

Custom IPS Signatures

Hi!

The IPS on one of our Sophos XGs is blocking Splashtop from connecting properly, and it's being blocked as 

Here is what I have done so far, but no luck.

FQDN Host

sn.splashtop.com - resolves 54.204.11.246, 50.19.125.112
splashtop.com - resolves 23.23.164.150, 50.17.197.204

FQDN Host Group
IPS_Ignore - added sn.splashtop.com and splashtop.com

Custom IPS Signature

Name: Splashtop
Protocol: TCP
Rule: srcaddr:54.204.11.246;srcaddr:50.19.125.112;srcaddr:23.23.164.150;srcaddr:50.17.197.204;
Severity: Warning
Action: Bypass

Custom IPS Policy

IPS_Ignore
Rule Name: Allowed_Traffic
Added Custom Signature : Splashtop
Action: Bypass Session

Created Firewall Rule: IPS:Allow
Position: Top
Source: WAN > FQDN HG IPS_Ignore
Destination: LAN > Any > TCP
Intrusion Prevention: IPS_Ignore

Hit save and nothing happens; the IPS log is still filling up with dropped packets.
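A quick way to see why the drops keep coming, as an added check that is not part of the original post: parse the `srcaddr:` entries out of the custom signature's rule string and compare them with the peer addresses in the dropped-packet log entries. The log lines and field names below are constructed for the example (a simplified key="value" form, not real SFOS log output); the check reports drops whose addresses the signature does not list at all (as happens when a cloud service's DNS answers change) separately from drops where a listed address appears as the destination rather than the source.

```python
import ipaddress
import re

# Rule string from the custom IPS signature described in the post.
SIGNATURE_RULE = (
    "srcaddr:54.204.11.246;srcaddr:50.19.125.112;"
    "srcaddr:23.23.164.150;srcaddr:50.17.197.204;"
)

# Constructed sample log lines (not real firewall output).
SAMPLE_LOG_LINES = [
    'log_component="IPS" action="Drop" src_ip="192.168.1.25" dst_ip="54.204.11.246" dst_port="443"',
    'log_component="IPS" action="Drop" src_ip="192.168.1.25" dst_ip="52.1.2.3" dst_port="443"',
    'log_component="IPS" action="Drop" src_ip="23.23.164.150" dst_ip="192.168.1.40" dst_port="6783"',
    'log_component="Firewall" action="Allow" src_ip="192.168.1.25" dst_ip="50.17.197.204" dst_port="443"',
]


def parse_srcaddr_rule(rule):
    """Return the set of addresses given as srcaddr: entries in a rule string."""
    addrs = set()
    for part in rule.split(";"):
        key, _, value = part.strip().partition(":")
        if key.strip() == "srcaddr" and value.strip():
            addrs.add(ipaddress.ip_address(value.strip()))
    return addrs


def parse_log_line(line):
    """Turn a key="value" log line into a dict of its fields."""
    return dict(re.findall(r'(\w+)="([^"]*)"', line))


def uncovered_drops(rule, log_lines):
    """List IPS drops the signature's srcaddr entries would not match as source.

    Each result is (src_ip, dst_ip, reason): "dst_only" when a listed address is
    the destination of the dropped packet, "not_listed" when neither end is listed.
    """
    covered = parse_srcaddr_rule(rule)
    result = []
    for line in log_lines:
        entry = parse_log_line(line)
        if entry.get("log_component") != "IPS" or entry.get("action") != "Drop":
            continue
        src = ipaddress.ip_address(entry["src_ip"])
        dst = ipaddress.ip_address(entry["dst_ip"])
        if src in covered:
            continue
        result.append((entry["src_ip"], entry["dst_ip"], "dst_only" if dst in covered else "not_listed"))
    return result
```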



  • Hi Brad,

    Did you disable IPS and verify if it is actually blocking the application? Alongside, instead of creating a custom IPS signature, you can simply allow the blocked signature in the IPS policy. If you have a specific requirement and need a custom signature, then please PM me the screenshot of the configuration and code to verify it further.

    Thanks

    Sachin Gurung
    Team Lead | Sophos Technical Support

  • Hi!

    Yes, it is stopping the application from loading properly.
    Tried searching for that signature to change the recommended action, but can't search by signature ID and there are 16 signatures called FILE-OTHER BitDefender Internet Security script code execution attempt.


    Does the device require a reboot to load the new signature into memory?

  • Try changing each one, one at a time, to Accept, and see which one logs the Accept.


    Update: I also use Splashtop (Business Access and SOS) and I noticed that while installing the Business Access application, I also got BitDefender IPS alerts in Sophos XG. However, it didn't keep me from being able to remote to computers (both into and out of the customer network). Interestingly, after I saw those alerts, I cannot see any more alerts or get them to come up. I've done everything from using Splashtop's remote reboot feature, chat, logging on and off etc., but the errors aren't coming back, only during the installation. Perhaps my Log Viewer is just very delayed.


    I would also like to know whether rebooting is ever necessary after changing an IPS policy.
