Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
Michael_Horne
Advisor

Bypassing IPS Protections - MySQL

Hello,

I am a bit of the Threat Protection / IPS newbie.  I have done a bit of a search for this issue, but I do not find something matching

There is a service definition for MySQL that matches TCP port 3306. We have an SAP application that is also using TCP port 3306, but not for MySQL.  This was triggering an IPS event that was in "prevent" and was blocking the traffic:

IPS Event

Note: I have managed to enter a global exception for the destination server so that the action is only "detect".

I would like to have no MySQL traffic to be able to use TCP port 3306 without triggering this protection. I cannot directly create an exception like I have for other IPS protection based on source and destination etc. I get the following:

The protection details in the log do not provide any helpful information about what is actually being triggered:

The only IPS protection that I find that seems to match is "General Settings"

When I look at the details of this protection, the only thing I can do is to change the port associated with MySQL:

I could change port associated with MySQL for the IPS, but I do not want to do this for three reason:

  1. I might want the IPS to detect SQL traffic when it is suing the default port.
  2. Changing the port, will just move the same problem to a different port, that might eventually block another application.
  3. This doesn't seem like the "best practices" solution to the problem.

It appears to me that the IPS is assuming the traffic is MySQL based on the TCP port and the applying a protocol analysis / validation based on this.

For this application I have a known / single source and a known / single destination and ideally I would like to disable this protection for this particular source / destination pair.

The only IPS protection that might match this is call "non compliant MySQL".

I do no know if adding a protection for this will help or not. If this was the IPS protection was involved. I would have expected the original log message would have mentioned this in the protection details.

At the moment I have added an exception for the destination server as the "protected Scope" that has an action of "Detect", but as I cannot match the protection "My SQL - General Settings", I have had to set "Detect" for all IPS detections for the destination host.

7 Replies
Vladimir
Champion
Champion

You can try narrowing the exception down by:

And being a lot more specific with source, destination and service port.

0 Kudos
Michael_Horne
Advisor

Hi,

Thanks for the reminder, I keep forgetting about the columns that are hidden by default. I can narrow down my exception for the host based on the service.

Many thanks,

Michael

0 Kudos
G_W_Albrecht
Legend Legend
Legend

This is hard if you have MySQL Servers on your site that need to be accessed thru the GW. Otherwise, you can deactivate the protection completely...

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
Michael_Horne
Advisor

Hi,

One of the reasons for deploying the Security gateways is for network segregation and also for traffic visibility. At the moment they are not fully aware of all the traffic flowing on the LAN environment. If we discover that there is no MYSQL we can do this. The risk being that later someone deploys a MySQL server without notifying anyone.

Many thanks,

Michael

0 Kudos
PhoneBoy
Admin
Admin

Why don't you use a different profile for that server that doesn't include the appropriate signature? 

In other words, create another rule just for the affected server? (Put it in the Protected Scope)

Michael_Horne
Advisor

Hi,

This would work, but it my opinion that this is "slippery slope" that I do not want to start walking one.  Once we have a dedicated profile for one server we might easily start adding customized profiles for other servers. then I am drowning in profiles.

A customized profile just for the server was one option that I did not think about. So thanks for mentioning. Options are always good when looking for a solution!

Many thanks,

Michael

0 Kudos
Mike_Jensen
Advisor

I am having the same issue with one server.  Are we sure that the protection preventing traffic is the "Non compliant MySQL" one?  I also see the Threat Cloud "MySQL - General Settings" protection and the only thing I can change is the port number like you mentioned, I don't seem to have an option to set it to detect, inactive, etc.  

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

Upcoming Events

    CheckMates Events