New Suggested 7/23/2024 by Pol Balaguer

Sophos IPS Log Messages: Anomaly - Removed the urgent flag and pointer in TCP header / Enforces IPS protection

https://community.sophos.com/sophos-xg-firewall/f/discussions/143386/ips-log-messages-anomaly---removed-the-urgent-flag-and-pointer-in-tcp-header-enforces-ips-protection

For some time now, we have been getting the following IPS log messages:

Example 1

2024-01-16 12:12:20 IPS messageid="06001" log_type="IDP" log_component="Anomaly" log_subtype="Detect" ips_policy="" ips_policy_id="0" fw_rule_id="140" fw_rule_name="x1" fw_rule_section="Local rule" user="xxx@xxx.de" sig_id="1" message="Removed the urgent flag and pointer in TCP header" classification="Potentially Bad Traffic" rule_priority="2" src_ip="10.20.30.25" src_country="R1" dst_ip="172.16.16.142" dst_country="R1" protocol="TCP" src_port="64642" dst_port="1521" OS="All" category="Misc" victim="All"

The source is an internal client PC running our software application, which uses the Oracle client to access our internal Oracle DB server as the destination. All internal / LAN traffic.

Example 2

2024-01-16 13:05:01 IPS messageid="06001" log_type="IDP" log_component="Anomaly" log_subtype="Detect" ips_policy="" ips_policy_id="0" fw_rule_id="137" fw_rule_name="x2" fw_rule_section="Local rule" user="" sig_id="1" message="Removed the urgent flag and pointer in TCP header" classification="Potentially Bad Traffic" rule_priority="2" src_ip="172.16.16.142" src_country="R1" dst_ip="10.20.1.11" dst_country="R1" protocol="TCP" src_port="51806" dst_port="1521" OS="All" category="Misc" victim="All"

The source is an Oracle DB server accessing another Oracle DB server. All internal / LAN traffic.

Settings

Intrusion prevention -> IPS policies -> IPS protection: ON

Firewall rules 140 and 137 have IPS disabled (none), as it is internal traffic.

Why is IPS still active, and how can I prevent it from messing with my traffic?

https://doc.sophos.com/nsg/sophos-firewall/19.5/Help/en-us/webhelp/onlinehelp/AdministratorHelp/IntrusionPrevention/IPSPolicies/index.html#turn-on-ips-protection

From the online help, it is not clear to me what "IPS protection: ON" does. The help says "IPS switch ON = Enforces IPS protection". But does it mean IPS is always ON no matter how the firewall rule IPS setting is configured? Looks like it.
The help further says: IPS switch: Off -> Doesn't update signatures. You can add IPS policies to rules (example: firewall rules). ? So then I can change IPS per firewall rule but don't get signature updates?

SFOS 19.5.3 MR-3-Build652
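To triage messages like the two above, it helps to parse the key="value" format and check whether anomaly detections are being attributed to firewall rules that were configured with IPS set to none. The following is an added example, not code from the post or from Sophos; the sample lines are copies of the two messages quoted above, and the set of rule IDs with IPS disabled is supplied by hand.

```python
import re
from collections import Counter

# Constructed sample input: the two IPS lines quoted in the post above.
SAMPLE_LOGS = [
    '2024-01-16 12:12:20 IPS messageid="06001" log_type="IDP" log_component="Anomaly" log_subtype="Detect" ips_policy="" ips_policy_id="0" fw_rule_id="140" fw_rule_name="x1" fw_rule_section="Local rule" user="xxx@xxx.de" sig_id="1" message="Removed the urgent flag and pointer in TCP header" classification="Potentially Bad Traffic" rule_priority="2" src_ip="10.20.30.25" src_country="R1" dst_ip="172.16.16.142" dst_country="R1" protocol="TCP" src_port="64642" dst_port="1521" OS="All" category="Misc" victim="All"',
    '2024-01-16 13:05:01 IPS messageid="06001" log_type="IDP" log_component="Anomaly" log_subtype="Detect" ips_policy="" ips_policy_id="0" fw_rule_id="137" fw_rule_name="x2" fw_rule_section="Local rule" user="" sig_id="1" message="Removed the urgent flag and pointer in TCP header" classification="Potentially Bad Traffic" rule_priority="2" src_ip="172.16.16.142" src_country="R1" dst_ip="10.20.1.11" dst_country="R1" protocol="TCP" src_port="51806" dst_port="1521" OS="All" category="Misc" victim="All"',
]

# key="value" pairs; values may be empty (ips_policy="") or contain spaces.
KV_RE = re.compile(r'(\w+)="([^"]*)"')


def parse_ips_line(line):
    """Return the timestamp, the 'IPS' tag and every key="value" field as a dict."""
    date, time, tag, rest = line.split(" ", 3)
    fields = dict(KV_RE.findall(rest))
    fields["timestamp"] = f"{date} {time}"
    fields["tag"] = tag
    return fields


def anomaly_hits(lines, ips_off_rules):
    """Anomaly detections attributed to firewall rules configured with IPS = none.

    ips_off_rules: set of fw_rule_id strings (as they appear in the log) that the
    admin set up without an IPS policy. Hits here show the anomaly engine acting
    independently of the per-rule IPS policy, which is what the post asks about.
    """
    hits = []
    for line in lines:
        f = parse_ips_line(line)
        if f.get("log_component") == "Anomaly" and f.get("fw_rule_id") in ips_off_rules:
            hits.append(f)
    return hits


def summarise(hits):
    """Count hits per (src_ip, dst_ip, dst_port) to see which flows are affected."""
    return Counter((h["src_ip"], h["dst_ip"], h["dst_port"]) for h in hits)


if __name__ == "__main__":
    # Rule IDs 140 and 137 are the ones the post says have IPS disabled.
    for flow, n in summarise(anomaly_hits(SAMPLE_LOGS, {"137", "140"})).items():
        print(f"{n}x {flow[0]} -> {flow[1]}:{flow[2]}")
```

Feeding the firewall's exported IPS log through this shows at a glance whether the "Anomaly" component fires only on rules without an IPS policy, which narrows the question to the global IPS switch rather than the per-rule setting.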