
Snort Exclusion not working

Hi,

 

I am trying to run speedtests via speedtest_cli on one of my boxes to regularly check the actually available speed my ISP provides.

Now the download speed is limited by my Sophos UTM box (9.510-4) by snort going to 100%. If I turn off IPS I get 400 MBit down as expected, with IPS on I am limited to 120MBit.

So since I have absolutely no idea which rule the speedtest triggers (and no idea how to identify it) I wanted to go the easy way and added an exclusion rule for my box (both ways):

Unfortunately despite this my speed is still limited by snort which I can easily verify by turning off IPS again.

Any idea why this would not work? Or an idea how to debug the IPS to find why it won't work? Or how to debug to find the rule that triggers on speedtest so I can turn that off?

 

Many thanks,

regards,

Thomas



  • Hi Thomas,

    when reviewing the IPS logs, what do you see, and what is shown in the daily reports? When looking at the Dashboard, do you see indications of high packet counts in the IPS?

    Ian

    XG115W - v20.0.2 MR-2 - Home

    XG on VM 8 - v21 GA

    If a post solves your question please use the 'Verify Answer' button.

  • Hi Ian,

     

    there is nothing in the log except normal snort reload messages. I have not found how to turn on debugging for IPS yet; maybe that would give an indication.

    Not sure where I'd see connections on the dashboard, but the daily report is as follows:

     

    After the next run:

    That did not change, which kind of implies that the host is excluded after all, but it's not (or only partially). O/C it could also mean that it's not using data up until the moment the report is triggered but up to an earlier time (midnight?), not sure about that.

     

    Any other ideas?

     

    Thanks,

    regards,

    Thomas

  • Your exception is incorrect.

    Check out the Online Help:

    Note – If you want to make an intrusion prevention exception for packets with the destination address of the gateway, selecting Any in the Destinations box will not succeed. You must instead select a definition that contains the gateway's IP address, for example the Internal (Address) or the external WAN address.

    Note – If you use a Sophos UTM proxy, an intrusion prevention exception has to reflect this: a proxy replaces the original source address of a packet with its own address. Thus, to except intrusion prevention for proxied packets, you need to add the appropriate interface address definition of Sophos UTM to the source Networks box.

     

    Basically you are using ANY because it is Server to Any or Any to Server. 

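The two notes quoted from the Online Help above describe matching rules, so here is a small model of them as an added example. This is not Sophos code and not the UTM's actual matching logic; it is a constructed walk-through that assumes one client address, one speedtest server address and one UTM interface address (all from documentation ranges) and treats the UTM interface address as the address the proxy substitutes. It shows why an exception keyed on the client's own address stops matching as soon as the proxy rewrites the source, and why Any in the Destinations box does not cover the gateway's own address.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed addresses for the walk-through (documentation ranges, not real hosts).
CLIENT = "192.0.2.10"          # assumed: the box running speedtest_cli
UTM_ADDR = "192.0.2.1"         # assumed: UTM internal interface, also used by the proxy
SPEEDTEST_SERVER = "203.0.113.5"  # assumed: the remote speedtest server

# Per the first help note, the Any definition does not cover the gateway's own addresses
# when it is used in the Destinations box; those need an explicit address definition.
GATEWAY_ADDRESSES = frozenset({UTM_ADDR})


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str


@dataclass(frozen=True)
class IpsException:
    """One IPS exception: a set of source and destination definitions.
    The string 'any' stands for the Any definition in the UTM dialog."""
    sources: frozenset
    destinations: frozenset


def _in_definition(addr: str, definition: frozenset, is_destination: bool) -> bool:
    if "any" in definition:
        # Modelled after the help note: Any in the Destinations box does not match the gateway.
        return not (is_destination and addr in GATEWAY_ADDRESSES)
    return any(ip_address(addr) in ip_network(net) for net in definition)


def is_excepted(pkt: Packet, exceptions) -> bool:
    """A packet skips IPS if some exception matches both its source and its destination."""
    return any(
        _in_definition(pkt.src, e.sources, is_destination=False)
        and _in_definition(pkt.dst, e.destinations, is_destination=True)
        for e in exceptions
    )


def proxy_rewrite(pkt: Packet, proxy_addr: str) -> Packet:
    """What the proxy does to an outbound packet (second help note): the client's
    source address is replaced by the proxy's own address before IPS sees it."""
    return Packet(src=proxy_addr, dst=pkt.dst)


def both_ways(source_def, dest_def):
    """Two mirrored exceptions, like ticking 'both ways' in the UTM dialog."""
    return [
        IpsException(frozenset(source_def), frozenset(dest_def)),
        IpsException(frozenset(dest_def), frozenset(source_def)),
    ]


def evaluate(exceptions, proxied: bool) -> dict:
    """Run the speedtest connection (one packet each way) through the exception list."""
    outbound = Packet(CLIENT, SPEEDTEST_SERVER)
    if proxied:
        outbound = proxy_rewrite(outbound, UTM_ADDR)
    # The reply comes back to whichever address opened the connection.
    inbound = Packet(SPEEDTEST_SERVER, outbound.src)
    return {
        "outbound_excepted": is_excepted(outbound, exceptions),
        "inbound_excepted": is_excepted(inbound, exceptions),
    }


if __name__ == "__main__":
    client_only = both_ways({CLIENT}, {"any"})
    client_and_utm = both_ways({CLIENT, UTM_ADDR}, {"any"})
    any_any = both_ways({"any"}, {"any"})
    print("client<->any, no proxy:   ", evaluate(client_only, proxied=False))
    print("client<->any, proxied:    ", evaluate(client_only, proxied=True))
    print("client+UTM<->any, proxied:", evaluate(client_and_utm, proxied=True))
    print("any<->any, proxied:       ", evaluate(any_any, proxied=True))
```

The third scenario is the fix the help note prescribes: once the UTM interface address is part of the source definition (and, via the mirrored rule, the destination definition), the proxied packets match. The fourth scenario shows that even Any to Any leaves the return traffic to the gateway address uncovered.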

  • Hi,

    Thanks but I don't understand why this would be applicable to my situation. The box I am excepting is not the gateway, it's just a box in the network which is identified by hostname or ip.

    Could you elaborate? 

    Thanks

    Regards Thomas

  • Do you use the Proxy in UTM ? 


  • Transparent, so I didn't think it would be applicable?

    Or is it?
