Sophos UTM v9 Intrusion Prevention and Creating Exceptions


Sophos UTM v9 Intrusion Prevention and Creating Exceptions



Sophos’ Astaro firewall appliances and UTMs can come with a variety of configurable features, such as intrusion prevention, web security, and mail security.  Some of these features, such as intrusion prevention, utilize open source technologies, such as Snort (, an open source network intrusion prevention and detection system.

The Problem

After a fairly recent upgrade for a client, it was reported that some downloads were getting dropped. Additionally, it was discovered that the Windows FTP client would time out and could no longer access the client’s public FTP outside the network. The FTP server was showing that a connection was trying to be established; however a connation could not be completed. Oddly enough, 3rd party FTP clients, such as FileZilla, could still access the public FTP.

Identifying the Issue 

One of the nice things about the Astaro firewall appliance’s/UTM’s is that a live log of a specific feature can be viewed. Since connections were dropping (note in my photo that ‘Drop silently’ is selected), I decided to take a look at the intrusion prevention.

After opening up the logs and I initiated the download again. Since I did not know the IP address of the place I was trying to get my download from (SourceForge in this case), I ran an ipconfig in a command prompt so I would know what information I would need. Here is the code that was returned:

2013:01:09-17:23:13 astarofirewall-01-1 snort[28656]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="drop" reason="FILE-OTHER RealNetworks Netzip Classic zip archive long filename buffer overflow attempt" group="500" srcip="" dstip="" proto="6" srcport="80" dstport="51436" sid="24229" class="Attempted User Privilege Gain" priority="1" generator="1" msgid="0"

In my example, there are 3 pieces of information I care about:

  • Where I am downloading from, the srcip (source ip): 
  • Where I’m trying to download to, the dstip (destination ip):
  • The sid (Snort rule): 24229

Note: The ‘live log’ will not have syntax highlighting. An example has been provided below.

Adjusting Intrusion Prevention Rules

Before I made adjustments to any rules, I went to Snorts website to research the rule in question. In this particular case, Snort already changed their own default rules on 9/21/2012…

  • Step 1: Next, I went to Network Protection > Intrusion Prevention > Advanced 
  • Step 2: Click on the ‘Plus sign to add the new exception
  • Step 3: Add the rule id found from sid.
  • Step 4: Check ‘Disable this rule’

The rule will now appear as disabled in the ‘Modified rules’ list.

Verify that the download is now working correctly.

Note: There are occasions where certain file extension can flag several rules, however may be difficult to flush out as successive rules may not show up in the ‘live log’ until you disable the first rule that is getting flagged.

KeepWatch by InterWorks

Whether you need support for one platform or many, our technical experts have you covered.

More About the Author

Ideen Jahanshahi

Solutions Architect
Veeam NAS Backup: Integrating with Dell EMC Isilon Those of us who have been in the backup realm a long time remember when Veeam Backup and Replication (Veeam B&R) was one of the top ...
The InterWorks Approach to Great Consulting: Part 3 If you’ve been following along, you know that this blog miniseries is all about dissecting the shared traits that some of my most ...

See more from this author →

InterWorks uses cookies to allow us to better understand how the site is used. By continuing to use this site, you consent to this policy. Review Policy OK


Interworks GmbH
Ratinger Straße 9
40213 Düsseldorf
Geschäftsführer: Mel Stephenson

Telefon: +49 (0)211 5408 5301

Amtsgericht Düsseldorf HRB 79752
UstldNr: DE 313 353 072


Love our blog? You should see our emails. Sign up for our newsletter!