This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

IPS triggering on UTM VM backup

Hi folks,

A quick one, I'm trying to backup an UTM VM over IPsec. It works fine although I've had to modify two IPS signatures; 48812 & 48814 (which i've set to alert only).

Based on the IPS notification, I would appreciate if anyone could give me a hint at how to make a correct exclusion for that backup traffic, effectively excluding it from all IPS scanning. I suspect the local snort DB itself transiting on the wire and false positively triggering IPS.

I've tried to make a service entry with source port 902 / dst port 1:65535 and excluding IPS on that service although this fails.

Thanks for any inputs.


Message........: MALWARE-OTHER Ransomware SamSam variant detected
Time...........: 2020-05-23 06:08:31
Packet dropped.: no
Priority.......: high
Classification.: A Network Trojan was Detected
IP protocol....: 6 (TCP)
Source IP address: (
Source port: 902 (ideafarm-chat)
Destination IP address:
Destination port: 26135


This thread was automatically locked due to age.
  • Hi Mokaz,

    Please show us a representative line from the Intrusion Prevention log.  If you prefer, obfuscate IPs like 84.XX.YY.121, 10.X.Y.100, 192.168.X.200 and 172.2X.Y.51.  That lets us see immediately which IPs are local and which are identical or just in the same subnet.

    Cheers - Bob

    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Out of curiosity, what backup technology (Or product) is used for that? And in addition to the request from Bob, maybe show a screenshot of your IPS exclusion.

    Best regards