G_W_Albrecht
Legend

Attack detected by IPS: TCP Urgent Data Enforcement

Testing the WatchTower App, Statistics page started showing a strange attack:

[Image: UrgentData.jpg]

But IPS Protections do not include this attack! But we have an SK to the rescue: sk36869 ("TCP segment with urgent pointer. Urgent data indication was stripped. Please refer to sk36869." log in SmartView Tracker / SmartLog).

This includes a hint for Locally Managed 600 / 700 / 1100 / 1200R / 1400 appliances - and look where this is hidden:

[Image: TCP streaming engine.jpg]

It is the TCP streaming engine, stupid! 😅

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
9 Replies
PhoneBoy
Admin

As you probably know, some IPS signatures are actually lower-level firewall checks.
On regular R80.x gateways, these would be in Inspection Settings or even Core Protections.
0 Kudos
leonarit
Contributor

I'm having an issue related to the "TCP segment with urgent pointer" protection. I have an app that's using the rlogin protocol on a non-default port.

Does anyone know if it's possible to make an exclusion for this core protection on the SMB firewalls? We are using an 1800 (R81.10 (996000575)); since this protection is not directly related to the IPS blade, I can't create an exception for it.

The log mentions sk36869, but this sk only explains how to change the FW to not strip the TCP urgent flag.

I would like to keep that protection active and make only an exception for the required flow.

[Image: TCP Urgent.png]

0 Kudos
Chris_Atkinson
Employee

I think in the context of locally managed devices, at least, you only have the option of Detect vs Prevent here (for this protection in Advanced settings). Nothing I can find in the CLI or Web UI suggests differently, unfortunately.

CCSM R77/R80/ELITE
PhoneBoy
Admin

You should be able to apply the required change for the specific port in $FWDIR/lib/user.def on the SMB appliance for the specified port (which you say is non-standard).
The (undocumented) command fw_configload can be used to recompile the policy with this change.

For an exception that can be configured via the WebUI, this is quite likely an RFE.

(1)
leonarit
Contributor

Thanks for the information, I noticed that in the sk36869 it says:

Procedure for Locally Managed Quantum Spark appliances with Gaia Embedded OS

  1. Connect to the Gaia Portal on the appliance.

  2. Go to the "Device" tab.

  3. Click "Advanced Settings".

  4. Search for "Streaming Engine Settings".

  5. Change the value of "TCP Urgent Data Enforcement" from "prevent" to "detect".

Despite that information, I tried to configure the user.def, but it didn't work: the FW still classifies the TCP port as an attack.

#ifndef __user_def__
#define __user_def__

//
// User defined INSPECT code
//

tcp_urgent_ports_user={<6400;URGENT_DATA_INLINE>};

#endif /* __user_def__ */

It seems I will have to keep the global TCP Urgent Data Enforcement protection disabled.

0 Kudos
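As an added illustration, not code from the thread or from Check Point, here is a simplified Python model of what the enforcement does to a TCP segment in prevent versus detect mode, and how a per-port inline exclusion like the user.def entry above changes the outcome. Port 6400 is taken from the posted user.def; the flag constant, the exclusion set and the test segment builder are assumptions of this example.

```python
import struct

URG = 0x20  # TCP URG flag bit in the data-offset/flags word

# Ports whose urgent data passes inline instead of being stripped. This mirrors the
# thread's user.def entry tcp_urgent_ports_user={<6400;URGENT_DATA_INLINE>}; the
# port number is the poster's, the set itself is an assumption of this example.
INLINE_PORTS = {6400}


def parse_tcp_header(segment: bytes) -> dict:
    """Unpack the fixed 20-byte TCP header (RFC 793 layout, options ignored)."""
    if len(segment) < 20:
        raise ValueError("segment shorter than a TCP header")
    sport, dport, _seq, _ack, off_flags, _win, _csum, urg_ptr = struct.unpack(
        "!HHIIHHHH", segment[:20])
    return {"sport": sport, "dport": dport, "flags": off_flags & 0x1FF,
            "off_flags": off_flags, "urg_ptr": urg_ptr}


def enforce_urgent(segment: bytes, mode: str = "prevent"):
    """Apply one TCP Urgent Data Enforcement decision; returns (segment, log).

    'prevent' clears URG and zeroes the urgent pointer (the 'stripped' log case);
    'detect' only logs. A port in INLINE_PORTS is left alone either way, like an
    URGENT_DATA_INLINE entry. The checksum is not recomputed here; a real gateway
    must do that after stripping.
    """
    hdr = parse_tcp_header(segment)
    if not (hdr["flags"] & URG) or hdr["urg_ptr"] == 0:
        return segment, None  # no urgent data indication: nothing to enforce
    if hdr["sport"] in INLINE_PORTS or hdr["dport"] in INLINE_PORTS:
        return segment, None  # excluded port: urgent data passes inline
    log = (f"TCP segment with urgent pointer. {hdr['sport']}->{hdr['dport']} "
           f"urg_ptr={hdr['urg_ptr']}")
    if mode == "detect":
        return segment, log
    out = bytearray(segment)
    struct.pack_into("!H", out, 12, hdr["off_flags"] & ~URG)  # clear URG bit
    struct.pack_into("!H", out, 18, 0)                        # zero urgent pointer
    return bytes(out), log + " Urgent data indication was stripped."


def build_segment(sport: int, dport: int, flags: int, urg_ptr: int,
                  payload: bytes = b"") -> bytes:
    """Constructed test segment: 20-byte header, no options, given flags/payload."""
    return struct.pack("!HHIIHHHH", sport, dport, 1, 1, (5 << 12) | flags,
                       65535, 0, urg_ptr) + payload
```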
PhoneBoy
Admin

Did you execute fw_configload after making the change and wait a few minutes before trying?

0 Kudos
leonarit
Contributor

Yes, I did run the fw_configload command and the policy was loaded without any errors.

After some minutes I also changed the advanced setting "TCP Urgent Data Enforcement" from detect to prevent, and the test was done 5 minutes after the last policy change.

I'm assuming the changes made from the WebGUI call fw_configload to load the policy, and the changes in the user.def are also reflected in the policy installed.

0 Kudos
PhoneBoy
Admin

Yes, when you make changes in the WebUI that require access policy changes, they will be compiled and installed in the background.
I believe "fw stat" will actually confirm the last time the policy was compiled/installed.

0 Kudos
G_W_Albrecht
Legend

This is not possible as it is the same Advanced Setting as above: sk36869 mentions TCP Urgent Data Enforcement - setting this to detect should be the solution, but exclusion is not possible. You can ask TAC, though...

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
(1)
