Hi!
The IPS on one of our Sophos XG's is blocking Splashtop from connecting properly, and it's being blocked as
Here is what I have done so far, but no luck.
FQDN Host
sn.splashtop.com - resolves 54.204.11.246, 50.19.125.112
splashtop.com - resolves 23.23.164.150, 50.17.197.204
FQDN Host Group
IPS_Ignore - added sn.splashtop.com and splashtop.com
Custom IPS Signature
Name: Splashtop
Protocol: TCP
Rule: srcaddr:54.204.11.246;srcaddr:50.19.125.112;srcaddr:23.23.164.150;srcaddr:50.17.197.204;
Severity: Warning
Action: Bypass
Custom IPS Policy
IPS_Ignore
Rule Name: Allowed_Traffic
Added Custom Signature : Splashtop
Action: Bypass Session
Created Firewall Rule: IPS:Allow
Position: Top
Source: WAN > FQDN HG IPS_Ignore
Destination: LAN > Any > TCP
Intrusion Prevention: IPS_Ignore
Hit save and nothing happens; the IPS log is still filling up with dropped packets.
Hi Brad,
Did you disable IPS and verify if it is actually blocking the application? Alongside, instead of creating a custom IPS signature, you can simply allow the blocked signature in the IPS policy. If you have a specific requirement and need a custom signature then please PM me the screenshot of the configuration and code to verify it further.
Thanks
Sachin Gurung
Team Lead | Sophos Technical Support
Hi!
Yes, it is stopping the application from loading properly.
Tried searching for that signature to change the recommended action, but can't search by signature ID and there are 16 signatures called FILE-OTHER BitDefender Internet Security script code execution attempt.
Does the device require a reboot to load the new signature into memory?
Try changing each one one at a time to Accept, and see which one logs the Accept.
Update: I also use Splashtop (Business Access and SOS) and I noticed that while installing the Business Access application, I also got BitDefender IPS alerts in Sophos XG. However it didn't keep me from being able to remote to computers (both into and out of the customer network). Interestingly, after I saw those alerts, I cannot see any more alerts or get them to come up. I've done everything from using Splashtop's remote reboot feature, chat, logging on and off etc. but the errors aren't coming back, only during the installation. Perhaps my Log Viewer is just very delayed.
I would also like to know about if rebooting is necessary after changing an IPS policy ever.
I went a completely different route, pun intended, and erased everything that I did earlier.
Here is my new configuration and it works fine now.
FQDN Host
sn.splashtop.com - resolves - 54.204.11.246, 50.19.125.112
splashtop.com - resolves - 23.23.164.150, 50.17.197.204
FQDN Host Group
Allowed_FQDN - added sn.splashtop.com and splashtop.com
Created Firewall Rule: Allowed:FQDN
Position: Top
Source: LAN > Any
Destination: WAN > Allowed_FQDN > TCP
Intrusion Prevention: none
And voila, no more 17000 IPS alerts.
You can also use this rule to add more sites, just add them to the Allowed_FQDN HG.
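As an added illustration (not from the thread, and not Sophos code), a small Python model of stateful firewall rule matching: a session is matched on its initiating packet, so the first attempt (Source: WAN, FQDN HG) never sees a LAN-initiated Splashtop session, while the LAN > Any to WAN > Allowed_FQDN rule does. The LAN client address and the group membership are constructed from the IPs listed above.

```python
from dataclasses import dataclass
from typing import List, Optional

# Constructed: FQDN host groups as the firewall would resolve them (IPs from the thread).
SPLASHTOP_IPS = ["54.204.11.246", "50.19.125.112", "23.23.164.150", "50.17.197.204"]
FQDN_GROUPS = {"IPS_Ignore": SPLASHTOP_IPS, "Allowed_FQDN": SPLASHTOP_IPS}


@dataclass
class Session:
    """The first packet of a session: who initiated it, and towards whom."""
    src_zone: str
    src_ip: str
    dst_zone: str
    dst_ip: str
    proto: str


@dataclass
class Rule:
    name: str
    src_zone: str
    src_net: str          # "Any" or an FQDN host group name
    dst_zone: str
    dst_net: str
    proto: str
    ips_policy: Optional[str]


def net_matches(net: str, ip: str) -> bool:
    return net == "Any" or ip in FQDN_GROUPS.get(net, [])


def rule_matches(rule: Rule, s: Session) -> bool:
    return (rule.src_zone == s.src_zone and rule.dst_zone == s.dst_zone
            and rule.proto == s.proto
            and net_matches(rule.src_net, s.src_ip)
            and net_matches(rule.dst_net, s.dst_ip))


def first_match(rules: List[Rule], s: Session) -> Optional[Rule]:
    """Top-down, first-match evaluation, as a rule at 'Position: Top' relies on."""
    return next((r for r in rules if rule_matches(r, s)), None)


# The two rules from the thread.
FIRST_ATTEMPT = Rule("IPS:Allow", "WAN", "IPS_Ignore", "LAN", "Any", "TCP", "IPS_Ignore")
WORKING = Rule("Allowed:FQDN", "LAN", "Any", "WAN", "Allowed_FQDN", "TCP", None)

# Constructed: a LAN client opening the Splashtop connection outbound.
OUTBOUND = Session("LAN", "192.168.1.50", "WAN", "54.204.11.246", "TCP")
```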
I had the exact same pattern of IPS alerts from the same signature with Splashtop.
A little more detective work (aided by the Splashtop trigger), and I found that if I disabled the Splashtop update service, these IPS attack log entries went poof! Splashtop has a service that looks for a software update every minute. Not needed. Splashtop still works fine without it, and the IPS log entries are gone :-)