IPS - Block HTTP Non Compliant
Hi Mates,
How can I check why this Debian APT download is blocked via IPS?
I only have this with two clients. Others have no issue.
Cheers,
David
Probably it's best to investigate with TAC
Hey David,
Couple of questions:
1) What IPS profile is used in TP policy?
2) Considering this is critical, I assume that's why it's blocked... have you tried adding an IPS exception if you know it's 100% legit?
Andy
1) Custom Policy
2) When I let them proxy the traffic via our Squid proxy, the IPS allows this traffic. Also, other Linux servers downloading these packages have no issue. Only two specific Linux systems that run this apt-get command via a Docker container have this issue.
I will go ahead with the TAC 🙂
Indeed, this will be a TAC case. I think the reason it works via the proxy is that the proxy then sets up the connection and downloads the packages.
It is best to make a packet capture on the gateway and, if possible, on the client. The packet capture in the logs is sometimes not enough for TAC.
You can try without, but I think it makes life easier for the TAC engineer.
You are lucky it is HTTP; if it were HTTPS, we would need to share a decrypted packet capture for TAC.
If you like this post please give a thumbs up(kudo)! 🙂
