This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

IPS against Skype for Business (on prem at customer site)

Hi everyone,

we are having issues with the customers skype for business (still on prem) because of IPS.

After a while the voice stops and our users at the office (it is working from home or data plan) cannot voip anymore.

The IPS log shows the IP(s) of the customer and UDP flood.

As i do not know which customers use what IP, i cannot (and i don't wanna) configure all IPs (ranges are not working)  in IPS exceptions. Is there an easy way (without disabling UDP flooding) to accomplish good voice quality for everyone?

Or can i whitelist "german or some european countries" for UDP flooding?

Log entry where 213.95.x is the customers skype server

2021:11:17-14:10:56 fw3str-1 ulogd[35793]: id="2105" severity="info" sys="SecureNet" sub="ips" name="UDP flood detected" action="UDP flood" fwrule="60013" initf="eth5" srcmac="3c:13:cc:53:df:80" dstmac="00:1a:8c:f0:4e:65" srcip="213.95.x" dstip="62.96.x" proto="17" length="650" tos="0x00" prec="0x00" ttl="122" srcport="53916" dstport="20388"

BR

Stephan



This thread was automatically locked due to age.
Parents
  • Hallo Stephan,

    Usually, Amodin is spot on, but only his second suggestion can work.  To narrow down what you might need there, show us what result you get from the following commands:

    • zgrep '"UDP flood"' /var/log/ips/2021/11/*|grep -oP 'srcip=".*?"'|sort -n|uniq -c|sort -n
    • zgrep '"UDP flood"' /var/log/ips/2021/11/*|grep -oP 'dstip=".*?"'|sort -n|uniq -c|sort -n
    • zgrep '"UDP flood"' /var/log/ips/2021/11/*|grep -oP 'dstport=".*?"'|sort -n|uniq -c|sort -n

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • I bow to your wisdom, Bob.  Smiley

    I wasn't sure of it myself, but used that tactic for a bit in the past with oddities and usually end up deleting that modification a few days after using it.

    OPNSense 64-bit | Intel Xeon 4-core v3 1225 3.20Ghz
    16GB Memory | 500GB SSD HDD | ATT Fiber 1GB
    (Former Sophos UTM Veteran, Former XG Rookie)

  • Yeah, rule 60013 is the fwrule ID in the Firewall log (ulogd) for dropping a packet that's part of a UDP Flooding attempt.

    The 'Manual Rule Modification' is for Snort IDs found in the Intrusion Prevention log, sid="#####".

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
Reply
  • Yeah, rule 60013 is the fwrule ID in the Firewall log (ulogd) for dropping a packet that's part of a UDP Flooding attempt.

    The 'Manual Rule Modification' is for Snort IDs found in the Intrusion Prevention log, sid="#####".

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
Children
No Data