Page 2 of 3
Results 11 to 20 of 23
#11 BarryDingle (Untangler, joined Oct 2013, 37 posts)

Quote Originally Posted by Sam Graf:
    Without being able to look at specific signatures and tinker, it's my recollection that the preferred method is to copy/clone the signature and edit the copy/clone. I'd be glad to give that a try and see what happens to the original signature (that is, which signature takes effect) if you can give me an SID.
    Sure, the SID appears to be 2016149. There might be a couple more, but let's start with that.
    Last edited by BarryDingle; 03-04-2020 at 07:22 AM.

#12 Untangle Ninja (joined Feb 2016, 1,029 posts)

Quote Originally Posted by BarryDingle:
    Sure, the SID appears to be 2016149.
    Before I go any further, that SID is, by default, Log, not Block, in v14 (don't have v15 yet).

[attachment: SID.png]

    So perhaps someone already cloned this signature and edited it?

#13 sky-knight (Untangle Ninja, joined Apr 2008, Phoenix, AZ, 24,817 posts)

    v15 defaults to only enabling low, medium, and high memory rules. In this state signature 2016149 is log only.

Default Low and Medium Priority rules also do not set anything to block.

    High Priority doesn't cause the signature in question (2016149) to set to block, but Critical Priority does.

    So if you want this stuff to work, disable both Critical and High Priority rule sets so that the module isn't blocking anything, then make copies of those rules so you can make adjustments to the new rules to prevent the signatures from being selected to block that are causing the problem.

    Or... you use the bypass rules tab at the top to bypass the machines in question...
    Or... you make platform bypass rules for Unifi ports going into / out of the controller...

    Here's the part that's odd for me... My Unifi Controller works fine, I can access it from the cloud account inside or outside my Untangle. But, if I turn on Critical Priority, I can STILL access my unifi controller but I can't get into my client's controllers... but only from my phone. My Firefox on my desktop works fine. It's IDS... it's not exact... and it doesn't block anything by default for a reason.
    Last edited by sky-knight; 03-04-2020 at 08:11 AM.
    Rob Sandling, BS:SWE, MCP
    NexgenAppliances.com
    Phone: 866-794-8879 x201
    Email: support@nexgenappliances.com

#14 Untangle Ninja (joined Feb 2016, 1,029 posts)

Quote Originally Posted by sky-knight:
    ...but Critical Priority does.
    My bad. It's the same for v14 (I didn't actually expect there to be a difference, but...).

#15 BarryDingle (Untangler, joined Oct 2013, 37 posts)

Quote Originally Posted by sky-knight: (post #13 above, quoted in full)
    Yeah - I've got both critical and high priority rules enabled. It would still be nice to be able to individually adjust signatures... but either way, I think my colleague and I have got it working by creating a bypass rule in Intrusion Prevention for Source Address (the endpoint LAN IP you're using to access the UniFi Controller) and Destination Port 3478.
    Last edited by BarryDingle; 03-04-2020 at 08:42 AM.

#16 sky-knight (Untangle Ninja, joined Apr 2008, Phoenix, AZ, 24,817 posts)

So digging into this further, presuming my issues are the same as the OP's... the sessions being blocked from my cell phone are flagging the same signature 2016149, and always terminating on port 3478 to somewhere in Amazon AWS on this IP block 54.240.0.0/16. So I created a bypass rule in Intrusion Prevention with those two flags.

    Destination address: 54.240.0.0/16
    Destination port: 3478

So I made an identical system bypass rule.. no effect... then I screwed my brain in, AWS isn't on 54.240.0.0/16, it's on 54.240.0.0/12! Check the logs and sure enough, it's puking on an IP that's outside the /16 I bypassed... Don't you hate it when computers do exactly what you tell them to?

    So I removed the system bypass rule and updated the bypass rule in the IDS module with the wider range... my phone STILL cannot connect. Then I tried a system bypass rule with the same structure...

Like Stonecat before me, I then discovered this simply doesn't work. The bypassed traffic is very much not bypassed. Tried an identical system bypass rule, and also no effect. 2016149 is still triggering despite Untangle being told in two different places to bypass all traffic terminating on the above IP block as well as the above destination port.

    All of this screams bug... but as reported here it's not a situation unique to v15, this was happening on v14.2 as well. The IDS module doesn't seem to play by the same rules as other rack applications, and cannot bypass traffic correctly.

    Disabling the Critical Priority Rule cures the condition, by simply not blocking the traffic anymore.

    So, I made a copy of the Critical Priority Rule, edited it to have a second flag, Signature Identifier: != 2016149, which neatly disables the signature in question. But while this works, it doesn't really solve the problem because it disables that signature for all traffic, not just traffic bound for AWS on the above destination port.

    What's funny? Unifi's own IDS flags this too! And in the exact same way!

    https://community.ui.com/questions/A...a-486ae33e7d58

    Considering how important STUN is, I'm thinking disabling the signature is probably for the best. This thing might play with VoIP phones too!

Anyway, don't play with IDS rules unless you're ready to spend time and burn brain cells; the module isn't for the faint of heart. If you want to use it to keep an eye on things, fine, but leave High and Critical Priority DISABLED. Blocking in here contains dragons!
    Last edited by sky-knight; 03-04-2020 at 08:48 AM.

#17 BarryDingle (Untangler, joined Oct 2013, 37 posts)

    I have confirmed that my rule recommendation does work. Set a bypass rule for Source Address (your internal IP) and Destination port 3478, and it should work OK.
    Last edited by BarryDingle; 03-04-2020 at 08:57 AM.

#18 sky-knight (Untangle Ninja, joined Apr 2008, Phoenix, AZ, 24,817 posts)

Quote Originally Posted by BarryDingle:
    I have confirmed that my rule recommendation does work. Set a bypass rule for Source Address (your internal IP) and Destination port 3478, and it should work OK.
    That's another option, but I don't know what IP address my phone is going to carry. I have Untangles all over the place, and I don't really want to have IP reservations for my phone on every network so I can match on interior address.

#19 kisch (Untanglit, joined Oct 2019, 18 posts)

    I am using this and it seems fine. I can connect to Unifi portal without problem.

[attachment: IPS.PNG]

#20 BarryDingle (Untangler, joined Oct 2013, 37 posts)

Quote Originally Posted by kisch:
I am using this and it seems fine. I can connect to Unifi portal without problem.

[attachment: IPS.PNG]
    Looks like it works. Just have to make sure you have them above your critical and high priority categories in the list.
    Last edited by BarryDingle; 03-04-2020 at 09:31 AM.
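Added example, not code from Untangle or from any poster in this thread: a small Python model of the Intrusion Prevention bypass and priority rules discussed in posts #13, #16 and #20, so the three failure modes can be reproduced offline. It assumes rules are evaluated top to bottom with the first match deciding (the ordering point made in post #20) and that a session no rule matches is only logged (the default behaviour sky-knight describes in post #13); Untangle's real engine is not documented on this page and may differ. That SID 2016149 falls in the Critical priority class is taken from post #13. The source address 192.168.1.50, the destinations 54.250.10.20 and 203.0.113.9, and SID 9999999 are constructed placeholders; 54.250.10.20 is chosen because it sits inside 54.240.0.0/12 but outside 54.240.0.0/16, the exact gap post #16 ran into.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional, Set


def cidr_contains(ip: str, cidr: str) -> bool:
    """True when ip falls inside cidr. A bare address is treated as a /32."""
    return ipaddress.ip_address(ip) in ipaddress.ip_network(cidr, strict=False)


@dataclass(frozen=True)
class Session:
    src: str
    dst: str
    dport: int
    sid: int        # signature that fired on this flow
    priority: str   # priority class of that signature: low / medium / high / critical


@dataclass
class Rule:
    """One IPS rule: a set of conditions (flags) plus the action taken on match."""
    name: str
    action: str                      # "bypass" or "block"
    src_net: Optional[str] = None    # Source Address condition (CIDR or single IP)
    dst_net: Optional[str] = None    # Destination Address condition
    dport: Optional[int] = None      # Destination Port condition
    priority: Optional[str] = None   # matches every signature of this priority class
    sid_not: Set[int] = field(default_factory=set)  # "Signature Identifier != X" flags

    def matches(self, s: Session) -> bool:
        if self.src_net and not cidr_contains(s.src, self.src_net):
            return False
        if self.dst_net and not cidr_contains(s.dst, self.dst_net):
            return False
        if self.dport is not None and s.dport != self.dport:
            return False
        if self.priority and s.priority != self.priority:
            return False
        if s.sid in self.sid_not:
            return False
        return True


def evaluate(rules: List[Rule], s: Session) -> str:
    """Assumption: first matching rule wins; no match means the flow is only logged."""
    for r in rules:
        if r.matches(s):
            return r.action
    return "log"


# Constructed sample flows (placeholder addresses, see lead-in).
STUN_TO_AWS = Session("192.168.1.50", "54.250.10.20", 3478, 2016149, "critical")
STUN_TO_OTHER = Session("192.168.1.50", "203.0.113.9", 3478, 2016149, "critical")
OTHER_CRITICAL = Session("192.168.1.50", "203.0.113.9", 443, 9999999, "critical")  # 9999999 is a made-up SID

CRITICAL_BLOCK = Rule("Critical Priority", "block", priority="critical")


def narrow_bypass() -> str:
    """Post #16's first attempt: a /16 bypass above the Critical rule. The flow still blocks."""
    rules = [Rule("bypass AWS STUN", "bypass", dst_net="54.240.0.0/16", dport=3478), CRITICAL_BLOCK]
    return evaluate(rules, STUN_TO_AWS)


def wide_bypass() -> str:
    """Same bypass widened to the /12 that actually covers the destination."""
    rules = [Rule("bypass AWS STUN", "bypass", dst_net="54.240.0.0/12", dport=3478), CRITICAL_BLOCK]
    return evaluate(rules, STUN_TO_AWS)


def bypass_below_block() -> str:
    """Post #20's point: the correct bypass placed under the Critical rule never gets a chance."""
    rules = [CRITICAL_BLOCK, Rule("bypass AWS STUN", "bypass", dst_net="54.240.0.0/12", dport=3478)]
    return evaluate(rules, STUN_TO_AWS)


def source_bypass() -> str:
    """Posts #15 and #17: Source Address of the admin host plus Destination Port 3478."""
    rules = [Rule("bypass admin PC", "bypass", src_net="192.168.1.50", dport=3478), CRITICAL_BLOCK]
    return evaluate(rules, STUN_TO_AWS)


def cloned_critical_without_sid() -> dict:
    """Post #16's workaround: a copy of Critical Priority with 'Signature Identifier != 2016149'.
    The STUN flow is no longer blocked, but neither is SID 2016149 to any other destination,
    which is the downside sky-knight notes; other critical signatures still block."""
    rules = [Rule("Critical Priority (copy)", "block", priority="critical", sid_not={2016149})]
    return {
        "stun_to_aws": evaluate(rules, STUN_TO_AWS),
        "stun_to_other": evaluate(rules, STUN_TO_OTHER),
        "other_critical": evaluate(rules, OTHER_CRITICAL),
    }
```

Run the functions directly or drop them into a REPL: `narrow_bypass()` and `bypass_below_block()` both return "block", `wide_bypass()` and `source_bypass()` return "bypass", and `cloned_critical_without_sid()` shows the signature-wide side effect of the cloned rule. The CIDR check is the part worth keeping: `cidr_contains("54.250.10.20", "54.240.0.0/16")` is False while the /12 is True, which is the whole of the first mistake in post #16.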
