This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Intrusion protection alert SERVER-OTHER TRUFFLEHUNTER TALOS-2022-1679 attack attempt

Hello,

our Sophos UTM 9 ( latest firmware 9.713-19 ) started to block backups of certain systems that always worked before.

2023:01:16-21:05:07 fwname snort[18187]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="drop" reason="SERVER-OTHER TRUFFLEHUNTER TALOS-2022-1679 attack attempt" group="500" srcip="SERVER1" dstip="FILESERVER" proto="6" srcport="59857" dstport="445" sid="60967" class="Attempted Denial of Service" priority="2" generator="1" msgid="0"

This is the only thing I can see in the logs. These backups have always worked before but now the Firewall keeps blocking them.

There is no information as to what is being blocked and I have found nothing about TRUFFLEHUNTER on the internet. I have also not found this rule id on the snort website.

Does anybody have any idea what is causing this ? Could this is a false positive ? The destination is always a fileserver, could it be a file on the fileserver ? Is there a way to find out more details as to what exactly is being blocked ? 



This thread was automatically locked due to age.
Parents
  • I can confirm this affects Windows backups. vssFull backups appear to succeed but vssCopy and systemstate backups fail and an IP event is logged on the UTM.

    Rather than modify the rule, I added an exemption skipping Intrusion Protection coming from affected backup clients. I'm unsure which is the better choice, tbh, but my backups are working again...

  • Interesting, but I would rather not disable Intrusion Protection for any of our Servers.

    Sadly there seems to be no way of adding an exception for one specific rule.

Reply Children
  • My understanding is that it would be outbound detection from your servers (presuming they are the backup client). Your servers would still be protected by Intrusion Protection from intrusion attempts from the WAN or other networks.

    In this scenario the backup server would have no Intrusion Protection from attacks originating from exempted backup clients only.

    The only other alternative I could see was to modify the specific rule (60967) in the Advanced tab, but this would be to change the action to Alert or to disable it entirely (under Manual Rule Modification).

    I don't expect my servers (which are in a protected network with restricted network and systems access) to become bots, so it was the lesser of two evils imho. The more important issue for me was to get backups working.