IPS Exception not working

Hi,

I have problems with IPS in the UTM. The UTM handles IPsec traffic for Veeam Backup and Replication, and it triggers this:

2019:09:10-02:55:51 mail-2 snort[13000]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="drop" reason="MALWARE-OTHER Ransomware SamSam variant detected" group="500" srcip="192.168.11.20" dstip="192.168.10.31" proto="6" srcport="902" dstport="53906" sid="48814" class="A Network Trojan was Detected" priority="1" generator="1" msgid="0"
2019:09:10-02:58:23 mail-2 snort[13000]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="drop" reason="MALWARE-OTHER Ransomware SamSam variant detected" group="500" srcip="192.168.11.20" dstip="192.168.10.31" proto="6" srcport="902" dstport="53946" sid="48814" class="A Network Trojan was Detected" priority="1" generator="1" msgid="0"

192.168.11.20 is a VMware ESXi server
192.168.10.31 is a Veeam server (Windows)

I have added this exception in the affected UTM:

But nothing helps :-(
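Before widening an exception, it helps to see exactly which rule, host pair and port pattern the drops share. The script below is an added example, not part of the thread or of Sophos' own tooling: it parses UTM IPS log lines in the key="value" form quoted above (the two lines are embedded as constructed sample input), groups the drops by sid and host pair, and reports the narrowest scope an exception could target. The port-role inference (the side whose port stays constant across hits is the service side) is an assumption of this example, not something the UTM logs state.

```python
import re

# Constructed sample input: the two IPS lines from the post, in the format
# snort on Sophos UTM writes to the IPS log.
SAMPLE_LOG = """\
2019:09:10-02:55:51 mail-2 snort[13000]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="drop" reason="MALWARE-OTHER Ransomware SamSam variant detected" group="500" srcip="192.168.11.20" dstip="192.168.10.31" proto="6" srcport="902" dstport="53906" sid="48814" class="A Network Trojan was Detected" priority="1" generator="1" msgid="0"
2019:09:10-02:58:23 mail-2 snort[13000]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="drop" reason="MALWARE-OTHER Ransomware SamSam variant detected" group="500" srcip="192.168.11.20" dstip="192.168.10.31" proto="6" srcport="902" dstport="53946" sid="48814" class="A Network Trojan was Detected" priority="1" generator="1" msgid="0"
"""

# "<timestamp> <host> <process[pid]>: <key="value" ...>"
HEADER_RE = re.compile(r'^(?P<ts>\S+) (?P<host>\S+) (?P<proc>[^:]+): (?P<rest>.*)$')
KV_RE = re.compile(r'(\w+)="([^"]*)"')
PROTO_NAMES = {"6": "tcp", "17": "udp", "1": "icmp"}


def parse_line(line):
    """Turn one UTM log line into a dict of its fields; None if it does not match."""
    m = HEADER_RE.match(line.strip())
    if not m:
        return None
    rec = {"ts": m.group("ts"), "host": m.group("host"), "proc": m.group("proc")}
    rec.update(KV_RE.findall(m.group("rest")))
    return rec


def parse_log(text):
    """Parse all lines, keeping only IPS subsystem records."""
    records = (parse_line(line) for line in text.splitlines())
    return [r for r in records if r and r.get("sub") == "ips"]


def summarize(records):
    """Group alerts by (sid, srcip, dstip) and collect ports, actions and time span."""
    groups = {}
    for r in records:
        key = (r["sid"], r["srcip"], r["dstip"])
        g = groups.setdefault(key, {
            "count": 0, "reason": r["reason"], "proto": PROTO_NAMES.get(r["proto"], r["proto"]),
            "srcports": set(), "dstports": set(), "actions": set(),
            "first": r["ts"], "last": r["ts"],
        })
        g["count"] += 1
        g["srcports"].add(r["srcport"])
        g["dstports"].add(r["dstport"])
        g["actions"].add(r["action"])
        g["last"] = r["ts"]
    return groups


def exception_scope(groups):
    """For each group, describe the narrowest scope an exception would need.

    Assumption of this example: if one side's port is constant across hits while
    the other side's port varies, the constant side is the service port, and the
    flagged packets flow from that service toward the ephemeral-port client.
    """
    scopes = []
    for (sid, src, dst), g in groups.items():
        if len(g["srcports"]) == 1 and len(g["dstports"]) > 1:
            service = f"{src}:{next(iter(g['srcports']))}/{g['proto']}"
            direction = f"replies from service {service} to client {dst}"
        elif len(g["dstports"]) == 1 and len(g["srcports"]) > 1:
            service = f"{dst}:{next(iter(g['dstports']))}/{g['proto']}"
            direction = f"requests from client {src} to service {service}"
        else:
            direction = f"{src} -> {dst}/{g['proto']} (port pattern inconclusive)"
        scopes.append({
            "sid": sid, "source_host": src, "destination_host": dst,
            "hits": g["count"], "reason": g["reason"], "direction": direction,
        })
    return scopes


def report(text):
    """Human-readable triage summary for a block of IPS log lines."""
    lines = []
    for s in exception_scope(summarize(parse_log(text))):
        lines.append(f"sid {s['sid']} ({s['reason']}): {s['hits']} hit(s), {s['direction']}")
        lines.append(f"  narrowest exception scope: source {s['source_host']} -> destination {s['destination_host']}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_LOG))
```

Run against the two lines from the post it shows a single rule (sid 48814) firing twice on one host pair, with a fixed source port and varying destination ports, which is why the scope an exception has to match is that exact ESXi-to-Veeam pair rather than a whole network.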
 


  • Hey Martin,

    from which log files is that error?

    "A Network Trojan was Detected" isn't the kind of warning which you should ignore and easily add an exception for. =/

    Sometimes it can help to restart the IPS module, because some exceptions are only applied to new connections, I believe.

    Greetings,

    Flo

  • Hi Flo,

    From IPS log:

    sub="ips"

    Triggered Adv. protection alerts

    ----

    Best regards Martin ;-)

    Sophos UTM Certified Engineer v9.7
    Sophos XG Certified Architect v18.0
    Homelab: 2 x SG210 XG v18 (HA A/P) - 3xAPX530 - 1 x SG210 v9.7 - 1 x UTM 220 v9.7 - 1 x SG135 v9.7 (All Fullguard Plus licenses)