Test if IPS is working

Does this generate an alert in your sophos for a LAN-WAN Preset IPS policy?

http://www.testmyids.com/

Is there any other way to test if it's working? In my case it is not generating any alert and it should.

I have everything properly configured; it is not the first time I have dealt with an IPS (Suricata/Snort) or Sophos XG.

  • I am not familiar with this page. How does it actually test your IPS? 

  • Hi,

    those sort of alerts appear to have been broken since MR-4. 

    Ian

  • In reply to LuCar Toni:

    It's like an EICAR test for an AV but for an IPS/IDS
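
The analogy above is the whole mechanism: the test page serves content that a stock IPS signature matches, so a fetch either gets cut off (block mode) or loads and leaves an alert behind (detect mode). The following is an added example, not code from the thread or from Sophos. It assumes that testmyids.com returns the classic `uid=0(root) gid=0(root) ...` output of an `id` command run as root, which is the content the GPL ATTACK_RESPONSE "id check returned root" rule matches, and that the sensor writes Suricata EVE JSON (the original poster mentions Suricata/Snort). The response body, the EVE lines and the IP addresses are constructed samples.

```python
"""Added example (not from the thread): what the testmyids.com check exercises and how to
confirm the alert on the sensor side.

Assumption: the test page serves a body containing ``uid=0(root) gid=0(root) ...``, the
output of an ``id`` command run as root, which the GPL ATTACK_RESPONSE "id check returned
root" rule matches regardless of direction. Fetching it through an inline IPS is therefore
a harmless way to see whether the IPS inspects the flow at all: in block mode the
connection dies, in detect mode the page loads but an alert must appear.
"""
import json
import re
from typing import List, Optional

# Content match of the GPL ATTACK_RESPONSE rule: the literal "uid=0(root)".
ID_CHECK_ROOT = re.compile(rb"uid=0\(root\)")

# Constructed sample of what the test page returns (assumption, see module docstring).
SAMPLE_BODY = b"uid=0(root) gid=0(root) groups=0(root)\n"

# Constructed Suricata EVE JSON lines: one flow record, the expected alert, one unrelated
# alert. Addresses are from documentation ranges; the id-check sid (2100498) is the one the
# ET GPL ruleset uses for this rule, the other sid is a made-up local-range placeholder.
SAMPLE_EVE = """\
{"timestamp":"2021-03-01T10:00:00.000000+0000","event_type":"flow","src_ip":"192.0.2.10","dest_ip":"198.51.100.5","proto":"TCP"}
{"timestamp":"2021-03-01T10:00:01.000000+0000","event_type":"alert","src_ip":"198.51.100.5","src_port":80,"dest_ip":"192.0.2.10","dest_port":51234,"proto":"TCP","alert":{"action":"allowed","gid":1,"signature_id":2100498,"rev":7,"signature":"GPL ATTACK_RESPONSE id check returned root","category":"Potentially Bad Traffic","severity":2}}
{"timestamp":"2021-03-01T10:00:02.000000+0000","event_type":"alert","src_ip":"192.0.2.10","src_port":51235,"dest_ip":"198.51.100.5","dest_port":80,"proto":"TCP","alert":{"action":"allowed","gid":1,"signature_id":9000001,"rev":1,"signature":"LOCAL constructed example rule","category":"Not Suspicious Traffic","severity":3}}
"""


def matches_id_check(body: bytes) -> bool:
    """True when a response body carries the content the id-check signature fires on."""
    return ID_CHECK_ROOT.search(body) is not None


def classify_fetch(status: Optional[int], body: Optional[bytes]) -> str:
    """Interpret what the client saw when fetching the test page through the IPS.

    status is None when the connection failed (reset or dropped), which is the
    symptom of an inline IPS in block mode.
    """
    if status is None:
        return "blocked"          # something killed the connection before a response
    if status == 200 and body is not None and matches_id_check(body):
        return "not-blocked"      # trigger content reached the client; an alert must exist
    return "inconclusive"         # page changed, captive portal, proxy error, ...


def find_id_check_alerts(eve_lines) -> List[dict]:
    """Return the EVE alert records produced by the 'id check returned root' rule."""
    hits = []
    for line in eve_lines:
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        if rec.get("event_type") != "alert":
            continue                                  # flows, http, dns, ... are not alerts
        signature = rec.get("alert", {}).get("signature", "")
        if "id check returned root" in signature:
            hits.append(rec)
    return hits


def ips_verdict(fetch_class: str, alerts: List[dict]) -> str:
    """Combine the client-side observation with the sensor-side log into one verdict."""
    if alerts:
        return "alerted"                 # the IPS saw and matched the traffic
    if fetch_class == "blocked":
        return "blocked-without-alert"   # dropped, but no record of why; check logging
    if fetch_class == "not-blocked":
        return "no-detection"            # content passed and nothing was logged: IPS not inspecting
    return "inconclusive"


if __name__ == "__main__":
    # Offline walk-through on the constructed data; a real run would replace SAMPLE_BODY
    # with the fetched body and SAMPLE_EVE with the sensor's eve.json.
    fetch = classify_fetch(200, SAMPLE_BODY)
    alerts = find_id_check_alerts(SAMPLE_EVE.splitlines())
    print(fetch, len(alerts), ips_verdict(fetch, alerts))
    print(ips_verdict(classify_fetch(200, SAMPLE_BODY), []))
```

The last verdict, `no-detection`, is the situation the original poster describes: the page loads and the policy logs nothing, which points at the IPS not inspecting that flow rather than at the test being wrong.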

  • In reply to rfcat_vk:

    I wonder how many things are still broken and need to be fixed.

    The firewall side of XG is quite limited in features and options available to configure vs the competition and the security aspect is a mess, it looks like a poor implementation of the snort engine.

    I already moved to Pi-hole as DNS forwarder since the one in Sophos is so limited, and probably I will end up doing something similar with the IDS/IPS and will move to SELKS (Suricata+ELK) https://www.stamus-networks.com/open-source/ or a plain Suricata with EveBox.

    NGFW lol, maybe in v19

  • In reply to l0rdraiden:

    Hello l0rd,

    Could you list out what you mean by the XG being "limited in features and options available to configure" and how the "security aspect is a mess, it looks like a poor implementation of the snort engine"?

    It helps to have structured information regarding these kinds of things, because if it is something that needs to be actioned it needs to be looked into as soon as possible.

    Emile

  • In reply to EmileBelcourt:

    Have you ever used a Fortigate or a Palo Alto? Even the firewall part of pfSense is stronger, where to start...

    For example, this simple rule can't be configured: all the traffic from any IP in the LAN where the destination port is 53, forward it to this internal IP.

    For example, it doesn't support DNSSEC, DoT or DoH.

    Notifications (not the ultra basic thing we have now).

    I can't load blacklists of DNSBL or IPs.

    The Sophos Ideas forum is full of basic things not implemented.

    ...

  • In reply to l0rdraiden:

    Hello Raiden,

    I see some of your points and I have used a Palo Alto/Fortigate, well mainly to displace them.

    If you're willing to delve further into why you think the XG is a security risk/lacklustre security appliance it would help Sophos with what they're doing.

    Emile

  • In reply to EmileBelcourt:

    I have already posted most of my requests in Sophos Ideas years ago, but from an infosec engineer's perspective I miss here:

    • The ability to add other threat intelligence sources to be processed (IPs, domains) to be blocked by Sophos. Look at MineMeld from Palo Alto.
    • The ability to configure advanced options of Snort and more flexibility to add custom rules or other rule sources.
    • The ability to work as a DNS resolver and access to the configuration options from the interface.
    • Support for DNSSEC, DoH, DoT.
    • Update the OpenVPN package!!!! It has vulnerabilities now.
    • Allow configuring OpenVPN advanced options.
    • The ability to create fw rules automatically based on security events

    Sophos without this won't have a position to hold in any customer with a CISO and a security team behind.

    I have seen the roadmap and it looks promising, but none of these features will be available.