Thread Info
  • State Suggested Answer
  • Locked Locked
  • Replies 4 replies
  • Answers 1 answer
  • Subscribers 3 subscribers
  • Views 6114 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Exception for IPS/SNORT when transferring files to/from local lan to/from VPN client

Jay Jay

I notice when copying files to/from a remote client connected with SSL (openvpn) or l2tp/ipsec top reports high snort cpu. 

I've been trying to figure out how to properly formulate an exception but have been unsuccessful.

Internal_port2 = local lan (behind utm)
VPN Pool (SSL) = IP pool assigned to openvpn client

I can turn off ips entirely which will disable any snort scans but I'd like to leave it enabled but ignore this type of traffic.

Of course nothing shows up in the ips log because it's not detecting anything intrusive/malicious.  Unlike firewall port blocking I've found no way to observe what it's actually scanning so I can apply the proper exception.

 

Thanks!



This thread was automatically locked due to age.
  • 0

    "Windows Networking" doesn't include SMB, TCP 445, necessary for file sharing.  What happens if you add the "CIFS" Service to your Exception?

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • 0 in reply to BAlfson

    Bob,

    That's already part of windows networking services group.

     

  • 0 in reply to Jay Jay

    What else in in that group?

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • 0 in reply to BAlfson

    Cifs reversed is the same as cifs but with the source/destination reversed.

    I just tested this again, and it's working!@#

    No changes have been made in the exception rule or definitions. 

    The only recent change was a system reboot this morning.  While probably not required I'll typically reboot it about once a month.

    We'll have to wait and see if this sticks after a few weeks or later in the month.

    As odd as it sounds i've seen system reboots fix all sorts of odd behavior in other platforms. 

Unfiltered HTML