Dear All,
There is an action in the IPS policy "Bypass Session" and as per the documentation "Bypass Session - Allows the entire session if it detects any traffic that matches the signature." and the recommendation for the same is:
"To save resources and avoid…
Every once in a while I get a hit in Advanced Threat Protection for C2/Zbot-A. Those are single hits, with pretty benign destinations (usually targeting one of the DNS servers used by our infrastructure). The first time it happened I scanned the specific…
So, I inherited the current UTM 9 config and have been working on updating the definitions (some were out of date, some were no longer needed, etc). I found a large group called "Google Server Group" with the following entries:
accounts.google.com apps…
Hello everyone!
When I want to download apps from the Windows 10 Store, only a few MB are downloaded and then the download stops...
In the IPS log I always found "MALWARE-OTHER Executable control panel file download request" (SID=33942). This event…
IPS Sophos XG DoS Protection
What do you have set for your IPS / DoS protection? I have tried the standard limits and also increased them and found traffic-related issues. Not sure if I found any issues with the XG or found a sweet spot. Obviously different…
I recently noticed some activity flagged as attacks on the XG Dashboard. Clicking on it indicated that the packets were allowed. I looked through the IPS policies to find the applicable rule, which was this one: Apple QuickTime traf Atom Out-Of-Bounds…
I have noticed that my Tivo is being flagged by the IPS with "Apache HTTP Server mod_rpaf x-forwarded-for Denial of Service." There were 27 instances yesterday, with 3 noted IP address targets. Is this a false positive or something that I should be concerned…
Hi!
Although I have selected "None" for Protection and Intrusion Protection in a specific WAF rule, I'm getting tons of intrusion attacks on that webserver. Unfortunately, they are all false positives because the webserver is a cloud file server …
We recently discovered that our UTM was blocking packets that we needed for VoIP.
RTP packets were being discarded because IPS detected a UDP Flood Attack. The issue was difficult to find because the UTM was only discarding a relatively small number…
Hello there,
Please do not blame me for my bad English; I am not a native English speaker, but I will try my best.
Through a blog I found the Sophos XG for Home and I bought an ITX system with dual NICs.
Now I have a few problems.
1. IPS
…
So I have a second opportunity this coming Saturday to install the XG210 after some more work to my rules and help from the members here. Because our existing firewall had SIP disabled and h323 disabled, I performed the same on this device and changed…
Hi Guys,
I am experiencing really low bandwidth with the Sophos XG. I have tried turning off IPS, Web Filter, and Application Control just to troubleshoot. Is there something with the OS version (SFOS 16.05.5 MR-5) that is causing this?
Thanks.
…
Hi guys, I keep getting the following alert and just wondered if it was anything to worry about / look further into:
Intrusion Prevention Alert
An intrusion has been detected. The packet has been dropped automatically.
You can toggle this rule…
Hi there, I've spent a little time testing the IPS offloading or load balancing behaviors while in a High Availability Cluster setup (Active/Active). I've set up two VMs on an ESXi 6.5 physical host. The VMs have all the same networks, NICs, RAM, disks and…
Dear,
We have been under attack for two days from two IPs. I tried to block the two IPs of the attackers but it doesn't seem to work.
I immediately created the rule below with the two culprits, to drop and log all the traffic. The rule is the very first…
Hello,
Just curious, I received a warning from my firewall that it detected the C2/Zbot-A C&C virus from an IP that points to my iPhone 7 (it is NOT hacked, and is on fully patched iOS).
The only thing in my IPS log is:
"2017:09:07-05:48:08 gateway…
Hi all, I really need some straight talk to see if what I want is even possible. We currently have a 10Gb WAN connection to our home, and I'm currently utilizing a MikroTik RouterBoard with ACLs for marginal security. I'm not comfortable with that level…
I'm having multiple UTMs reporting a C2/Generic-A from IP address 45.33.9.234. I have scanned every server/PC that is reported on and there is never anything there. I believe this is a false positive and I cannot get Sophos to help me out on this one…
My dashboard regularly shows botnet/command and control traffic detected. It is always BYOD hosts that cause it to trip. I understand protocol is to take these devices offline and scan them for viruses, but I would really like to know if there is anything…
Hi,
Since I have been using XG, I am always getting IPS alerts, and I am concerned about them, because I don't know the reason for these alerts.
Are IPS alerts an alert about accessing websites with vulnerabilities or outdated software, or does an IPS alert mean…
Hi,
Today I've got many IPS alerts with the source IP of the UTM's LAN and WAN ports.
Is this normal?
Regards Meghan
P.S. Address No. 1 in Screenshot 1 is the LAN IP of the UTM and address No. 2 is the WAN IP of the UTM.
We are having trouble downloading some Adobe Acrobat files from one of our vendors. The files are being flagged by the IPS system under the signature "Adobe Reader PDF Engine CVE-2017-3025 Memory Corruption Vulnerability". It only is affecting about 10…
Dear All,
Can anyone please explain the IPS actions like drop, reset, disable, etc.?
And can we block the detected blacklist IPs for 30 minutes, and where can I find the IPS blacklist IPs?
Hello all,
Do you know if Sophos will protect our network from the APT10 Operation Cloud Hopper malware threat? (The link points to a PDF document about the malware.) https://www.google.co.uk/url?sa=t&rct=j&q=&esrc=s&source=web&cd=3&cad=rja&uact=8&ved=0ahUKEwjZs_udk9vUAhWF0RoKHbxIDqoQFggxMAI&url…
Good morning everybody!
I have many IPS alerts. Is that normal?
And not all of the victims' IPs are in my network!
I use the LAN_TO_WAN standard IPS policy!