https://community.sophos.com/utm-firewall/f/management-networking-logging-and-reporting/89092/intrusion-detection-for-dropped-packetsSophos UTM 9 model SG230 firmware version 9.411-3. In the past we have had a lot of issues on this firewall with DDOS attacks on our DNS servers. Those DNS servers are long gone and I have added a WAN firewall rule to drop any TCP/UDP port 53 trafficen-USTelligent Community 12https://community.sophos.com/thread/324469?ContentTypeID=1Thu, 02 Mar 2017 17:20:57 GMT4be5eb7d-caa4-4ff5-8e60-8f9463545a35:841210ff-659e-47bb-a2b3-4e94941714f5Kipland Iles<p>Thanks again, <a href="/members/balfson">BAlfson</a>. I bookmarked Rulz this time.</p><div style="clear:both;"></div>https://community.sophos.com/thread/324464?ContentTypeID=1Thu, 02 Mar 2017 16:46:31 GMT4be5eb7d-caa4-4ff5-8e60-8f9463545a35:0b9fd225-6684-4ceb-99b3-ba02cb9203a9BAlfson<p>I think you want #2 In <a href="/products/unified-threat-management/f/general-discussion/22065/rulz">Rulz</a>, Kipland.&nbsp; You will see from that that the way to drop the traffic before everything else is a blackhole DNAT.</p> <p>Cheers - Bob</p><div style="clear:both;"></div>https://community.sophos.com/thread/324267?ContentTypeID=1Wed, 01 Mar 2017 11:30:35 GMT4be5eb7d-caa4-4ff5-8e60-8f9463545a35:ecd20bf9-12c1-4504-840b-969b32e10599Kipland Iles<p>[quote user=&quot;dirkkotte&quot;]the flood protection drop packets before these reach the packetfilter/statefull engine/NAT engine/... to protect the system[/quote]</p> <p>Thanks <a href="/members/dirkkotte">dirkkotte</a>. That explains the IPS logging. Will want to read <a href="/members/balfson">BAlfson</a>&nbsp;packet flow explanation.</p> <p>Part of the reason for reaching out on this is that we incurred some additional bandwidth usage charges at the datacenter because of these DDOS attacks. I noticed that our WAN bandwidth usage dropped significantly after applying the new firewall rule but that does not stop the attackers from trying and being turned away. It apparently keeps IPS busy, as well. Perhaps some adjustment to IPS will help prevent them from coming back for more - similar to Fail2Ban that I use on my load balancers.</p><div style="clear:both;"></div>https://community.sophos.com/thread/324141?ContentTypeID=1Wed, 01 Mar 2017 01:07:24 GMT4be5eb7d-caa4-4ff5-8e60-8f9463545a35:62563cc0-2c65-4819-bf8e-aeff5e674956dirkkotte<p>the global policy settings are necessary for the snort engine.</p> <p>IPS pattern use packet direction&nbsp; &quot;out-&gt;in&quot;&nbsp;&nbsp; &quot;in-&gt;in&quot;&nbsp;&nbsp; &quot;in-&gt;out&quot;&nbsp; to check the applicability of a rule.</p> <p>the flood protection drop packets before these reach the packetfilter/statefull engine/NAT engine/... to protect the system.</p> <p>Bob (BAlfson) has a great explanation of packet flow. But i have the link at the moment.</p> <p>&nbsp; &nbsp;</p><div style="clear:both;"></div>