
Sophos firewall application classification errors

Hi folks,

Sometime in the last 6 weeks I started a thread on classification errors. I have been doing some further investigation and found that I was wrong and needed to be corrected. I have searched all my activities and not been able to find the initial post to correct the error.

Where has the post gone?

Classification errors

Streaming video is classified as infrastructure

NTP is classified as thunderVPN

An HTTP access to an Apple site is classified as manual proxy surfing on IPv6

Some IMAPS traffic is unclassified.

Ian



  • Hi Emmanuel,

    That is not PCAP but tcpdump. How does that relate to using the PCAP in logviewer? PCAP in logviewer reports that it is capturing data, but never displays the data.

    Ian

    XG115W - v20 GA - Home

    XG on VM 8 - v20 GA

    If a post solves your question please use the 'Verify Answer' button.

  • Hello rfcat,

    So the command is below. Basically, it is a tcpdump capture saved as a pcap, which Labs then uses to analyze the stream of data.

    # tcpdump -ni any -b -s0 -w /tmp/application.pcap 'host x.x.x.x and host x.x.x.x'

    The x.x.x.x would be the IP of the computer doing the request and the Public IP of the Destination.

    Regards,

    Emmanuel (EmmoSophos)
    Technical Team Lead, Global Community Support
    If a post solves your question use the 'Verify Answer' link.
  • Thank you, I understand that, but that wasn't the answer to the question about PCAP in logviewer.

    I will try the tcpdump commands again and send you the files.

    Ian


  • Hi Emmanuel,

    I sent you two files in a PM.

    Ian


  • I will have to re-do the NTP and let it run for a longer time; the file is basically empty.

    Ian

    Logviewer does not report any Infrastructure results yet the GUI does and expands to show the traffic. Makes investigation very difficult.

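The capture Emmanuel describes, wrapped so that it runs for a fixed time and so that the resulting file can be checked for real packet records before it is sent off, which is the header-only result Ian ran into with NTP. This is an added example, not code from the thread or from Sophos; it assumes a standard tcpdump, od and timeout are available in the firewall's advanced shell, and the sample-file writer produces constructed data, not a real capture.

```shell
#!/bin/sh
# Added example, not from the thread or from Sophos. Assumes a standard tcpdump,
# od and timeout in the firewall's advanced shell; CLIENT/DEST are placeholders.

# Capture one client/destination pair for a fixed number of seconds, as in the
# thread's command, with tcpdump options placed before the filter expression.
capture_pair() {
    client="$1"; dest="$2"; out="$3"; secs="${4:-300}"
    timeout "$secs" tcpdump -ni any -s0 -w "$out" "host $client and host $dest"
    rc=$?
    [ "$rc" -eq 0 ] || [ "$rc" -eq 124 ]     # 124 = timeout expired, the normal case
}

# Count packet records in a classic pcap file (the format tcpdump -w writes),
# walking the 16-byte record headers after the 24-byte global header.
# Prints the count and returns 0; returns 1 if the file is not a sane pcap.
pcap_packet_count() {
    f="$1"
    size=$(wc -c < "$f" | tr -d ' ')
    [ "$size" -ge 24 ] || return 1
    magic=$(od -An -tx1 -N4 "$f" | tr -d ' \n')
    case "$magic" in
        d4c3b2a1|4d3cb2a1) le=1 ;;           # little-endian, usec or nsec timestamps
        a1b2c3d4|a1b23c4d) le=0 ;;           # big-endian
        *) return 1 ;;
    esac
    off=24; n=0
    while [ "$off" -lt "$size" ]; do
        [ $((off + 16)) -le "$size" ] || return 1       # truncated record header
        set -- $(od -An -tu1 -j $((off + 8)) -N4 "$f")   # incl_len field
        if [ "$le" -eq 1 ]; then incl=$(( $1 + $2*256 + $3*65536 + $4*16777216 ))
        else incl=$(( $4 + $3*256 + $2*65536 + $1*16777216 )); fi
        off=$((off + 16 + incl)); n=$((n + 1))
    done
    [ "$off" -eq "$size" ] || return 1                   # truncated last packet
    echo "$n"
}

# Write a constructed little-endian pcap (linktype 113, Linux "any") with $2
# dummy 3-byte records, so the counter can be exercised without a real capture.
write_sample_pcap() {
    printf '\324\303\262\241\002\000\004\000\000\000\000\000\000\000\000\000\377\377\000\000\161\000\000\000' > "$1"
    i=0
    while [ "$i" -lt "$2" ]; do
        printf '\000\000\000\000\000\000\000\000\003\000\000\000\003\000\000\000abc' >> "$1"
        i=$((i + 1))
    done
}
```

A count of 0 means the file holds only the global header, which is the "basically empty" case, so the capture should be re-run for longer before it is shared.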

  • Hi,

    The following screenshots are from my XG, today's report from yesterday and from the GUI.

    If you study those reports you will notice there is not great consistency about infrastructure and streaming media analysis.

    Some of the issue might be caused by not installing a CA on the streaming media device (not possible), so the packet inspection is superficial and streaming media is an exception to scanning. Though the same issue is observed on devices with a CA installed.

    There is also a screenshot where the GUI does not provide any data.

    I hope the above helps with resolving the streaming media and infrastructure classification issues?

    Ian
