This topic has been covered before a few times but I was hoping to get some help wrapping my head around what I'm seeing.
I tested 5 VPN configurations both with and without IPS turned on. As previously documented IPS kills basic throughput (without…
Hello Community, We have a UTM SG430 and 1GBit/s internet connection. Now I have noticed that IPS a. prevents the line from being fully utilized. b. Long response times (100ms-500ms) and even packet loss occur when the WAN interface is heavily utilized…
Hi everyone,
this is not a technical issue but a desperate call for advice.
Our Sophos UTM firewall (firmware version: 9.816-2) is suffering from a (D)DoS attack that has been going on for several days now. Since our internet connection only consists of…
Found a post from over 10 years ago, so thought I'd ask and get a more up-to-date reply!
I get alerts from the IPS saying it blocked an attack. I add the IP (if it's the same one repeatedly) to Network Protection/Firewall to drop from that IP, Any service…
Hello Sophos forum,
I keep getting Intrusion Prevention warnings from my SG230 firewall.
Intrusion Prevention Alert
An intrusion has been detected. The packet has been dropped automatically.
You can toggle this rule…
Our old Sophos UTM is definitely a bit on the "too small" side by now, but still, we're trying to get things running for at least an extra year or so. Right now we occasionally have issues with the UTM CPU usage going up to 100%, to the point where the…
I need to allow DNS lookups for a particular .tk domain.
I read this old thread but " Add an Exception for wiki.tcl.tk in 'Advanced Protection >> Advanced Threat Protection " doesn't work. The DNS lookup traffic is still blocked.
I'm in the same situation…
Hello,
Following a reboot of our servers, we are no longer able to access several internal and external services (VPN, telephony, User portal)
I am neither a network expert nor an advanced user of Sophos solutions, but I will gladly provide you with…
Hello,
our Sophos UTM 9 ( latest firmware 9.713-19 ) started to block backups of certain systems that always worked before.
2023:01:16-21:05:07 fwname snort[18187]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert…
Are there any recommendations for tweaking IPS on an SG125w running UTM 9 (latest version)? We have a 100Mb/sec LOS connection which drops from 100Mbps to 70Mbps with IPS enabled.
Hello all,
Maybe a silly question, however, in the IPS service:
Do we need to include the RED networks for remote offices as well? Similarly, do they (RED networks) need to be listed in the Firewall rule for Teams and the like:
Finally, besides…
Hi,
yesterday (Sunday) at 3 am SNORT stopped working, with the result that internal nets couldn't reach the Internet anymore. In the logs I found
FATAL ERROR: Failed to load /usr/lib/snort/so_rules//file-java.so: /usr/lib/snort/so_rules//file-java.so:…
Good evening,
we have been having problems with suspicious IPS messages for some time. Unfortunately we are unable to trace the cause of the message.
2022-06-08 15:07:21 IPS messageid="07002" log_type="IDP" log_component="Signatures" log_subtype…
Hello everyone,
I have the same IPS message on 2 different SGs (9.711):
SERVER-OTHER Kerberos 5 build_principal_va denial of service attempt
The description of SID 1-59640 says only
"This rule detects a crafted Kerberos…
Just installed Sophos UTM 9.707-5 in ESXi VMware.
When starting Intrusion Prevention I see in the console:
/usr/bin/chroot: failed to run command '/sbin/snort' no such file or directory
I have ssh'd in to the utm and checked, snort can't be found…
Hi,
the SOPHOS UTM Firewall of one of our Clients sporadically reports an ATP-Threat (Botnet/command-and-control traffic) that has been blocked. The "infected" Hosts are always the two Domain Controllers / DNS Servers within the network.
User…
Hi all!
We are using SSL VPN and facing severe performance issues all the time. When using RDP, the desktop sometimes freezes and copying files to and from the remote desktop takes very long (about 1MB/s, the connections are capable of 10MB/s (home…
First alert we had from rule SID 20842 was on 23 Nov at 17:39 GMT. Since then have had 230 alerts to around 50 different Windows 10 hosts, all this rule, 29 different IP source addresses, all source port 80, various destination ports.
Looking up the…
Apparently there was a problem with a Snort package update. Since yesterday around 18:00 I have had connectivity problems from local networks behind 2 different UTMs. The logs show the following:
up2date.log
2021:11:23-18:05:13 FW01 auisys[21582]: Install…
Hi everyone,
we are having issues with the customer's Skype for Business (still on-prem) because of IPS.
After a while the voice stops and our users at the office (it works from home or on a data plan) cannot use VoIP anymore.
The IPS log shows the IP…
Ok, so how specifically do I ' set the corresponding intrusion protection rule to "drop" in WebAdmin ' per the alert email below I received?
There is no 'rule' identified in the alert. Am I supposed to infer that 58442 in the snort link is the rule…
Hello,
since yesterday our PBX has had a Vodafone SIP trunk. Since then, outgoing calls are disconnected after exactly 60 seconds. Not all of them; it seems to me that it runs for about 30 minutes, then the disconnections start again.…
I can see IPS log entries when I manually inspect the IPS log files but the IPS portion of the daily executive report has been blank for months. I used to see IPS entries in almost every daily report.
Also, zero is reported for all IPS statistics on…
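Several of these threads come down to the same chore: reading the raw UTM IPS log when WebAdmin only shows the truncated alert mail (which SID fired, from which source, against how many internal hosts, and whether the action was drop or alert), as in the backup post with the `snort[18187]: id="2101" ... sub="ips"` line, the SID 20842 post that counts sources and target hosts by hand, the "which rule is 58442" post, and the executive-report post whose IPS counters read zero while the log file still has entries. The script below is an added example, not code from any of the posts or from Sophos. Its parser follows only the line layout visible in the excerpts (timestamp, hostname, `snort[pid]:`, then `key="value"` pairs); every further field name it expects (`action`, `reason`, `srcip`, `dstip`, `srcport`, `dstport`, `sid`) is an assumption about the format, the sample log lines are constructed, and the snort.org `rule_docs/<gid>-<sid>` link is the same gid-sid form as "Sid 1-59640" in the Kerberos post.

```python
"""Parse Sophos UTM snort/IPS log lines and summarise them by signature and source.

Added example for the forum threads above, not code from the posts or from Sophos.
Only the prefix and the first key="value" pairs mirror the excerpt visible in the
posts; the remaining field names (action, reason, srcip, dstip, srcport, dstport,
sid) are assumptions about the format, and SAMPLE_LOG is constructed data.
"""
import re
from collections import Counter, defaultdict

# Constructed sample log: two external sources, one internal DNS server that
# trips an alert-only rule, and one non-snort line (auisys) that must be skipped.
SAMPLE_LOG = """\
2023:01:16-21:05:07 fwname snort[18187]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="drop" reason="constructed rule A" srcip="198.51.100.10" dstip="192.0.2.20" proto="6" srcport="80" dstport="49152" sid="20842"
2023:01:16-21:05:09 fwname snort[18187]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="drop" reason="constructed rule A" srcip="198.51.100.10" dstip="192.0.2.21" proto="6" srcport="80" dstport="49153" sid="20842"
2023:01:16-21:05:12 fwname snort[18187]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="drop" reason="constructed rule A" srcip="203.0.113.5" dstip="192.0.2.20" proto="6" srcport="80" dstport="49154" sid="20842"
2023:01:16-21:06:40 fwname snort[18187]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="drop" reason="constructed rule B" srcip="198.51.100.10" dstip="192.0.2.30" proto="6" srcport="33000" dstport="88" sid="58442"
2023:01:16-21:07:01 fwname auisys[21582]: Install started (constructed, not an IPS line)
2023:01:16-21:07:05 fwname snort[18187]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="alert" reason="constructed rule C" srcip="192.0.2.20" dstip="198.51.100.77" proto="17" srcport="53" dstport="53" sid="12345"
"""

# Prefix as seen in the posts: YYYY:MM:DD-HH:MM:SS host snort[pid]: <key="value" pairs>
PREFIX_RE = re.compile(
    r'^(?P<ts>\d{4}:\d{2}:\d{2}-\d{2}:\d{2}:\d{2}) (?P<host>\S+) snort\[(?P<pid>\d+)\]: (?P<body>.*)$'
)
KV_RE = re.compile(r'(\w+)="([^"]*)"')


def parse_line(line):
    """Return a dict for a snort IPS line, or None for any other daemon's line."""
    m = PREFIX_RE.match(line.rstrip("\n"))
    if not m:
        return None
    rec = {"ts": m.group("ts"), "host": m.group("host"), "pid": int(m.group("pid"))}
    rec.update(KV_RE.findall(m.group("body")))  # list of (key, value) pairs
    return rec if rec.get("sub") == "ips" else None


def parse_log(text):
    """All IPS records in a log excerpt, in file order."""
    return [r for r in (parse_line(l) for l in text.splitlines()) if r]


def summarize(records):
    """Per-SID and per-source counts: which rule fires, from where, against how many hosts."""
    by_sid = Counter(r.get("sid", "?") for r in records)
    by_src = Counter(r.get("srcip", "?") for r in records)
    targets = defaultdict(set)
    actions = defaultdict(set)
    for r in records:
        sid = r.get("sid", "?")
        targets[sid].add(r.get("dstip", "?"))
        actions[sid].add(r.get("action", "?"))
    return {
        "total": len(records),
        "by_sid": dict(by_sid),
        "by_src": dict(by_src),
        "targets_per_sid": {s: len(t) for s, t in targets.items()},
        "actions_per_sid": {s: sorted(a) for s, a in actions.items()},
    }


def repeat_offenders(records, threshold=2):
    """Source IPs seen at least `threshold` times: candidates for a 'drop from that
    IP, any service' firewall rule, after checking the source is not one of your
    own servers (the DNS/DC false-positive case in another thread)."""
    hits = Counter(r.get("srcip", "?") for r in records)
    return sorted(ip for ip, n in hits.items() if n >= threshold)


def snort_rule_url(sid, gid=1):
    """snort.org rule documentation link in the gid-sid form ("1-59640") the alerts quote."""
    return f"https://www.snort.org/rule_docs/{gid}-{sid}"


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    s = summarize(recs)
    print(f"{s['total']} IPS records")
    for sid, n in sorted(s["by_sid"].items(), key=lambda kv: -kv[1]):
        print(f"sid {sid}: {n} alerts, {s['targets_per_sid'][sid]} target host(s), "
              f"actions={s['actions_per_sid'][sid]}  {snort_rule_url(sid)}")
    print("repeat offenders:", repeat_offenders(recs))
```

On a real box the input would be `/var/log/ips.log` (or the rotated `ips.log-*.gz` files) rather than the embedded sample; the executive-report thread is exactly the case where running this over the log file and comparing the total with the report's counter tells you whether the problem is in logging or in reporting.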