
Limiting Email Notifications for Portscan Alerts seems to have no effect

Hello community,

 

I am running a Sophos UTM Home setup on two SG330s in an active/passive cluster for private usage at home.

Mostly everything works fine, and I won't mess with Sophos anymore.

I am also using email notifications in a wide range for reports, alerts, etc.

But the option for limiting notifications does not seem to work properly. For every portscan alert I receive about 10-50 or more emails for the same source public IP / alert case.

So I thought the solution would be to set the "limit notifications" option, but it has no effect.

Does anybody else have the same situation? What is the sense in receiving multiple (hundreds of) emails with the same content?

Is there another option to limit a portscan alert with arguments like "if alert type X and source IP Y within a 10 min time slot, don't send another mail"?

 

Thanks anyway all :)

Regards, Andy.



This thread was automatically locked due to age.
  • Can anyone go with my approach of disabling the Email checkbox for "Portscan detected" (WARN-856) and letting the UTM do its job? Because if you get an email, the system has already detected the portscan.
    Of course Bob's solution is fine, but it constantly involves admin power.

    BR

    -

  • Interesting. Someone flagged that post as abusive.

    In fact, Alex, that's what I do in our UTM. I ran the following command and found over 3300 scans from one IP in the first 13:50 of the day:

    grep scan /var/log/ips.log | grep -oP 'srcip=".*?"' | sort -n | uniq -c

    I then created a Portscan Exception for that IP and made a firewall Reject rule for it. In a little over an hour, almost 2700 packets from it have been rejected. I also emailed a complaint to the ISP in NL. That and the rejected packets will likely get their customer to quickly clean their infected server instance of malware.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
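The following script is an added example, not code from this thread, from Sophos or from the UTM itself. It shows two things in one place: Bob's grep/uniq pipeline as a function that counts portscan lines per source IP and lists the noisy ones (the candidates for a Portscan Exception plus a Reject rule), and the throttling rule Andy asked for in the opening post, at most one notification per alert id and source IP within a 10-minute window, which the UTM's "limit notifications" option evidently does not provide. The log lines are constructed to resemble ips.log entries and may not match the real field layout exactly; the "scan" filter, the 10-minute window and the threshold of 3 are assumptions made for the example.

```python
"""Added example: two things from this thread as runnable code.

1. Bob's pipeline  grep scan ips.log | grep -oP 'srcip=".*?"' | sort | uniq -c
   as a function that counts portscan lines per source IP and lists the
   noisy ones (candidates for a Portscan Exception plus a Reject rule).
2. The throttling rule Andy asked for: at most one notification per
   (alert id, source IP) within a 10-minute window.

The log lines below are constructed for this example and only resemble
UTM ips.log entries; the real field layout may differ, so check the
regexes against your own /var/log/ips.log before relying on them.
"""
import re
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample log, roughly in ips.log style (not from a real appliance).
SAMPLE_LOG = """\
2016:03:18-00:00:05 utm snort[4242]: id="2103" severity="warn" sys="SecureNet" sub="ips" name="portscan detected" srcip="203.0.113.7" dstip="198.51.100.2"
2016:03:18-00:00:09 utm snort[4242]: id="2103" severity="warn" sys="SecureNet" sub="ips" name="portscan detected" srcip="203.0.113.7" dstip="198.51.100.2"
2016:03:18-00:03:30 utm snort[4242]: id="2103" severity="warn" sys="SecureNet" sub="ips" name="portscan detected" srcip="203.0.113.7" dstip="198.51.100.2"
2016:03:18-00:11:00 utm snort[4242]: id="2103" severity="warn" sys="SecureNet" sub="ips" name="portscan detected" srcip="203.0.113.7" dstip="198.51.100.2"
2016:03:18-00:12:00 utm snort[4242]: id="2103" severity="warn" sys="SecureNet" sub="ips" name="portscan detected" srcip="192.0.2.55" dstip="198.51.100.2"
2016:03:18-00:12:30 utm snort[4242]: id="2001" severity="info" sys="SecureNet" sub="ips" name="some other rule" srcip="203.0.113.7" dstip="198.51.100.2"
"""

TS_RE = re.compile(r"^(\d{4}:\d{2}:\d{2}-\d{2}:\d{2}:\d{2})")
ID_RE = re.compile(r'\bid="([^"]*)"')
SRCIP_RE = re.compile(r'srcip="([^"]*)"')  # the same field Bob's grep -oP extracts


def parse_line(line):
    """Return (timestamp, alert_id, srcip) for one log line, or None if a field is missing."""
    ts, alert_id, srcip = TS_RE.match(line), ID_RE.search(line), SRCIP_RE.search(line)
    if not (ts and alert_id and srcip):
        return None
    when = datetime.strptime(ts.group(1), "%Y:%m:%d-%H:%M:%S")
    return when, alert_id.group(1), srcip.group(1)


def scan_counts(log_text, needle="scan"):
    """Count lines containing `needle` per source IP: the grep | grep -oP | sort | uniq -c step."""
    counts = Counter()
    for line in log_text.splitlines():
        if needle not in line:
            continue
        m = SRCIP_RE.search(line)
        if m:
            counts[m.group(1)] += 1
    return counts


def noisy_sources(counts, threshold):
    """Source IPs with at least `threshold` scan lines, busiest first."""
    return sorted((ip for ip, n in counts.items() if n >= threshold), key=lambda ip: -counts[ip])


def throttle_notifications(log_text, window=timedelta(minutes=10), needle="scan"):
    """Return the (timestamp, alert_id, srcip) events that would be mailed when at most
    one mail per (alert_id, srcip) is allowed per `window`. Assumes chronological lines.
    The window is anchored at the last mail actually sent, so a scan that runs all day
    still produces one reminder per window instead of being silenced forever."""
    last_sent = {}
    sent = []
    for line in log_text.splitlines():
        if needle not in line:
            continue
        parsed = parse_line(line)
        if parsed is None:
            continue
        when, alert_id, srcip = parsed
        key = (alert_id, srcip)
        prev = last_sent.get(key)
        if prev is not None and when - prev < window:
            continue  # same alert from the same source inside the window: suppressed
        last_sent[key] = when
        sent.append(parsed)
    return sent


if __name__ == "__main__":
    counts = scan_counts(SAMPLE_LOG)
    for ip, n in counts.most_common():
        print(f"{n:6d} srcip={ip}")
    print("exception candidates:", noisy_sources(counts, threshold=3))
    for when, alert_id, srcip in throttle_notifications(SAMPLE_LOG):
        print(f"mail: {when:%Y-%m-%d %H:%M:%S} id={alert_id} srcip={srcip}")
```

On the constructed sample, 203.0.113.7 produces four scan lines and would be mailed twice (at 00:00:05 and again at 00:11:00), while the three lines in between are suppressed; 192.0.2.55 is mailed once. The window is deliberately measured from the last mail sent rather than from the last event seen: measuring from the last event would let a continuous scan suppress its own notifications indefinitely, which is the opposite of what a throttle should do.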