
Reset outside window - false alarm?

I'm getting thousands of these a day, most times (99.99%) with internal sources, sometimes with an external source.
Firmware is 17.1.3 MR3



  • We are getting thousands of these per day as well. I suspect it was affecting functionality on some of the sites our users visit. They were complaining of intermittent time-outs. Support was able to change IPS to "detect" versus "drop" somehow in the CLI even though IPS was disabled on the rules in question. He seemed to realize quickly it was a known issue and escalated my case after grabbing some logs. v17.1.3 MR-3

  • Any chance you can post the rule responsible for this?  I can't seem to find it.

  • Hi  

    [Update] This KBA has been published for this issue.

    Regards,


    Florentino
    Director, Global Community & Digital Support

    Are you a Sophos Partner? | Product Documentation@SophosSupport | Sign up for SMS Alerts
    If a post solves your question, please use the 'Verify Answer' button.
    The Award-winning Home of Sophos Support Videos! - Visit Sophos Techvids
  • That was part of the issue that was frustrating. Even if an IPS policy wasn't applied to the firewall rule in question it would still interfere with traffic and the user would experience time-outs on business critical websites, etc. So basically it's buggy IPS in itself generating 250,000+ "reset outside window" events AND the bugged IPS is being applied when it shouldn't be.

     

    Support was able to change IPS to "alert" versus "drop" in the CLI and that got users going again but they've since escalated the case to the "global escalation specialists". Obviously we want IPS working as intended so it's only a workaround.

     

    Some other potential false positives with IPS we see with possible effects on legit traffic:
    "Data sent on stream after TCP Reset received" = 40,000+ times/day
    "TCP Timestamp is missing" = 10,000+ times/day
    "...Lets Encrypt SSL cert.." = 5000+ times/day

    We have about 250 users at this location.

    Will update as we find more.

  • I am getting these as well, I did follow the KB, what is confusing me is I am on XG105w 17.5.3 MR-3. So I would think Sophos would have fixed this by now without me having to use the KB. Since they still have the KB in place and are not sending the fix out with the latest release I am assuming that this is not completely fixed and the KB is a workaround until Sophos can figure out why there are so many false positives?

     

    What I am looking for here is why was it enabled in the first place and what threats am I exposing the network to if I disable it?

    Respectfully, 

     

    Badrobot

     

  • Hey  

    The fix to this issue was the setting being disabled by default starting with SFOS v17.1.4 MR-4, so I apologize as it seems this did not occur for you.

    As I mentioned previously:

    • This specific IPS signature has been disabled by default, starting with SFOS v17.1.4 MR-4 due to customers experiencing excessive false-positives.

      These IPS signatures are triggered by TCP anomalies (includes RST packets received outside of window). This was causing some customers to experience valid RST packets being false-positively dropped.

      Customers still experiencing excessive false-positives should raise a support case for further investigation. However, this setting can also be disabled via the console command (set ips tcp_option detect_anomalies disable) to allow the TCP anomaly decision to be made by the host client OS instead if desired.

    Please continue to monitor and let me know if you run into any further issues.

    Regards,


    Florentino
    Director, Global Community & Digital Support

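The anomaly the signature keys on, as an added illustration written for this thread (not Sophos code; the exact test SFOS applies is not stated here): a wrap-safe sequence-number window check for an incoming RST, with the endpoint's RFC 5961 rule beside a simpler middlebox rule, and a constructed case where an inspecting device whose window estimate is smaller than the host's (assumed: it missed the window-scale option in the SYN) flags an RST the host itself would handle.

```python
# Added model of a "reset outside window" decision; not SFOS code, and the
# window the firewall actually tracks per flow is an assumption of this model.
from dataclasses import dataclass

MOD = 1 << 32  # TCP sequence numbers wrap modulo 2^32


def seq_in_window(seq: int, rcv_nxt: int, rcv_wnd: int) -> bool:
    """RFC 793 acceptability test for a zero-length segment, wrap-safe."""
    if rcv_wnd == 0:
        return seq == rcv_nxt
    return (seq - rcv_nxt) % MOD < rcv_wnd


@dataclass
class FlowState:
    rcv_nxt: int  # next sequence number the receiver expects
    rcv_wnd: int  # receive window in bytes (after any window scaling)


def classify_rst(state: FlowState, seq: int, strict: bool) -> str:
    """Verdict for an RST carrying SEG.SEQ == seq.

    strict=True models the RFC 5961 host rule: only SEQ == RCV.NXT resets the
    connection, any other in-window RST earns a challenge ACK, and out-of-window
    RSTs are silently dropped. strict=False models an inline device that treats
    every in-window RST as valid and everything else as an anomaly.
    """
    if seq == state.rcv_nxt:
        return "accept"
    if seq_in_window(seq, state.rcv_nxt, state.rcv_wnd):
        return "challenge" if strict else "accept"
    return "outside_window"


def middlebox_vs_host(seq: int, host: FlowState, middlebox: FlowState):
    """Compare the endpoint's verdict with the inspecting device's verdict.

    Returns (host_verdict, middlebox_verdict, false_positive), where a false
    positive is an RST the host would act on (reset or challenge) but the
    device reports as outside the window. Constructed case: the host negotiated
    a scaled window, the device only ever saw an unscaled 16-bit window.
    """
    h = classify_rst(host, seq, strict=True)
    m = classify_rst(middlebox, seq, strict=False)
    return h, m, (h != "outside_window" and m == "outside_window")


if __name__ == "__main__":
    host = FlowState(rcv_nxt=1000, rcv_wnd=65535 << 7)   # scale factor 7 seen
    device = FlowState(rcv_nxt=1000, rcv_wnd=65535)      # scaling never seen
    print(middlebox_vs_host(101000, host, device))        # host challenges, device flags
```

The mismatch is the same class of problem as the post describes: the endpoint, which sees the whole handshake, is the better judge, which is why the console command hands the TCP anomaly decision back to the host OS.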
  • It is not true that TCP anomaly detection is disabled starting with SFOS v17.1.4 MR-4, at least on my Sophos Home machine.

    I did a fresh install using the 17.5.6 MR-5 ISO without loading any previous backup. It was automatically updated to MR6 when I activated the license.

    I logged in to the console and found that "var DETECT_ANOMALIES" is set to "yes":

    console> show ips_conf
    config stream 1
    config maxsesbytes 0
    config stdsig 1
    config qnum 10
    config maxpkts 8
    config disable_tcpopt_experimental_drops 0
    config enable_appsignatures 1
    var SEARCH_METHOD ac-q
    var SIP_STATUS enabled
    var IGNORE_CALL_CHANNEL enabled
    var TCP_POLICY windows
    var LOCAL_RULE local.rules
    var DETECT_ANOMALIES yes
    var TCP_BLOCK block
    config failclose off
    config cpulist 0:1

    Run the suggested command to disable anomaly detection:

    console> set ips tcp_option detect_anomalies disable

    Check the ips_conf again; "var DETECT_ANOMALIES" is now set to "no":


    console> show ips_conf
    config stream 1
    config maxsesbytes 0
    config stdsig 1
    config qnum 10
    config maxpkts 8
    config disable_tcpopt_experimental_drops 0
    config enable_appsignatures 1
    var SEARCH_METHOD ac-q
    var SIP_STATUS enabled
    var IGNORE_CALL_CHANNEL enabled
    var TCP_POLICY windows
    var LOCAL_RULE local.rules
    var TCP_BLOCK nblock
    config failclose off
    config cpulist 0:1
    var DETECT_ANOMALIES no

  • The bug is still not fixed in V17.5.6 MR-6.
    Users need to fix it with the console command...