Channel: Sophos User Bulletin Board

Advanced Threat Protection left system down

I had a friend bring over a PC for me to do a virus removal on. I wasn't thinking when I plugged it into my network. I fixed his PC by simple means. He went on his way. My system was left in chaos. I have tons of logs (below is just a sample) and I cannot connect outside the network. Everything is locked down. I thought it was from the ATP freaking out over what it found. This is a false positive situation. Any help would be appreciated.

"Hello Patrick

The UTM's ATP does not block whole hosts... it only blocks known bad connections. Everything else should work as expected. If you don't have access to the internet, it's something else. Maybe non-working DNS, a missing proxy and/or masquerading rule, a missing packet filter rule, a wrong/missing default gateway on the affected system, wrongly entered proxy settings in the web browser, something broken in the registry after cleanup, etc.

However, ATP will not totally block connections from clients with ATP-blocked traffic.

The red header from ATP will disappear 72h after the last trigger, but this is only cosmetic and should not shield a complete source host from internet access...

/Sascha "

logs:

1.8mb in system messages
-----------------------------------------------------------------------------------------------------
7.5mb in web filtering
------------------------------------------------------------------------------------------------------
3.5kb in User authentication daemon
------------------------------------------------------------------------------------------------------
SMTP proxy

C2/Generic-A



2015:02:18-00:01:02 sophos /usr/sbin/cron[31634]: (httpproxy) CMD (/var/chroot-http/usr/bin/virus_feedback_uploader)
2015:02:18-00:02:01 sophos /usr/sbin/cron[31692]: (root) CMD ( nice -n19 /usr/local/bin/gen_inline_reporting_data.plx)
2015:02:18-00:04:01 sophos /usr/sbin/cron[31823]: (httpproxy) CMD (/var/chroot-http/usr/bin/virus_sample_uploader -p /var/chroot-http)
2015:02:18-00:05:01 sophos /usr/sbin/cron[31864]: (root) CMD ( /usr/local/bin/reporter/system-reporter.pl)
2015:02:18-00:07:01 sophos /usr/sbin/cron[32295]: (root) CMD (/sbin/audld.plx --trigger)
2015:02:18-00:10:02 sophos /usr/sbin/cron[32468]: (root) CMD ( /usr/local/bin/reporter/system-reporter.pl)
2015:02:18-00:10:02 sophos /usr/sbin/cron[32471]: (root) CMD (/var/mdw/scripts/pmx-blocklist-update)
2015:02:18-00:14:01 sophos /usr/sbin/cron[32652]: (httpproxy) CMD (/var/chroot-http/usr/bin/virus_sample_uploader -p /var/chroot-http)
2015:02:18-00:15:01 sophos /usr/sbin/cron[32700]: (root) CMD ( /usr/local/bin/reporter/system-reporter.pl)
2015:02:18-00:16:01 sophos /usr/sbin/cron[311]: (httpproxy) CMD (/var/chroot-http/usr/bin/virus_feedback_uploader)
2015:02:18-00:17:01 sophos /usr/sbin/cron[365]: (root) CMD ( nice -n19 /usr/local/bin/gen_inline_reporting_data.plx)
2015:02:18-00:20:01 sophos /usr/sbin/cron[509]: (root) CMD ( /usr/local/bin/reporter/system-reporter.pl)
2015:02:18-00:20:01 sophos /usr/sbin/cron[512]: (root) CMD (/var/mdw/scripts/pmx-blocklist-update)
2015:02:18-00:22:01 sophos /usr/sbin/cron[954]: (root) CMD (/sbin/audld.plx --trigger)
2015:02:18-00:24:01 sophos /usr/sbin/cron[1097]: (httpproxy) CMD (/var/chroot-http/usr/bin/virus_sample_uploader -p /var/chroot-http)
2015:02:18-00:25:01 sophos /usr/sbin/cron[1135]: (root) CMD ( /usr/local/bin/reporter/system-reporter.pl)
2015:02:18-00:30:01 sophos /usr/sbin/cron[1343]: (root) CMD (/var/mdw/scripts/pmx-blocklist-update)
2015:02:18-00:30:01 sophos /usr/sbin/cron[1344]: (root) CMD ( /usr/local/bin/reporter/system-reporter.pl)
2015:02:18-00:31:01 sophos /usr/sbin/cron[1435]: (httpproxy) CMD (/var/chroot-http/usr/bin/virus_feedback_uploader)
2015:02:18-00:32:01 sophos /usr/sbin/cron[1490]: (root) CMD ( nice -n19 /usr/local/bin/gen_inline_reporting_data.plx)
2015:02:18-00:34:01 sophos /usr/sbin/cron[1596]: (httpproxy) CMD (/var/chroot-http/usr/bin/virus_sample_uploader -p /var/chroot-http)
2015:02:18-00:35:01 sophos /usr/sbin/cron[1639]: (root) CMD ( /usr/local/bin/reporter/system-reporter.pl)
2015:02:18-00:37:01 sophos /usr/sbin/cron[2068]: (root) CMD (/sbin/audld.plx --trigger)
2015:02:18-00:40:02 sophos /usr/sbin/cron[2243]: (root) CMD ( /usr/local/bin/reporter/system-reporter.pl)

----------------------------------------------------------------------------------------------------------------------------
2015:02:18-00:00:04 sophos smtpd[31216]: Reset password: Connecting to Confd was successful.
2015:02:18-00:00:04 sophos smtpd[31216]: Reset password: Confd returned the expected expiry period: 30 day(s).
2015:02:18-00:00:05 sophos smtpd[31216]: Reset password: Expired passwords successfully deleted.
2015:02:18-00:00:05 sophos smtpd[31211]: Expired letters: Removing letters from SPX Portal that are older than 30 days...
2015:02:18-00:00:05 sophos smtpd[31211]: Expired letters: There was an error while removing expired letters:
2015:02:18-00:01:00 sophos exim-out[31593]: 2015-02-18 00:01:00 Start queue run: pid=31593
2015:02:18-00:01:00 sophos exim-out[31593]: 2015-02-18 00:01:00 End queue run: pid=31593
2015:02:18-00:02:01 sophos exim-out[31683]: 2015-02-18 00:02:01 Start queue run: pid=31683
2015:02:18-00:02:01 sophos exim-out[31683]: 2015-02-18 00:02:01 End queue run: pid=31683
2015:02:18-00:03:00 sophos exim-out[31789]: 2015-02-18 00:03:00 Start queue run: pid=31789
2015:02:18-00:03:00 sophos exim-out[31789]: 2015-02-18 00:03:00 End queue run: pid=31789
2015:02:18-00:04:00 sophos exim-out[31807]: 2015-02-18 00:04:00 Start queue run: pid=31807
2015:02:18-00:04:00 sophos exim-out[31807]: 2015-02-18 00:04:00 End queue run: pid=31807
2015:02:18-00:05:00 sophos exim-out[31850]: 2015-02-18 00:05:00 Start queue run: pid=31850
2015:02:18-00:05:00 sophos exim-out[31850]: 2015-02-18 00:05:00 End queue run: pid=31850
2015:02:18-00:06:00 sophos exim-out[31921]: 2015-02-18 00:06:00 Start queue run: pid=31921
2015:02:18-00:40:02 sophos /usr/sbin/cron[2244]: (root) CMD (/var/mdw/scripts/pmx-blocklist-update)
2015:02:18-00:44:01 sophos /usr/sbin/cron[2431]: (httpproxy) CMD (/var/chroot-http/usr/bin/virus_sample_uploader -p /var/chroot-http)
2015:02:18-00:45:01 sophos /usr/sbin/cron[2474]: (root) CMD ( /usr/local/bin/reporter/system-reporter.pl)
2015:02:18-00:46:01 sophos /usr/sbin/cron[2553]: (httpproxy) CMD (/var/chroot-http/usr/bin/virus_feedback_uploader)
2015:02:18-00:47:01 sophos /usr/sbin/cron[2608]: (root) CMD ( nice -n19 /usr/local/bin/gen_inline_reporting_data.plx)
2015:02:18-00:50:01 sophos /usr/sbin/cron[2752]: (root) CMD (/var/mdw/scripts/pmx-blocklist-update)
2015:02:18-00:50:01 sophos /usr/sbin/cron[2753]: (root) CMD ( /usr/local/bin/reporter/system-reporter.pl)
2015:02:18-00:52:01 sophos /usr/sbin/cron[3209]: (root) CMD (/sbin/audld.plx --trigger)
2015:02:18-00:54:01 sophos /usr/sbin/cron[3362]: (httpproxy) CMD (/var/chroot-http/usr/bin/virus_sample_uploader -p /var/chroot-http)
2015:02:18-00:55:01 sophos /usr/sbin/cron[3403]: (root) CMD ( /usr/local/bin/reporter/system-reporter.pl)
2015:02:18-01:00:01 sophos /usr/sbin/cron[3619]: (root) CMD ( /usr/local/bin/reporter/system-reporter.pl)
2015:02:18-01:00:01 sophos /usr/sbin/cron[3631]: (root) CMD ( /usr/local/bin/rpmdb_backup )
2015:02:18-01:00:01 sophos /usr/sbin/cron[3634]: (root) CMD ( /var/chroot-httpd/var/webadmin/extra/httpd_session_cleanup)
2015:02:18-01:00:01 sophos /usr/sbin/cron[3635]: (root) CMD (/sbin/hwclock --systz --utc)
2015:02:18-01:00:01 sophos /usr/sbin/cron[3636]: (root) CMD (/var/mdw/scripts/pmx-blocklist-update)
2015:02:18-01:01:01 sophos /usr/sbin/cron[3763]: (httpproxy) CMD (/var/chroot-http/usr/bin/virus_feedback_uploader)
2015:02:18-01:02:01 sophos /usr/sbin/cron[3829]: (root) CMD ( nice -n19 /usr/local/bin/gen_inline_reporting_data.plx)
2015:02:18-01:04:01 sophos /usr/sbin/cron[3938]: (httpproxy) CMD (/var/chroot-http/usr/bin/virus_sample_uploader -p /var/chroot-http)
2015:02:18-01:05:01 sophos /usr/sbin/cron[3983]: (root) CMD ( /usr/local/bin/reporter/system-reporter.pl)
2015:02:18-01:05:01 sophos /usr/sbin/cron[3984]: (root) CMD (/var/chroot-afc/app_accuracy/scripts/collect.plx)
2015:02:18-01:07:01 sophos /usr/sbin/cron[4437]: (root) CMD (/sbin/audld.plx --trigger)
2015:02:18-01:10:01 sophos /usr/sbin/cron[4621]: (root) CMD ( /usr/local/bin/reporter/system-reporter.pl)
2015:02:18-01:10:01 sophos /usr/sbin/cron[4622]: (root) CMD (/var/mdw/scripts/pmx-blocklist-update)
2015:02:18-01:14:01 sophos /usr/sbin/cron[4804]: (httpproxy) CMD (/var/chroot-http/usr/bin/virus_sample_uploader -p /var/chroot-http)
2015:02:18-01:15:01 sophos /usr/sbin/cron[4847]: (root) CMD ( /usr/local/bin/reporter/system-reporter.pl)
2015:02:18-01:16:01 sophos /usr/sbin/cron[4925]: (httpproxy) CMD (/var/chroot-http/usr/bin/virus_feedback_uploader)
2015:02:18-01:17:01 sophos /usr/sbin/cron[4979]: (root) CMD ( nice -n19 /usr/local/bin/gen_inline_reporting_data.plx)
2015:02:18-01:20:01 sophos /usr/sbin/cron[5127]: (root) CMD (/var/mdw/scripts/pmx-blocklist-update)
2015:02:18-01:20:01 sophos /usr/sbin/cron[5135]: (root) CMD ( /usr/local/bin/reporter/system-reporter.pl)
2015:02:18-01:21:01 sophos /usr/sbin/cron[5235]: (root) CMD (/usr/local/bin/lirm.plx)
2015:02:18-01:22:01 sophos /usr/sbin/cron[5726]: (root) CMD (/sbin/audld.plx --trigger)
2015:02:18-01:24:02 sophos /usr/sbin/cron[6074]: (httpproxy) CMD (/var/chroot-http/usr/bin/virus_sample_uploader -p /var/chroot-http)
2015:02:18-01:25:01 sophos /usr/sbin/cron[6103]: (root) CMD ( /usr/local/bin/reporter/system-reporter.pl)
2015:02:18-01:30:01 sophos /usr/sbin/cron[6314]: (root) CMD ( /usr/local/bin/reporter/system-reporter.pl)
2015:02:18-01:30:01 sophos /usr/sbin/cron[6318]: (root) CMD (/var/mdw/scripts/pmx-blocklist-update)
2015:02:18-01:30:01 sophos /usr/sbin/cron[6319]: (root) CMD (/usr/local/bin/logcleaner.plx -e)
2015:02:18-01:31:01 sophos /usr/sbin/cron[6424]: (httpproxy) CMD (/var/chroot-http/usr/bin/virus_feedback_uploader)
2015:02:18-01:32:02 sophos /usr/sbin/cron[6484]: (root) CMD ( nice -n19 /usr/local/bin/gen_inline_reporting_data.plx)
2015:02:18-01:34:02 sophos /usr/sbin/cron[6588]: (httpproxy) CMD (/var/chroot-http/usr/bin/virus_sample_uploader -p /var/chroot-http)
2015:02:18-01:35:01 sophos /usr/sbin/cron[6622]: (root) CMD ( /usr/local/bin/reporter/system-reporter.pl)
2015:02:18-01:37:01 sophos /usr/sbin/cron[7056]: (root) CMD ( /var/storage/chroot-pop3/bin/pop3dump.sh)
2015:02:18-01:37:01 sophos /usr/sbin/cron[7057]: (root) CMD (/sbin/audld.plx --trigger)
2015:02:18-01:39:01 sophos /usr/sbin/cron[7313]: (root) CMD (/var/chroot-afc/app_accuracy/scripts/collect.plx popularity)
2015:02:18-01:39:33 sophos postgres[7344]: [3-1] WARNING: pgstat wait timeout
2015:02:18-01:39:50 sophos postgres[7364]: [3-1] WARNING: pgstat wait timeout
2015:02:18-01:39:56 sophos postgres[3712]: [3-1] WARNING: pgstat wait timeout
2015:02:18-01:40:08 sophos postgres[3712]: [4-1] WARNING: pgstat wait timeout
2015:02:18-01:40:20 sophos postgres[3712]: [5-1] WARNING: pgstat wait timeout
2015:02:18-01:40:01 sophos /usr/sbin/cron[7382]: (root) CMD (/var/mdw/scripts/pmx-blocklist-update)
2015:02:18-01:40:01 sophos /usr/sbin/cron[7383]: (root) CMD ( /usr/local/bin/reporter/system-reporter.pl)
2015:02:18-01:40:08 sophos postgres[7365]: [3-1] WARNING: pgstat wait timeout
2015:02:18-01:40:19 sophos postgres[7391]: [3-1] WARNING: pgstat wait timeout
2015:02:18-01:40:31 sophos postgres[3712]: [6-1] WARNING: pgstat wait timeout
2015:02:18-01:40:44 sophos postgres[3712]: [7-1] WARNING: pgstat wait timeout
2015:02:18-01:40:30 sophos postgres[7402]: [3-1] WARNING: pgstat wait timeout
2015:02:18-01:40:42 sophos postgres[7414]: [3-1] WARNING: pgstat wait timeout
2015:02:18-01:43:10 sophos postgres[7493]: [3-1] WARNING: pgstat wait timeout
2015:02:18-01:43:44 sophos postgres[3712]: [8-1] WARNING: pgstat wait timeout
2015:02:18-01:44:05 sophos /usr/sbin/cron[7527]: (httpproxy) CMD (/var/chroot-http/usr/bin/virus_sample_uploader -p /var/chroot-http)
2015:02:18-01:44:08 sophos postgres[3712]: [9-1] WARNING: pgstat wait timeout
2015:02:18-01:45:02 sophos /usr/sbin/cron[7577]: (root) CMD ( /usr/local/bin/reporter/system-reporter.pl)
2015:02:18-01:46:01 sophos /usr/sbin/cron[7657]: (httpproxy) CMD (/var/chroot-http/usr/bin/virus_feedback_uploader)
2015:02:18-01:47:01 sophos /usr/sbin/cron[7710]: (root) CMD ( nice -n19 /usr/local/bin/gen_inline_reporting_data.plx)
2015:02:18-01:50:01 sophos /usr/sbin/cron[7851]: (root) CMD ( /usr/local/bin/reporter/system-reporter.pl)
2015:02:18-01:50:01 sophos /usr/sbin/cron[7852]: (root) CMD (/var/mdw/scripts/pmx-blocklist-update)
2015:02:18-01:52:01 sophos /usr/sbin/cron[8294]: (root) CMD (/sbin/audld.plx --trigger)
2015:02:18-01:54:01 sophos /usr/sbin/cron[8437]: (httpproxy) CMD (/var/chroot-http/usr/bin/virus_sample_uploader -p /var/chroot-http)
2015:02:18-01:55:01 sophos /usr/sbin/cron[8475]: (root) CMD ( /usr/local/bin/reporter/system-reporter.pl)
2015:02:18-02:00:02 sophos /usr/sbin/cron[8688]: (root) CMD ( /usr/local/bin/rpmdb_backup )
2015:02:18-02:00:02 sophos /usr/sbin/cron[8698]: (root) CMD (/sbin/hwclock --systz --utc)
2015:02:18-02:00:02 sophos /usr/sbin/cron[8699]: (root) CMD (/var/mdw/scripts/pmx-blocklist-update)
2015:02:18-02:00:02 sophos /usr/sbin/cron[8694]: (root) CMD ( /usr/local/bin/reporter/system-reporter.pl)
2015:02:18-02:00:02 sophos /usr/sbin/cron[8696]: (root) CMD ( /var/chroot-httpd/var/webadmin/extra/httpd_session_cleanup)
2015:02:18-02:01:01 sophos /usr/sbin/cron[8837]: (httpproxy) CMD (/var/chroot-http/usr/bin/virus_feedback_uploader)
2015:02:18-02:02:01 sophos /usr/sbin/cron[8892]: (root) CMD ( nice -n19 /usr/local/bin/gen_inline_reporting_data.plx)
2015:02:18-02:04:01 sophos /usr/sbin/cron[8998]: (httpproxy) CMD (/var/chroot-http/usr/bin/virus_sample_uploader -p /var/chroot-http)
2015:02:18-02:05:02 sophos /usr/sbin/cron[9041]: (root) CMD ( /usr/local<============================================ =============================
2015:02:18-06:41:04 sophos adbs-maintenance[29902]: running count_active_ip.plx
2015:02:18-06:41:05 sophos count_active_ip[30028]: count_active_ip: checking active IP addresses
2015:02:18-06:41:05 sophos count_active_ip[30028]: Home use or NTT OEM license detected
2015:02:18-06:41:22 sophos count_active_ip[30028]: Counted IP Addresses: v4: 15 / v6: 0
2015:02:18-06:41:23 sophos count_active_ip[30028]: licensed usage ok: licensed: 50 counted v4: 15 counted v6: 0 enforcement: no
2015:02:18-06:41:23 sophos adbs-maintenance[29902]: finished ADBS maintenance run
2015:02:18-06:44:01 sophos /usr/sbin/cron[30145]: (httpproxy) CMD (/var/chroot-http/usr/bin/virus_sample_uploader -p /var/chroot-http)
2015:02:18-06:45:01 sophos /usr/sbin/cron[30182]: (root) CMD ( /usr/local/bin/reporter/system-reporter.pl)
2015:02:18-06:46:01 sophos /usr/sbin/cron[30271]: (httpproxy) CMD (/var/chroot-http/usr/bin/virus_feedback_uploader)
2015:02:18-06:47:01 sophos /usr/sbin/cron[30316]: (root) CMD ( nice -n19 /usr/local/bin/gen_inline_reporting_data.plx)
2015:02:18-06:50:01 sophos /usr/sbin/cron[30442]: (root) CMD (/var/mdw/scripts/pmx-blocklist-update)
2015:02:18-06:50:01 sophos /usr/sbin/cron[30443]: (root) CMD ( /usr/local/bin/reporter/system-reporter.pl)
2015:02:18-06:50:59 sophos postgres[30520]: [8-1] ERROR: could not find block containing chunk 0x905dcd8
2015:02:18-06:50:59 sophos postgres[30520]: [8-2] CONTEXT: SQL statement "with upsert (pktcount) as (
2015:02:18-06:50:59 sophos postgres[30520]: [8-3] update pfilter set
2015:02:18-06:50:59 sophos postgres[30520]: [8-4] packets = packets + count
2015:02:18-06:50:59 sophos postgres[30520]: [8-5] where
2015:02:18-06:50:59 sophos postgres[30520]: [8-6] logday = day and
2015:02:18-06:50:59 sophos postgres[30520]: [8-7] srcip = src and
2015:02:18-06:50:59 sophos postgres[30520]: [8-8] (srcid = src_id or (srcid IS NULL and src_id IS NULL)) and
2015:02:18-06:50:59 sophos postgres[30520]: [8-9] dstip = dst and
2015:02:18-06:50:59 sophos postgres[30520]: [8-10] (dstid = dst_id or (dstid IS NULL and dst_id IS NULL)) and
2015:02:18-06:50:59 sophos postgres[30520]: [8-11] svc = service
2015:02:18-06:50:59 sophos postgres[30520]: [8-12] returning packets
2015:02:18-06:50:59 sophos postgres[30520]: [8-13] ) insert into pfilter (
2015:02:18-06:50:59 sophos postgres[30520]: [8-14] logday, srcip, srcid, dstip, dstid, svc, packets
2015:02:18-06:50:59 sophos postgres[30520]: [8-15] ) select
2015:02:18-06:50:59 sophos postgres[30520]: [8-16] day, src, src_id, dst, dst_id, service, count
2015:02:18-06:50:59 sophos postgres[30520]: [8-17] where not exists (select 1 from upsert)"
2015:02:18-06:50:59 sophos postgres[30520]: [8-18] PL/pgSQL function ins_pfilter(date,inet,inet,text,bigint) line 12 at SQL statement
2015:02:18-06:50:59 sophos postgres[30520]: [8-19] STATEMENT: select ins_pfilter($1, $2, $3, $4, $5)
2015:02:18-06:52:01 sophos /usr/sbin/cron[30569]: (root) CMD (/sbin/audld.plx --trigger)
2015:02:18-06:54:01 sophos /usr/sbin/cron[31036]: (httpproxy) CMD (/var/chroot-http/usr/bin/virus_sample_uploader -p /var/chroot-http)
2015:02:18-06:55:01 sophos /usr/sbin/cron[31078]: (root) CMD ( /usr/local/bin/reporter/system-reporter.pl)
2015:02:18-07:00:01 sophos /usr/sbin/cron[31282]: (root) CMD ( /usr/local/bin/reporter/system-reporter.pl)
2015:02:18-07:00:01 sophos /usr/sbin/cron[31283]: (root) CMD (/var/mdw/scripts/pmx-blocklist-update)
2015:02:18-07:00:01 sophos /usr/sbin/cron[31284]: (root) CMD ( /usr/local/bin/rpmdb_backup )
2015:02:18-07:00:01 sophos /usr/sbin/cron[31281]: (root) CMD ( /var/chroot-httpd/var/webadmin/extra

--------------------------------------------------------------------------------------------------------------------------


2015:02:18-00:01:34 sophos httpproxy[5420]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="GET" srcip="192.168.1.116" dstip="188.190.120.74" user="" ad_domain="" statuscode="200" cached="0" profile="REF_DefaultHTTPProfile (Default Web Filter Profile)" filteraction="REF_DefaultHTTPCFFAction (Default content filter action)" size="81" request="0xe1f42000" url="http://i.bandito.org/scrape?info_hash=J%cac%88%99%90%e3%ae%5bf%e8%c9%b9 %e0%00%0c%d1%8eZ%fa" referer="" error="" authtime="0" dnstime="1776" cattime="737131" avscantime="87451" fullreqtime="1686250" device="0" auth="0" ua="Transmission/2.82" exceptions="" category="178" reputation="neutral" categoryname="Internet Services" application="bittorre" app-id="60" content-type="application/octet-stream"
2015:02:18-00:01:38 sophos httpproxy[5420]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="GET" srcip="192.168.1.115" dstip="184.169.160.78" user="" ad_domain="" statuscode="200" cached="0" profile="REF_DefaultHTTPProfile (Default Web Filter Profile)" filteraction="REF_DefaultHTTPCFFAction (Default content filter action)" size="12" request="0xe1fb6800" url="http://plex.tv/pms/:/ip" referer="" error="" authtime="0" dnstime="205130" cattime="146703" avscantime="16788" fullreqtime="698387" device="0" auth="0" ua="Mozilla/5.0 (Windows; U; Windows NT 5.1; fr; rv:1.9.2b4) Gecko/20091124 Firefox/3.6b4 (.NET CLR 3.5.30729)" exceptions="" category="175" reputation="neutral" categoryname="Software/Hardware" content-type="text/plain"
2015:02:18-00:04:42 sophos httpproxy[5420]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="GET" srcip="192.168.1.116" dstip="85.195.119.215" user="" ad_domain="" statuscode="200" cached="0" profile="REF_DefaultHTTPProfile (Default Web Filter Profile)" filteraction="REF_DefaultHTTPCFFAction (Default content filter action)" size="42" request="0xdfd8d000" url="http://tracker.trackerfix.com/announce?info_hash=%91%b7%24%07x%d2~%16%16%c3%e7n% b60%3a%b9H%8e%f1%7d&peer_id=-TR2820-ilyb2jv8pxku&port=51413&uploaded=251882549&downloa ded=456275520&left=0&numwant=80&key=2f23719f&compa ct=1&supportcrypto=1&corrupt=262144&event=started" referer="" error="" authtime="0" dnstime="11653" cattime="112313" avscantime="90194" fullreqtime="698369" device="0" auth="0" ua="Transmission/2.82" exceptions="" category="178" reputation="neutral" categoryname="Internet Services" application="bittorre" app-id="60" content-type="text/plain"
2015:02:18-00:05:01 sophos httpproxy[5420]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="GET" srcip="192.168.1.116" dstip="85.195.119.215" user="" ad_domain="" statuscode="200" cached="0" profile="REF_DefaultHTTPProfile (Default Web Filter Profile)" filteraction="REF_DefaultHTTPCFFAction (Default content filter action)" size="286" request="0xdf8f0800" url="http://tracker.trackerfix.com/announce?info_hash=%bf%16%a7%d6%be%baF%93%03%b6v%b bx%3ey%03%d3%87%89%1f&peer_id=-TR2820-g0iy1gxbpisg&port=51413&uploaded=42932757377&downl oaded=0&left=0&numwant=80&key=2f23719f&compact=1&s upportcrypto=1" referer="" error="" authtime="0" dnstime="1940" cattime="1108" avscantime="13428" fullreqtime="623747" device="0" auth="0" ua="Transmission/2.82" exceptions="" category="178" reputation="neutral" categoryname="Internet Services" application="bittorre" app-id="60" content-type="application/octet-stream"
2015:02:18-00:05:03 sophos httpproxy[5420]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="GET" srcip="192.168.1.116" dstip="85.195.119.215" user="" ad_domain="" statuscode="200" cached="0" profile="REF_DefaultHTTPProfile (Default Web Filter Profile)" filteraction="REF_DefaultHTTPCFFAction (Default content filter action)" size="203" request="0xe1de2800" url="http://tracker.trackerfix.com/scrape?info_hash=%87-%3cn%c0E_%c3%eaw%af%c6%3d%89%a8%cf%ac%a8%8c%7f&inf o_hash=_%19%f9%87W%94%11J%e4%24%1eI%29%f4T%2a8%8fn R" referer="" error="" authtime="0" dnstime="2480" cattime="88775" avscantime="13830" fullreqtime="814634" device="0" auth="0" ua="Transmission/2.82" exceptions="" category="178" reputation="neutral" categoryname="Internet Services" application="bittorre" app-id="60" content-type="application/octet-stream"
2015:02:18-00:05:04 sophos httpproxy[5420]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="GET" srcip="192.168.1.116" dstip="85.195.119.215" user="" ad_domain="" statuscode="200" cached="0" profile="REF_DefaultHTTPProfile (Default Web Filter Profile)" filteraction="REF_DefaultHTTPCFFAction (Default content filter action)" size="42" request="0xdeaa3000" url="http://tracker.trackerfix.com/announce?info_hash=%91%b7%24%07x%d2~%16%16%c3%e7n% b60%3a%b9H%8e%f1%7d&peer_id=-TR2820-ilyb2jv8pxku&port=51413&uploaded=251882549&downloa ded=456275520&left=0&numwant=80&key=2f23719f&compa ct=1&supportcrypto=1&corrupt=262144&event=complete d" referer="" error="" authtime="0" dnstime="1874" cattime="1002" avscantime="22862" fullreqtime="505457" device="0" auth="0" ua="Transmission/2.82" exceptions="" category="178" reputation="neutral" categoryname="Internet Services" application="bittorre" app-id="60" content-type="text/plain"
2015:02:18-00:06:49 sophos httpproxy[5420]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="GET" srcip="192.168.1.116" dstip="85.195.119.215" user="" ad_domain="" statuscode="200" cached="0" profile="REF_DefaultHTTPProfile (Default Web Filter Profile)" filteraction="REF_DefaultHTTPCFFAction (Default content filter action)" size="382" request="0xe0056000" url="http://tracker.trackerfix.com/announce?info_hash=%87-%3cn%c0E_%c3%eaw%af%c6%3d%89%a8%cf%ac%a8%8c%7f&pee r_id=-TR2820-w861vgrrz7k6&port=51413&uploaded=6376454938&downlo aded=0&left=0&numwant=80&key=2f23719f&compact=1&su pportcrypto=1" referer="" error="" authtime="0" dnstime="2259" cattime="120914" avscantime="15049" fullreqtime="707839" device="0" auth="0" ua="Transmission/2.82" exceptions="" category="178" reputation="neutral" categoryname="Internet Services" application="bittorre" app-id="60" content-type="application/octet-stream"
2015:02:18-00:06:49 sophos httpproxy[5420]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="GET" srcip="192.168.1.116" dstip="85.195.119.215" user="" ad_domain="" statuscode="200" cached="0" profile="REF_DefaultHTTPProfile (Default Web Filter Profile)" filteraction="REF_DefaultHTTPCFFAction (Default content filter action)" size="286" request="0xe0150000" url="http://tracker.trackerfix.com/announce?info_hash=_%19%f9%87W%94%11J%e4%24%1eI%29 %f4T%2a8%8fnR&peer_id=-TR2820-svm0c68cpr63&port=51413&uploaded=7687838989&downlo aded=0&left=0&numwant=80&key=2f23719f&compact=1&su pportcrypto=1" referer="" error="" authtime="0" dnstime="2376" cattime="126098" avscantime="49602" fullreqtime="737976" device="0" auth="0" ua="Transmission/2.82" exceptions="" category="178" reputation="neutral" categoryname="Internet Services" application="bittorre" app-id="60" content-type="application/octet-stream"
---------------------------------------------------------------------------------------------------------------------------

2015:02:18-11:09:29 sophos aua[3394]: id="3006" severity="info" sys="System" sub="auth" name="Child 32063 is running too long. Terminating child"
2015:02:18-11:09:29 sophos aua[20919]: id="3004" severity="info" sys="System" sub="auth" name="Authentication successful" srcip="192.168.1.123" host="" user="admin" caller="webadmin" engine="local"
2015:02:18-11:40:27 sophos aua[3394]: id="3006" severity="info" sys="System" sub="auth" name="Child 20919 is running too long. Terminating child"
2015:02:18-11:40:27 sophos aua[23819]: id="3004" severity="info" sys="System" sub="auth" name="Authentication successful" srcip="192.168.1.120" host="" user="admin" caller="webadmin" engine="local"
2015:02:18-12:59:15 sophos aua[3394]: id="3006" severity="info" sys="System" sub="auth" name="Child 23819 is running too long. Terminating child"
2015:02:18-12:59:15 sophos aua[15642]: id="3004" severity="info" sys="System" sub="auth" name="Authentication successful" srcip="192.168.1.123" host="" user="admin" caller="webadmin" engine="local"
2015:02:18-13:44:56 sophos aua[3394]: id="3006" severity="info" sys="System" sub="auth" name="Child 15642 is running too long. Terminating child"
2015:02:18-13:44:56 sophos aua[8338]: id="3004" severity="info" sys="System" sub="auth" name="Authentication successful" srcip="192.168.1.123" host="" user="admin" caller="webadmin" engine="local"
2015:02:18-14:07:24 sophos aua[7413]: id="3004" severity="info" sys="System" sub="auth" name="Authentication successful" srcip="192.168.1.120" host="" user="admin" caller="webadmin" engine="local"
2015:02:18-14:33:52 sophos aua[3388]: id="3006" severity="info" sys="System" sub="auth" name="Child 7413 is running too long. Terminating child"
2015:02:18-14:33:52 sophos aua[16825]: id="3004" severity="info" sys="System" sub="auth" name="Authentication successful" srcip="192.168.1.123" host="" user="admin" caller="webadmin" engine="local"
2015:02:18-15:24:16 sophos aua[3388]: id="3006" severity="info" sys="System" sub="auth" name="Child 16825 is runnin
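
The reply above turns on one question: did the proxy actually block anything for the client, or is every record action="pass"? The http.log excerpt in the post is the UTM's usual key="value" format, and 7.5 MB of it is not readable by eye. The script below is an added example (not from the post and not Sophos code): it parses the timestamp/host/daemon prefix and the quoted fields, then counts actions and applications per client IP and lists any URL that was not passed. The sample records are constructed for the example, modelled on the lines in the thread and shortened; the block record's field values are invented and do not claim to reproduce the real UTM block log layout.

```python
"""Triage helper for Sophos UTM key="value" logs (http.log, aua, ...).

Added example, not Sophos code.  UTM daemons write one record per line:
<timestamp> <host> <daemon>[<pid>]: key="value" key="value" ...
This parses that layout and summarises, per client IP, what the web proxy
did (action counts, applications seen, URLs that were not passed).
"""
import re
from collections import defaultdict

# Prefix: "2015:02:18-00:01:34 sophos httpproxy[5420]: " (daemon may be a path, e.g. /usr/sbin/cron)
PREFIX_RE = re.compile(r'^(\S+) (\S+) ([\w./-]+)\[(\d+)\]: ')
# key="value"; keys may contain '-' (app-id, content-type); values may contain
# spaces and backslash-escaped double quotes.
KV_RE = re.compile(r'([A-Za-z_][\w-]*)="((?:[^"\\]|\\.)*)"')


def parse_line(line):
    """Return a dict of fields, with the prefix under _ts/_host/_daemon/_pid
    (underscored so the record's own host="" field cannot overwrite it).
    Returns {} for lines that do not have the UTM prefix."""
    m = PREFIX_RE.match(line)
    if not m:
        return {}
    rec = {"_ts": m.group(1), "_host": m.group(2),
           "_daemon": m.group(3), "_pid": int(m.group(4))}
    rec.update((k, v.replace('\\"', '"')) for k, v in KV_RE.findall(line[m.end():]))
    return rec


def summarize(lines):
    """Per srcip: how often each action occurred, which applications were
    identified, and the URLs of every record whose action was not 'pass'."""
    per_ip = defaultdict(lambda: {"actions": defaultdict(int), "apps": set(),
                                  "non_pass_urls": []})
    for line in lines:
        rec = parse_line(line)
        if rec.get("_daemon") != "httpproxy" or "srcip" not in rec:
            continue  # cron, aua, postgres ... are not web-filter decisions
        entry = per_ip[rec["srcip"]]
        action = rec.get("action", "?")
        entry["actions"][action] += 1
        if rec.get("application"):
            entry["apps"].add(rec["application"])
        if action != "pass":
            entry["non_pass_urls"].append(rec.get("url", ""))
    return per_ip


def report(lines):
    """Human-readable one-liner per client, as a list of strings."""
    out = []
    for ip, e in sorted(summarize(lines).items()):
        acts = ", ".join(f"{a}={n}" for a, n in sorted(e["actions"].items()))
        out.append(f"{ip}: {acts}; apps={sorted(e['apps'])}; "
                   f"not passed={len(e['non_pass_urls'])}")
    return out


# Constructed sample, modelled on the thread's excerpt and shortened.
SAMPLE = [
    '2015:02:18-00:01:34 sophos httpproxy[5420]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="GET" srcip="192.168.1.116" dstip="188.190.120.74" statuscode="200" url="http://i.bandito.org/scrape?info_hash=J%cac" ua="Transmission/2.82" category="178" categoryname="Internet Services" application="bittorre" app-id="60" content-type="application/octet-stream"',
    '2015:02:18-00:01:38 sophos httpproxy[5420]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="GET" srcip="192.168.1.115" dstip="184.169.160.78" statuscode="200" url="http://plex.tv/pms/:/ip" ua="Mozilla/5.0 (Windows; U; Windows NT 5.1)" category="175" categoryname="Software/Hardware" content-type="text/plain"',
    # Invented block record: field values are placeholders, not the real UTM block layout.
    '2015:02:18-00:02:10 sophos httpproxy[5420]: severity="info" sys="SecureWeb" sub="http" name="example block" action="block" method="GET" srcip="192.168.1.116" dstip="203.0.113.10" statuscode="403" url="http://example.invalid/payload.exe" reason="category"',
    # Non-proxy record (aua); parse_line() reads it, summarize() skips it.
    '2015:02:18-11:09:29 sophos aua[20919]: id="3004" severity="info" sys="System" sub="auth" name="Authentication successful" srcip="192.168.1.123" host="" user="admin" caller="webadmin" engine="local"',
]

if __name__ == "__main__":
    for line in report(SAMPLE):
        print(line)
```

Run it against the real file with `report(open("/var/log/http.log"))`; a client whose summary shows only pass= counts has not been blocked by the web filter, which points the search at DNS, masquerading, the default gateway or the browser proxy settings rather than at ATP.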

UTM 320 with 9.307-6 : Apple Devices and Webfiltering

Hello, does anyone have a guide for setting up the UTM with Apple devices (iOS 8.1.3)?

I've been to the Apple support site and added their servers to my exception lists... and it works... most of the time, but occasionally one of the iPads gets into a situation where it will not update.

Resolve issues between iTunes and security software - Apple Support

I have to manually add its IP to the transparent mode skiplist to get it to work, so I know it's something with web filtering...

I've gone to the console and grep'd the IP of the device in the http.log file, and there are no errors listed; when it goes wonky, there's no output at all, actually...

Now, I just removed the manual skip and installed an app on the same iPad... and it worked fine... very frustrating!

Any pointers on tracking down an intermittent problem with iOS?

Thanks,
Kev

Allow Outbound Traffic

This may be a stupid question, but for some reason I am unable to allow non-web traffic outbound through the UTM (i.e., FTP and RDP). I've created firewall rules, like I would with any other firewall, to allow outbound traffic over these ports (I even created a rule to allow all outbound traffic and put it at the top as the #1 rule), but I'm unable to connect to servers on the Internet. The firewall log shows that traffic is being allowed, but I can't connect. I'm still testing this UTM, so I just changed my gateway to my old router, and I can connect instantly, so it's definitely the UTM. I can also surf the web (ports 80 and 443), but this is controlled through Web Protection, not firewall rules. I also do not use application control, but during my troubleshooting I enabled application control and created a rule to allow RDP. Still didn't work.

I'm very familiar with firewalls and have configured many of them over the years, so I have already checked the obvious, but I am new to Sophos, so I'm hoping I missed a checkbox somewhere.

Any help on configuring these devices to allow outbound traffic (which should be easy), would be greatly appreciated.

Deploy VPNs

Hello,

I have some trouble with VPNs deployed with SUM 4.
I just deleted a VPN connection, but now I see that on one of the gateways not all objects were removed.
And now I'm unable to create a new VPN.
How can I remove the old objects?

Sophos UTM Hardware: Entropy at Startup

When a brand-new, out-of-the-box Sophos UTM appliance is started up, it generates a variety of "random" keys, certificates, and passwords. I have looked at them, and they differ from the keys on a software UTM that I have running at home. (Yeah, I know that is not saying much.) The keys, etc. appear to be random, but I have not run any tests of randomness on them.

Here is my question, which may not be easily answered by anyone in this forum, unless they are privy to Sophos design internals:

How does Sophos seed each newly minted UTM appliance before they ship it to the end customer? In other words, how does Sophos ensure that each appliance's random numbers are truly random and start out widely separate and independent from all other Sophos UTM appliances?

Has anyone inquired into this aspect of UTM security? It is a big job to replace all the keys, certificates, and self-generated passwords in the UTM. Can we trust the randomness of the initial installation and setup?
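
The question above can be tested after the fact, without access to Sophos design internals, because poor first-boot entropy leaves a fingerprint in the keys themselves. The following is an added example (not from the post and not Sophos code) of the two checks used in the 2012 "Mining your Ps and Qs" study of embedded-device keys: comparing key fingerprints catches appliances that shipped with identical keys, and a batch GCD over all RSA moduli catches the subtler case where two appliances drew the same prime from nearly identical entropy pools, which a fingerprint comparison cannot see and which factors both keys. The fleet, appliance names and primes are constructed toy values; with real appliances you would extract the modulus from each unit's WebAdmin certificate or SSH host key and feed it in the same way.

```python
"""Fleet-wide check for reused RSA key material (added example, not Sophos code).

Check 1: fingerprint comparison -> identical keys on two appliances.
Check 2: batch GCD (product tree + remainder tree) -> keys that share exactly
         one prime, the classic symptom of keys generated from a nearly
         identical entropy pool at first boot.  Any such key is factored.
Moduli here are products of small well-known primes so it runs instantly;
real 2048-bit moduli work identically, just slower.
"""
import hashlib
import math

# Constructed sample primes (NOT real key material).
P_A = 1000000007
P_B = 1000000009
P_C = 998244353
P_D = 2147483647            # 2^31 - 1
P_E = 4294967291            # largest prime below 2^32
P_F = 4294967311            # smallest prime above 2^32
P_G = 2305843009213693951   # 2^61 - 1

# Hypothetical fleet: appliance -> RSA modulus n = p*q (names are invented).
FLEET = {
    "utm-1": P_A * P_B,   # healthy: neither prime appears anywhere else
    "utm-2": P_C * P_D,   # shares P_C with utm-3 -> both keys are factorable
    "utm-3": P_C * P_E,
    "utm-4": P_F * P_G,   # healthy on its own ...
    "utm-5": P_F * P_G,   # ... but utm-5 shipped with the identical key
}


def fingerprint(n):
    """SHA-256 over the big-endian modulus; stands in for a cert/SSH fingerprint."""
    return hashlib.sha256(n.to_bytes((n.bit_length() + 7) // 8, "big")).hexdigest()


def duplicate_fingerprints(fleet):
    """fingerprint -> appliances sharing it, for groups of two or more."""
    seen = {}
    for name, n in fleet.items():
        seen.setdefault(fingerprint(n), []).append(name)
    return {fp: names for fp, names in seen.items() if len(names) > 1}


def product_tree(xs):
    """Leaves are the moduli; each level multiplies neighbouring pairs up to the root."""
    levels = [list(xs)]
    while len(levels[-1]) > 1:
        cur = levels[-1]
        levels.append([cur[i] * cur[i + 1] if i + 1 < len(cur) else cur[i]
                       for i in range(0, len(cur), 2)])
    return levels


def batch_gcd(moduli):
    """For each n_i return gcd(n_i, product of all other n_j).

    Walk the product tree back down reducing the root P modulo n^2 at each
    node; at a leaf, P mod n_i^2 == n_i * (Q_i mod n_i) with Q_i = P / n_i,
    so (P mod n_i^2) // n_i gives Q_i mod n_i without ever dividing P."""
    levels = product_tree(moduli)
    rems = levels.pop()                      # [P]
    while levels:
        cur = levels.pop()
        rems = [rems[i // 2] % (x * x) for i, x in enumerate(cur)]
    return [math.gcd(r // n, n) for r, n in zip(rems, moduli)]


def audit(fleet):
    """'ok' (no shared factor), 'duplicate' (whole modulus seen elsewhere),
    or {'p': ..., 'q': ...} when one prime is shared and the key is factored."""
    names = list(fleet)
    verdict = {}
    for name, g in zip(names, batch_gcd([fleet[n] for n in names])):
        n = fleet[name]
        if g == 1:
            verdict[name] = "ok"
        elif g == n:
            verdict[name] = "duplicate"       # gcd(0, n): another unit holds the same n
        else:
            verdict[name] = {"p": g, "q": n // g}
    return verdict


if __name__ == "__main__":
    for fp, names in duplicate_fingerprints(FLEET).items():
        print(f"identical key on {names} (fingerprint {fp[:16]}...)")
    for name, v in audit(FLEET).items():
        print(f"{name}: {v}")
```

A clean fleet returns "ok" for every appliance; anything else means the initial key generation did not have independent entropy and the affected units need fresh keys, certificates and the passwords derived from them, which is exactly the replacement job the post describes as big.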

WotL: Remote Access VPN to UTM

My friend has a small office whose users have Windows 7 or 8 computers, other than me. I have a Mac, but I can also run Windows in a virtual machine. The office computers are members of a Windows domain. A few of them are roaming laptops that would like to have VPN access to the office network through their UTM 120.

In case it matters, we also have a RED10 that will be going into a very small remote office, but it is not yet connected.

I am looking for the "Wisdom of the List" regarding the best way to configure remote access for the roving members of this small office team. The Sophos UTM offers so many different Remote Access capabilities: SSL, PPTP, L2TP over IPsec, IPsec, HTML5 VPN Portal, and Cisco VPN Client. PPTP is probably a poor choice for security reasons.

Will you share what you learned regarding the best remote access UTM solution that is secure, easy to deploy, manage, and maintain for a typical small office team? How did you decide? What did you choose? What are your recommendations?

P.S. Which end-user clients did you select and why?

Sophos anti virus tool won't install - says it's already installed

Hello, I don't know where to post this. Sophos' website directs me here, and it says they don't have support for free tools by e-mail.

On the Sophos website there is a virus check tool "Sophos Virus Removal Tool.exe". I downloaded it but it won't install on my computer because it says "another version of this product is already installed." It is the correct tool, I have checked the digital signature. I don't have anything on my computer from Sophos so I don't know why it won't install.

I'm using Windows 7 x64. A screenshot of the error message is attached. If you have any ideas please let me know. Thanks

Attached Images
File Type: png Sophos won't install.PNG (13.4 KB)

2 webservers port 80 1 ip

Hi all,

I have a problem.
I have multiple webservers but only 1 ip.
Is it possible to access the webservers based on url?

webserver-a.domain.com 192.168.2.10 port 80
webserver-b.domain.com 192.168.2.11 port 80
dns configured 2 cnames to ip

is WAF the solution?
or is it not possible.

thx ,

guido

IPsec tunnel - tcp option 76 & 78

Hi,

I've set up an IPsec tunnel between an SG120 and a UTM 425, but now my Riverbed appliance can't optimize traffic.
Traffic outside of the IPsec tunnel is optimized just fine.

Doing some research shows Cisco ASA IPsec tunnels need to be configured to permit TCP option 76 and TCP option 78 so the Riverbed appliances in full transparency mode work.
Article here

I suspect this is required for the Sophos UTM IPsec tunnels as well.

How can I check and tell the UTM to allow this?

Thanks

Damien

Licensing and HA issues

We purchased two SG210's and configured them in cluster mode (active-active).

This worked fine until we went and applied the licenses. I'll skip the ridiculous amount of crap we had to go through in order to actually receive licenses (apparently our licenses, for this new hardware, were "upgrade" instead of "activation" licenses which caused them not to work).

Once I applied the license to the cluster one of the two machines immediately shut down. Whenever I turn it back on it powers up and then powers right back down. The only way I can get both machines to stay on is by unplugging the HA cable- when they're not part of a cluster they stay up without issue. However, after I plug that cable back in the second machine again shuts down.

I haven't been able to get ahold of anyone at Sophos (they apparently ignore customers completely), and the vendor I'm working with has no idea what is causing this (they also had no idea why Sophos sent me upgrade keys). I'm at a loss over what to do next, other than return the boxes and demand a refund for the defective product.

Has anyone encountered this before or have advice on how to resolve it?

function="check_loopback" file="dns.c" line="1022"

Solved!

It's CPE related!

DNS were echoing "127.0.0.1 lorelispum.lor" >> /etc/hosts

I need to hire someone to configure my new sg105

Can anyone advise me on configuring my sg105? I have an Astaro 110, that is currently running, and getting it configured and running was a nightmare. I was told that I could use the configuration auto backup from the 110, to configure the 105. I would be happy to pay someone to configure the 105 remotely.

Alternative Method LCD Display

Hi all,

I have put together a method for using an LCD screen like an HD44780-based 16x2 or 20x4. I had tried to use LCD4Linux, but couldn't get it working properly, and the more I stuffed around with the system the more problematic it became.

It goes without saying that the below is NOT supported in any way, shape or form and may void any support contracts; however, I am using this in a home UTM environment, so that suits me fine. You do not need to install any 3rd party utilities or programs on the system, only a small bash script and a crontab entry.

The concept:
Instead of a USB connected device, I have gone for a network based LCD running off an Arduino with an ethernet shield. I send a small HTTP request to the arduino, which converts the data into something that can be displayed on an LCD. This gives me a LOT of flexibility in customizing both the data sets and the LCD display itself, as well as possible expansion to multiple screens (not to mention it can be mounted away from the server itself).

I don't claim to be an expert in any of this, but it works, and works well, so I'm open to other ideas for improvement!

What you need:
Sophos UTM Box (Duh)
Arduino with an Ethernet shield (few options out there, but I'm using an Uno with Ethernet Shield)
HD44780 LCD (I'm using a 20x4 via I2C, and you can actually use any display you want, you just need to change the libraries used with the Arduino)

Arduino Configuration:
Nice and easy and I won't go into detail, but plug the Ethernet shield into the Arduino, then, if you are using an I2C model LCD, plug in VCC, GND, and SDA/SCL and that's it.

Arduino code, which is heavily commented:

Code:

///////////////////////////////////////////////////////////////////////
//                          Include Libraries                       //
///////////////////////////////////////////////////////////////////////
#include <Wire.h>
#include <LiquidCrystal_I2C.h>
#include <Ethernet.h>
#include <SPI.h>

////////////////////////////////////////////////////////////////////////
//                    CONFIGURE ETHERNET SHIELD                      //
////////////////////////////////////////////////////////////////////////


// Set Mac Address (comment out if not needed)
byte mac[] = {
  0xDE, 0xAD, 0xBE, 0xEF, 0xFE, 0xED };

EthernetServer server = EthernetServer(80); //port 80


////////////////////////////////////////////////////////////////////////
//                      Define custom characters                    //
////////////////////////////////////////////////////////////////////////

#if defined(ARDUINO) && ARDUINO >= 100
#define printByte(args)  write(args);
#else
#define printByte(args)  print(args,BYTE);
#endif


byte DownArrow[8] = {
  B00100,
  B00100,
  B00100,
  B00100,
  B00100,
  B11111,
  B01110,
  B00100
};

byte UpArrow[8] = {
  B00100,
  B01110,
  B11111,
  B00100,
  B00100,
  B00100,
  B00100,
  B00100
};

////////////////////////////////////////////////////////////////////////
//                        Define LCD Display                        //
////////////////////////////////////////////////////////////////////////


LiquidCrystal_I2C lcd(0x27,20,4);  //0x27 is standard address, 20,4 is screen size


////////////////////////////////////////////////////////////////////////
//                        Declare Variables                          //
////////////////////////////////////////////////////////////////////////

char charnew;
String down = "";
long downnum = 0L;
long upnum = 0L;
String up = "";
String uptime = "";
String cpuload = "";
int switcher = 0;
String dlspeed = "";
String upspeed = "";
int firstrun = 1;
float cpupercent = 0;
String uptimeformat = "";
boolean connecteddhcp = 0;
int finished = 0;
boolean reading = false;


////////////////////////////////////////////////////////////////////////
//                            Setup Program                          //
////////////////////////////////////////////////////////////////////////

void setup()
{

  //Uncomment to enable serial feedback
  //Serial.begin(115200);


  //Initialize the LCD
  lcd.init();

  //Initialize Custom LCD Characters
  lcd.createChar(0, DownArrow);
  lcd.createChar(1, UpArrow);


  // Print a loading message to the LCD.
  lcd.backlight();
  lcd.setCursor(0,0);
  lcd.print("    LCD Display");
  lcd.setCursor(0,1);
  lcd.print("    Sophos UTM");
  lcd.setCursor(0,3);
  lcd.print("Waiting for network");

  //Try to get DHCP IP address and loop until there is one
  connecteddhcp = Ethernet.begin(mac);
  while(connecteddhcp == 0){
    connecteddhcp = Ethernet.begin(mac);
  }

  //Start Ethernet server once IP address is assigned and received
  server.begin();
 
  //Print IP address to LCD screen
  lcd.setCursor(0,3);
  lcd.print("                  ");
  lcd.setCursor(5,3);
  lcd.print(Ethernet.localIP());



}

////////////////////////////////////////////////////////////////////////
//                          Main Program Loop                        //
////////////////////////////////////////////////////////////////////////

void loop()
{

  //Listen for incoming clients, and run main function when received
  checkForClient();

}



////////////////////////////////////////////////////////////////////////
//                            Main Function                          //
////////////////////////////////////////////////////////////////////////

void checkForClient(){

  //Reset Variables for start of function
  reading = false;
  switcher = 0;
  down = "";
  downnum = 0L;
  upnum = 0L;
  cpupercent = 0L;
  uptimeformat = "";
  up = "";
  dlspeed = "";
  upspeed = "";
  cpuload = "";
  uptime = "";

  //Mark server as available
  EthernetClient client = server.available();

  //Check if Client has data for us
  if (client) {

    Serial.println("Data Received and available");
    //Confirm request - an http request ends with a blank line
    boolean currentLineIsBlank = true;
    boolean sentHeader = false;


    //Start read loop
    while (client.connected()) {
      //Debugging Level 1
      Serial.println("Pass Level 1");
      if (client.available()) {
        //Debugging Level 2
        Serial.println("Pass Level 2");

        //Pause for the entire message to arrive
        delay(100);


        if(!sentHeader){
          //Send a standard http response header
          client.println("HTTP/1.1 200 OK");
          client.println("Content-Type: text/html");
          client.println();
          sentHeader = true;
        }

        //Read the next character of the HTTP request into the global charnew,
        //so the line-ending check after this block sees the same value
        //(a local "char charnew" here would shadow it and leave the global at 0)
        charnew = client.read();

        if(reading && charnew == ' ') reading = false;
        if(charnew == '?') reading = true; //Found the ?, begin reading the valid info


        if (reading){
          //Debugging level 3
          Serial.println("Pass Level 3");
         
          //Starting main data split, reads in the characters and splits them into strings based on the / found
          if (charnew == '?') {
            //Do nothing - skipping ? character
          }         
          else if (charnew != '/' && switcher == 0 ){
            down = down + charnew;
            switcher = 0;
            Serial.print("Download Speed: ");
            Serial.println(down);
          }
          else if (charnew == '/' && switcher == 0){
            switcher = 1;
            Serial.println("Detected Switch 1");
          }
          else if (charnew != '/' && switcher == 1){
            up = up + charnew;
            Serial.print("Upload Speed: ");
            Serial.println(up);
          }
          else if (charnew == '/' && switcher == 1){
            switcher = 2;
            Serial.println("Detected Switch 2");
          }
          else if (charnew != '/' && switcher == 2){
            cpuload = cpuload + charnew;
            Serial.print("CPULoad: ");
            Serial.println(cpuload);
          }
          else if (charnew == '/' && switcher == 2){
            switcher = 3;
            Serial.println("Detected Switch 3");
            cpuload = cpuload + "  ";
          }
          else if (charnew != '!' && switcher == 3){
            uptime = uptime + charnew;

            Serial.print("Uptime: ");
            Serial.println(uptime);
          }
          else if (charnew == '!' && switcher == 3){
            //Mark as finished, all data received
            finished = 1;
            break;
          }
        }
      }

      //Clean up HTTP Request
      if (charnew == '\n' && currentLineIsBlank)  break;

      if (charnew == '\n') {
        currentLineIsBlank = true;
      }
      else if (charnew != '\r') {
        currentLineIsBlank = false;
      }
    }

    Serial.println("Read in complete");

    //Confirm that data was received and needs to be printed
    if (finished == 1){
     
      //Convert strings to integer and float values
      downnum = down.toInt();
      upnum = up.toInt();
      cpupercent = cpuload.toFloat();
      long seconds = uptime.toInt();

      //Work out uptime
      long s = seconds % 60;
      long m = (seconds / 60) % 60;
      long h = (seconds / (60 * 60)) % 24;
      long d = (seconds / 60 / 60 / 24);

      cpupercent = cpupercent/2;
      cpupercent = cpupercent*100;

      //Format Download Speed
      if (downnum >= 1024) {
        downnum = (downnum/1024);
        dlspeed = " KB/s";
      }
      else {
        dlspeed = " B/s";
      }

      //Format Upload Speed
      if (upnum >= 1024) {
        upnum = (upnum/1024);

        upspeed = " KB/s";

      }
      else {
        upspeed = " B/s";
      }

      //If first time run, load labels
      if (firstrun == 1) {
        lcd.clear();
        lcd.setCursor(0,0);
        lcd.print("WAN");
        lcd.printByte(0);
        lcd.setCursor(0,1);
        lcd.print("LNK");
        lcd.printByte(1);
        lcd.setCursor(0,2);
        lcd.print("CPU Load:");
        lcd.setCursor(0,3);
        lcd.print("Uptime:");
        firstrun = 0;
      }

      //Update LCD Screen with data
      lcd.setCursor(5,0);
      lcd.print("              ");
      lcd.setCursor(5,0);
      lcd.print(downnum);
      lcd.print(dlspeed);
      lcd.setCursor(5,1);
      lcd.print("              ");
      lcd.setCursor(5,1);
      lcd.print(upnum);
      lcd.print(upspeed);
      lcd.setCursor(10,2);
      lcd.print(cpupercent,0);
      lcd.print("%  ");
      lcd.setCursor(8,3);
      lcd.print(d);
      lcd.print("D");
      lcd.print(" ");
      lcd.print(h);
      lcd.print(":");
      lcd.print(m);
      lcd.print(":");
      lcd.print(s);
      lcd.print(" ");
      finished = 0;

    }
   
    //Give the web browser time to receive the data
    delay(1);
    //Close the connection
    client.stop();
    Serial.println("Data Read complete");

  }

}


Sophos configuration:

You will need to update my below code based on the location of your scripts, but it is easy enough to follow. For the purpose of the below, the scripts are simply in /home/login/

Create a file called statupdate in the /home/login directory.

Open the file and copy/paste the following script, update the IP address with the IP address of the Arduino (I suggest a DHCP reservation (static)).

Code:


#!/bin/bash
IP='10.0.0.185'
while :
do
#echo "Start Loop"
# BPS = bytes per second over the S-second sample of the interface counters
DN=$(S=1; F=/sys/class/net/ppp0/statistics/rx_bytes; X=`cat $F`; sleep $S; Y=`cat $F`; BPS=$(( (Y-X)/S )); echo $BPS)
UP=$(S=1; F=/sys/class/net/ppp0/statistics/tx_bytes; X=`cat $F`; sleep $S; Y=`cat $F`; BPS=$(( (Y-X)/S )); echo $BPS)
CPU=$(uptime | grep -oh "load average: [0-9].[0-9][0-9]")
CPU=$(echo $CPU | sed -r 's/^.{14}//')
UPTIME=$(cat /proc/uptime)
UPTIME=$(echo $UPTIME | cut -f1 -d" ")
#echo $DN
#echo $UP
#echo $CPU
#echo $UPTIME
#echo curl "$IP/?$DN/$UP/$CPU/$UPTIME!"
# Quote the URL so the shell does not glob-expand the ? and !
curl "$IP/?$DN/$UP/$CPU/$UPTIME!" > /tmp/curl.log
sleep 1
#echo "Finished Loop"
done

You can uncomment the echoes for debugging if needed, and change the interface you want to monitor (I'm using ppp0).

Save the file and then set the execution permissions:

Code:

sudo chmod u+x /home/login/statupdate
Lastly, you need to add the script to crontab so that it starts on reboot.

Login to your server via SSH and run the following:

Code:

sudo crontab -e
Hit I for insert when VI loads, then copy/paste (or type) the following:

Code:

@reboot /home/login/statupdate > /tmp/lcdstat.log
Hit ESC, then type :wq and hit enter.

Hit reboot and you should be done, your LCD should now start updating every 5-6 seconds.


Hopefully someone finds this useful!
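A host-side C++ re-implementation of the sketch's query parsing, added here as an example and not part of the post above, so the `?download/upload/cpu/uptime!` framing the statupdate script sends can be checked off the board: it rejects a request that lacks the `?`...`!` framing, has a missing field or a non-numeric field (a stray browser hit on the Arduino, say) before anything reaches the display. The function names, the two-core CPU scaling copied from the sketch and the sample request line are assumptions.

```cpp
#include <cstdio>
#include <cstdlib>
#include <string>

struct LcdStats {
    long down;           // bytes/s derived from the rx_bytes delta
    long up;             // bytes/s derived from the tx_bytes delta
    double cpuPercent;   // load average scaled as in the sketch: load / 2 * 100
    long uptimeSeconds;  // first field of /proc/uptime, truncated to seconds
};

// True when f is a non-empty run of digits (optionally with '.' for the load average).
static bool numeric(const std::string& f, bool allowDot) {
    if (f.empty()) return false;
    for (char c : f)
        if (!(c >= '0' && c <= '9') && !(allowDot && c == '.')) return false;
    return true;
}

// Parses the request line sent by the statupdate script, e.g.
// "GET /?2048/512/0.42/93784! HTTP/1.1". Returns false unless the '?'...'!'
// framing and exactly four '/'-separated numeric fields are present, so a
// malformed or unrelated request never updates the display.
bool parseStats(const std::string& requestLine, LcdStats& out) {
    size_t q = requestLine.find('?');
    if (q == std::string::npos) return false;
    size_t bang = requestLine.find('!', q);
    if (bang == std::string::npos) return false;
    std::string body = requestLine.substr(q + 1, bang - q - 1);

    std::string fields[4];
    int idx = 0;
    for (char c : body) {
        if (c == '/') { if (++idx > 3) return false; }  // too many fields
        else fields[idx] += c;
    }
    if (idx != 3) return false;  // too few fields
    if (!numeric(fields[0], false) || !numeric(fields[1], false) ||
        !numeric(fields[2], true)  || !numeric(fields[3], false)) return false;

    out.down = std::strtol(fields[0].c_str(), nullptr, 10);
    out.up = std::strtol(fields[1].c_str(), nullptr, 10);
    out.cpuPercent = std::strtod(fields[2].c_str(), nullptr) / 2.0 * 100.0;
    out.uptimeSeconds = std::strtol(fields[3].c_str(), nullptr, 10);
    return true;
}

// Same unit choice as the sketch: 1024 B/s and above is shown in KB/s (integer division).
std::string formatRate(long bytesPerSec) {
    if (bytesPerSec >= 1024) return std::to_string(bytesPerSec / 1024) + " KB/s";
    return std::to_string(bytesPerSec) + " B/s";
}

// "dD h:m:s", the layout the sketch prints on the fourth LCD line.
std::string formatUptime(long seconds) {
    long s = seconds % 60, m = (seconds / 60) % 60;
    long h = (seconds / 3600) % 24, d = seconds / 86400;
    return std::to_string(d) + "D " + std::to_string(h) + ":" +
           std::to_string(m) + ":" + std::to_string(s);
}

int main() {
    LcdStats st{};
    const std::string req = "GET /?2048/512/0.42/93784! HTTP/1.1";  // constructed sample
    if (parseStats(req, st))
        std::printf("WAN %s  LNK %s  CPU %.0f%%  Uptime %s\n", formatRate(st.down).c_str(),
                    formatRate(st.up).c_str(), st.cpuPercent, formatUptime(st.uptimeSeconds).c_str());
    return 0;
}
```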

[9.308-16] SMS Gateway is back!

Look what Santa brought back in 9.308-16 :)


Attached Images
File Type: png SMSGW.PNG (18.0 KB)

Custom message for incoming e-mails

Hello everyone,

I have a customer who, among other things, also uses the UTM as a mail gateway. The question is whether it is possible to send back a message for certain mail addresses (e.g. anfrage@domain.de) that you can customize yourself?
Basically a custom NDR for a specific mail address, or something along those lines.

Or does this have to be solved on the Exchange server behind it?

I know this from other mail gateway appliances, but with the Sophos UTM I'm not sure whether it is possible.

SUM Up2Date files for UTM

Hello,

I have several UTM and SG systems in use that have no internet access. I use the SUM as the higher-level instance for monitoring the systems.
I would now like to use the SUM as an Up2Date cache for the UTMs. How can I load the Up2Date files for the UTMs onto the SUM without the SUM having direct internet access? Is there a special directory where the files have to be placed?

Many thanks for your help.

Regards, Back

Serial Port install mods

Hi all,

I'm trying to modify the latest install Software install image (asg-9.306-6.1.iso) in order to get a fully serial port aware install experience.

The isolinux part is okay, I'm getting all the serial output on COM1.

The next step in the install is to load the initramfs file which contains all the needed binaries and such in order to conduct the install properly.
Here is my problem: the /etc/inittab from the ramfs is invoking the installer executable through the use of "openvt", aka "virtual console", aka "virtual terminal".

here is the ramfs inittab file:
Code:

# inittab
# Copyright (c) 2009, 2010 Astaro AG

# default runlevel
id:1:initdefault:

si::sysinit:/etc/init.d/rcS

# virtual consoles
1:1:once:/bin/openvt -c 1 -w -- /bin/bootstrap --install
2:1:respawn:/bin/openvt -c 2 -w -- /bin/bash
4:1:respawn:/bin/openvt -c 4 -w -- /usr/lib/bootstrap/view-log

ca::ctrlaltdel:/etc/init.d/rc.0

Does anyone know if there is any way to route these VTs to ttyS0, or else whether I can migrate these openvt calls to mingetty/mgetty/agetty?

Thanks for any help,
regards,
m.

Upstream proxy authentication

Good day,

I have a perhaps somewhat unusual problem at one of our customers with an SG310 running version 9.306.

The scenario:
The SG is configured as the standard proxy and entered in the clients. The SG uses an upstream proxy that (actually) requires no authentication. So the SG has no direct internet access. None of the other proxies are managed by the customer. The other proxies are all squid proxies, with, among others, the following option configured:

cache_peer ip.von.upstream.proxy parent 8080 7 no-digest no-query login=PASS

For some password-protected intranet pages at other locations, the upstream proxy now returns a "407 Proxy Authentication Required" to the SG instead of a "401 Unauthorized". The SG then thinks it has to authenticate against the upstream proxy, but has no credentials and drops the whole thing without passing the login dialog through to the client.

Is there a way to hand this login over to the client behind it so that it can log in itself?

Regards, Denny

OTP Hardware Token Problem

Hello,

I set up OTP for the mobile phone and that all worked.

Now I have ordered hardware tokens, "VASCO Digipass Go6".
How can I set them up? From my supplier I only received the token. On the back of the token there is a serial number.

In the OTP settings, however, I can only enter a "hexadecimal octet string".

Please help.

Many thanks

Regards, Roman

DHCPv6 problem using UTM firewall

Hello,

We (our company) started testing IPv6 in our internal network. The DHCPv6 service seems to work fine; every client gets an IP address in the specified range.

There is only one problem: two of our HP printers keep requesting a renew even though they already received an IPv6 address. I'm not sure if it's requesting a new IPv6 address or other configuration. Using Wireshark I can see the printers request a renew like 50 times a second (both of them).

Source: fe80::9eb6:54ff:fe53:****
Destination: ff02::1:2
Protocol: DHCPv6
Source port: 546 (DHCP client)
Destination port: 547 (DHCP server)
Length: 176
Info: Renew XID: 0x2ae690 CID: 000300019cb65453****
IAA: 2001:1234:5678:1::fd40 > the IP it received from the DHCP server.

DHCPv6 message type: Renew (5)

Option request:
Requested Option code: Status code (13)
Requested Option code: Server unicast (12)
Requested Option code: DNS recursive name server (23)
Requested Option code: Domain Search List (24)
Requested Option code: Fully Qualified Domain Name (39)

I contacted HP, but they didn't really understand the problem and told me either static charge or the switch is the problem.