via the console command (set ips tcp_option detect_anomalies disable) to allow the TCP anomaly decision to be made by the host client OS instead if desired.

    Regards,