topic Re: Attack detected by IPS: TCP Urgent Data Enforcement in Spark Firewall (SMB)

Attack detected by IPS: TCP Urgent Data Enforcement

G_W_Albrecht — Fri, 25 Oct 2019 08:20:19 GMT

Testing the WatchTower App, Statistics page started showing a strange attack:

But IPS Protections do not include this attack ! But we have an SK to the rescue: sk36869 "TCP segment with urgent pointer. Urgent data indication was stripped. Please refer to sk36869." log in SmartView Tracker / SmartLog

This includes a hint for Locally Managed 600 / 700 / 1100 / 1200R / 1400 appliances - and look where this is hidden:

It is the TCP streaming engine, stupid 😅 !

Re: Attack detected by IPS: TCP Urgent Data Enforcement

PhoneBoy — Sun, 27 Oct 2019 00:15:32 GMT

As you probably know, some IPS signatures are actually lower-level firewall checks.
On regular R80.x gateways, these would be in Inspection Settings or even Core Protections.

Re: Attack detected by IPS: TCP Urgent Data Enforcement

leonarit — Mon, 06 Feb 2023 13:11:17 GMT

I'm having an issue related to the "TCP segment with urgent pointer" protection, I have an app that's using the rlogin protocol on an non default port.

Does anyone knows if it's possibly make an exclusion for this core protection on the SMB firewalls? We are using an 1800 (R81.10 (996000575)), since this protection it's not directly related to the IPS blade I can't create an exception for it.

The log mentions the sksk36869, but this sk only explains how to change the fw to not strip the tcp urgent flag.

I would like to keep that protection active and make only an exception for the required flow.

Re: Attack detected by IPS: TCP Urgent Data Enforcement

Chris_Atkinson — Mon, 06 Feb 2023 13:53:44 GMT

I think in the context of locally managed devices atleast you only have the option of Detect vs Prevent here (for this protection in Advanced settings). Nothing I can find in the CLI or Web UI suggests differently unfortunately.

Re: Attack detected by IPS: TCP Urgent Data Enforcement

PhoneBoy — Mon, 06 Feb 2023 16:18:03 GMT

You should be able to apply the require change for the specific port in $FWDIR/lib/user.def on the SMB appliance for the specified port (which you say is non-standard).
The (undocumented) command fw_configload can be used to recompile the policy with this change.

For an exception that can be configured via the WebUI, this is quite likely an RFE.

Re: Attack detected by IPS: TCP Urgent Data Enforcement

leonarit — Tue, 07 Feb 2023 14:28:19 GMT

Thanks for the information, I noticed that in the sk36869 it says:

Procedure for Locally Managed Quantum Spark appliances with Gaia Embedded OS

Connect to the Gaia Portal on the appliance.
Go to the "Device" tab.
Click "Advanced Settings".
Search for "Streaming Engine Settings".
Change the value of "TCP Urgent Data Enforcement" from "prevent" to "detect"

Despite that information I tried to configure the user.def but it didn't work, the fw still classifies the tcp port an attack.

#ifndef __user_def__
#define __user_def__

//
// User defined INSPECT code
//

tcp_urgent_ports_user={<6400;URGENT_DATA_INLINE>};

#endif /* __user_def__ */

It seems I will have to keep the global TCP Urgent Data Enforcement protection disabled.

Re: Attack detected by IPS: TCP Urgent Data Enforcement

G_W_Albrecht — Tue, 07 Feb 2023 15:34:26 GMT

This is not possible as it is the same Advanced Setting as above: sk36869 mentions TCP Urgent Data Enforcement - setting this to detect should be the solution, but exclusion is not possible. You can ask TAC, though...

Re: Attack detected by IPS: TCP Urgent Data Enforcement

PhoneBoy — Tue, 07 Feb 2023 16:22:59 GMT

Did you execute fw_configload after making the change and wait a few minutes before trying?

Re: Attack detected by IPS: TCP Urgent Data Enforcement

leonarit — Tue, 07 Feb 2023 16:31:38 GMT

Yes, I did run the fw_configload command and the policy was loaded without any errors.

After some minutes I also changed the advanced settings " TCP Urgent Data Enforcement " from detect to prevent and the test was done after 5 minutes since the last policy change.

I'm assuming the changes made from the webgui call the fw_configload to load the policy, and the changes in the user.def are also reflected in the policy installed.

Re: Attack detected by IPS: TCP Urgent Data Enforcement

PhoneBoy — Tue, 07 Feb 2023 18:42:55 GMT

Yes, when you make changes in the WebUI that require access policy changes, they will be compiled and installed in the background.
I believe "fw stat" will actually confirm the last time the policy was compiled/installed.