Important note about SSL VPN compatibility for 20.0 MR1 with EoL SFOS versions and UTM9 OS. Learn more in the release notes.

Thread Info
  • State Suggested Answer
  • Locked Locked
  • Replies 3 replies
  • Answers 1 answer
  • Subscribers 41 subscribers
  • Views 1629 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

How to systematically analyze an IPS message?

megrv

Assume, that I got the following email:

This almost says nothing. The hostname above is the host name of the XG, not the source or the destination of the attack.

Information, that I really must have:
- Source IP of attacker
- Destination IP
- Some kind of signature ID
- The IPS policy, in which the matched signature is contained
- The firewall rule ID
maybe even more

Where can I find that information?

Also, as a result, the "attacker" will become blocked. (I guess). For how long? Where is a list of all blocked attackers? How can i manually unblock an IP? In the above case, this was not necessary, but I also had legitimate actions triggering the IPS.

Why is there no information in the log files? The Log Viewer shows nothing (yes, I have both checkboxes enabled in System Services -> Log Settings -> IPS) and also /log/ips.log does not contain anything:

fgrep -i "BROWSER-IE Microsoft Internet Explorer" /log/*

This yields nothing! Also, specifically searching /log/ips.log yields nothing. There are no entries in /log/ips.log at the time stamp mentioned in the email. How is that possible? Searching for 7002 only shows entries where the timestamp contains 7002. Also this ID is completely useless, because any IPS message has this ID.

YES, I know, there is the report section in the web GUI. But it only shows AGGREGATED information. I do not want this. "Reports" shows a list of attacker IPs, a list of destination IPs and a list of attacks, but NOT which of those belong together. I want detailed information about every single event. Where can I find that?

And as a side note: "Log Settings" and "Notification List" should not be two separate settings. And they definitely should not be different lists. It should be possible to configure for any event where it shall go: Email, SNMP and/or Log.



This thread was automatically locked due to age.
  • 0

    IPS and IDS are somehow the same system. It simply points to you your next steps. 

    As a IPS can only prevent this movement, it will only prevent this particular access (this connection). Other connections are still allowed. IDS will alert you, there was a matching pattern. 

    The next steps are to investigate this device in more depth. What is actually causing this traffic, which application(s) are running on this client, which user was running this app etc. 

    There are tools to do this (See Central Intercept with EDR). 

    And IPS/IDS Solution likely is not able to tell you, this is a False Positive or a actually attack. It only indicates you a potential threats and prevents this movement. But it does not stop the attack to perform other things.

    For example if somebody is already on the system, he can perform other techniques to attack other clients in the network etc. 

    Intercept X with Sophos firewall would trigger a hb status change and automatically isolate the client after a detection to give you a chance to perform investigation. 

    __________________________________________________________________________________________________________________

  • 0 in reply to LuCar Toni

    In XG, IDS and IPS are the same according to https://community.sophos.com/sophos-xg-firewall/f/discussions/104093/sophos-xg-or-sg-have-ids-intrusion-detection-system-or-ips-only

    You say, the next steps are to investigate this device in more depth. This is exactly what I want to do. And for that, I need the information I mentioned above. Intercept/EDR may be a good tool, but basic information like IP addresses and rule IDs should be provided by the XG.

    The IPS does not have to tell me whether it is a false positive or not. If it would know, it could dismiss the whole notification in the first place. I will do that for myself. But I need more information and it is really frustrating that this is not available. Because this information is known at the time when the IPS is triggered. It should just be saved somewhere I can find it.

  • 0 in reply to LuCar Toni

    Ok i found it out myself: The log viewer has different views. It's the combo box on the top right with the light-gray-on-white text, that must be set to IPS.

    I will never get why UX designers think that light gray on white is good UI design.

Unfiltered HTML