This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

[SOLVED] IPS blocks all network traffic

Appartently there was a problem with Snort package update. Since yesterday around 18:00 I had connectivity problems from local networks behind 2 different UTMs. The logs show the following:

up2date.log

2021:11:23-18:05:13 FW01 auisys[21582]: Install u2d packages <ipsbundle2>
2021:11:23-18:05:13 FW01 auisys[21582]: Starting installing up2date packages for type 'ipsbundle2'
2021:11:23-18:05:13 FW01 auisys[21582]: Installing up2date package: /var/up2date/ipsbundle2/u2d-ipsbundle2-9.520.tgz.gpg

Shortly after that, all hosts in the local networks behind the two UTMs could not access the Internet anymore. In both cases this error was logged every 30 seconds or so, causing the IPS log to grow into sizes of 150MB and more:

ips.log

2021:11:23-18:05:32 FW01 snort[21749]: FATAL ERROR: The dynamic detection library "/usr/lib/snort/so_rules//server-apache.so" version 1.0 compiled with dynamic engine library version 3.0 isn't compatible with the current dynamic engine library "/usr/lib/snort_dynamicengine/libsf_engine.so" version 3.1. 

Same log entries on a different firewall at 18:02.

Currently I disabled IPS on both affected systems as a workaround. However I do not know, if the IPS package will be updated automatically to a working version, when the feature is disabled.

Did anyone else encountered this problem?



This thread was automatically locked due to age.
Parents
  • Hi.

    Could you tell us which version you are running.

    One customer had been still running 9.702 and got the same problem. After investigating it looks like the older firmware is not compatible with the IPS pattern update and broke it.

    The only way to fix this was to disable IPS to an upgrade and reenable this.


    Sophos Gold Partner
    4TISO GmbH, Germany
    If a post solves your question click the 'Verify Answer' link.
  • Hi,

    both UTMs are running on version 9.707-5 - the current one. I haven't tried the official workaround posted above yet.

  • Hi.

    I just wanted to share what we have seen yesterday.

    Thanks for the info. Unfortunatly I cannot read that article provided by .


    Sophos Gold Partner
    4TISO GmbH, Germany
    If a post solves your question click the 'Verify Answer' link.
  • Wow, the article is actually gone now... The workarounds were to either disable an re-enable IPS or manually remove an (older?) IPS component via SSH.

  • Hello,

    I just check, and the article is still available, please double-check one more time. 

    In any case here is the output of the KB, but the issue has been resolved already. Not sure if there might have been an issue when the KB was updated that made it unavailable temporarily. 

    Symptom

    Sophos UTM shows the following errors in ips.log:

    2021:11:23-17:43:37 asgolen snort[18896]: FATAL ERROR: The dynamic detection library "/usr/lib/snort/so_rules//server-apache.so" version 1.0 compiled with dynamic engine library version 3.0 isn't compatible with the current dynamic engine library "/usr/lib/snort_dynamicengine/libsf_engine.so" version 3.1.
     

    Resolution

    Sophos' Development Team has released a pattern to fix this issue.

    Workaround
     

    • Turn on and turn off the IPS service in Sophos UTM.
    • Remove the below library file from Sophos UTM shell by running the following command:

      rm /var/chroot-snort/usr/lib/snort/so_rules/server-apache.so

    Regards,


     
    Emmanuel (EmmoSophos)
    Technical Team Lead, Global Community Support
    Sophos Support VideosProduct Documentation  |  @SophosSupport  | Sign up for SMS Alerts
    If a post solves your question use the 'Verify Answer' link.
Reply
  • Hello,

    I just check, and the article is still available, please double-check one more time. 

    In any case here is the output of the KB, but the issue has been resolved already. Not sure if there might have been an issue when the KB was updated that made it unavailable temporarily. 

    Symptom

    Sophos UTM shows the following errors in ips.log:

    2021:11:23-17:43:37 asgolen snort[18896]: FATAL ERROR: The dynamic detection library "/usr/lib/snort/so_rules//server-apache.so" version 1.0 compiled with dynamic engine library version 3.0 isn't compatible with the current dynamic engine library "/usr/lib/snort_dynamicengine/libsf_engine.so" version 3.1.
     

    Resolution

    Sophos' Development Team has released a pattern to fix this issue.

    Workaround
     

    • Turn on and turn off the IPS service in Sophos UTM.
    • Remove the below library file from Sophos UTM shell by running the following command:

      rm /var/chroot-snort/usr/lib/snort/so_rules/server-apache.so

    Regards,


     
    Emmanuel (EmmoSophos)
    Technical Team Lead, Global Community Support
    Sophos Support VideosProduct Documentation  |  @SophosSupport  | Sign up for SMS Alerts
    If a post solves your question use the 'Verify Answer' link.
Children