Thread Info
  • State Not Answered
  • Locked Locked
  • Replies 7 replies
  • Subscribers 6 subscribers
  • Views 1983 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Limiting Email Notifications for Portscan Alerts seems to have no effect

nd

Hello community,

 

I am running a Sophos UTM Home Setup on 2 SG330 active/passive cluster for private usage at home.

Works mostly all fine and I wont mess sophos anymore.

 

I am also using email notifications in a wide range for reports, alterts, etc.

But the option for limiting notifications seems not to work properly. In any case of a portscan alert I receive about 10-50 or more emails for the same source public ip / alert case.

So I thought the solution would be to set the "limit notifications" button, but there is no effect.

Anybody else have the same situation? Where is the sense there to receive multiple (hundreds) of emails with the same content?

 

Is there another option to limit a portscan alert with arguments like "if alert-type X and source IP Y between time slot 10min dont send another mail"???

 

Thanks anyway all :)

Regards, Andy.



This thread was automatically locked due to age.
  • 0

    Hi Andy,

    Check out the approach I developed for a client: https://community.sophos.com/products/unified-threat-management/f/recommended-reads/121929/reject-port-scans-instead-of-dropping-them-within-intrusion-prevention

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • 0

    Anyone can go with my approach to disable the Email checkbox for Portscan detected (WARN-856) and let the UTM do it’s job? Because if you get an Email the system detected the portscan already.
    Of course Bobs solution is fine, but involves admin power constantly.

    BR

    -

  • 0 in reply to Alexander Busch

    Interesting.  Someone flagged that post as abusive.

    In fact, Alex, that's what I do in our UTM.  I ran the following command and found over 3300 scans from one IP in the first 13:50 of the day:

    grep scan /var/log/ips.log|grep -oP 'srcip=".*?"'|sort -n|uniq -c

    I then created a Portscan Exception for that IP and made a firewall Reject rule for it.  In a little over an hour, almost 2700 packets from it have been rejected.  I also emailed a complaint to the ISP in NL.  That and the rejected packets will likely get their customer to quickly clean their infected server instance of malware.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • 0 in reply to BAlfson

    Hi Bob

    and thanks for your answer.

    But I think this is not the solution - it seems more like an arrangement and workaround for the generally problem with "limiting notifications". ;)

     

    Limit notifications: Some security-relevant events such as detected intrusion attempts will create a lot of notifications, which may quickly clog the notification recipients' email inboxes. For this reason, Sophos UTM has sensible default values to limit the number of notifications sent per hour. If you disable this option, every security-relevant event will create a notification, provided the event is configured so as to send a notification on the Management > Notifications > Notifications tab.

     

    According to that description and common sense it should be able to prevent mail notification flooding.

    I don´t need to receive 20 (or more) identically mails about the same alert and source ip. But nethertheless it is very informal to know about such an event.

     

    So actually it seems like a bug or "not perfect programming" that event / alert type.

    If nobody has a solution for that would it be suggestly to plant that behavior anywhere to fix / improve that? if yes, where? :)

     

    Thanks,

    Andy.

  • 0 in reply to nd

    My guess is that the portscan attacks last long enough that they're seen as additional attacks - that if notifications weren't limited, you'd see more messages.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • 0 in reply to BAlfson

    One example for today: 6 mails between 1 second according to the time stamp. The rest has been deleted allready.

    I will tell you more tomorrow / next alert. The ammount of alerts and scans vary from day to day.

  • 0 in reply to BAlfson

    Just few minutes ago 18 Mails of the same alert between two seconds.

Unfiltered HTML