RichBaldry Is Sophos aware of and working on this?
https://claroty.com/2022/04/14/blog-research-blinding-snort-breaking-the-modbus-ot-preprocessor/
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-snort-dos-9D3hJLuj
Under 58906, 58907 on the ID.
Astaro IPS Rules
XG 19.5 GA 64-bit | Intel Xeon 4-core v3 1225 3.20Ghz 16GB Memory | 500GB SSD HDD | GB Ethernet x5
Well I tried to reply to this topic, but my reply was actually being moderated and labeled as 'spam'.
At any rate, let's see if this works - IPS rules has two listings for it. Astaro IPS Rules
Thanks for the info! Unfortunately the Snort site doesn't have details on the two IDs. I'm afraid that the Snort software itself needs to be updated by/on Sophos though. I currently see Snort Version 2.9.17.1 on a 9.710-1 Sophos UTM. I found this interesting link which states that the Snort engine can be delivered by Sophos via the pattern updates. That's why I tried to ask RichBaldry here.
You should create a Support Case to get this answer.
Yes, this is on our radar and we are working on a patch for the current Snort engine. In the meantime, the risk of this being used by an external attacker is virtually eliminated by blocking inbound TCP connections on TCP port 502.
Thank you! Publicly here in the Sophos Community the info should be useful for the time being.