KHIKA App for Sophos Firewall
Contents
How to check the output of the KHIKA Sophos Firewall App?
Sophos Firewall Malicious Communication Dashboard
Go to "Dashboards" from the left menu. From the list of in-built dashboards, select this one; it opens the dashboard. This dashboard focuses on malicious communications seen in the Sophos Firewall logs that are ingested into KHIKA. KHIKA shares community-based threat intelligence and uses it to flag bad IPs, so the dashboard shows, in an analytical fashion, which bad source or destination IPs have communicated with your network. You can filter and search the information and create new dashboards too. For help with Dashboards, click here
Elements in the Dashboard are explained below :
Visualization | Description |
Daily Trend | Trend of malicious communication over time. Useful to identify unusual spikes at a glance. X axis: date & time. Y axis: count of events. |
Malicious IP wise status bar graph | X axis: all the malicious IP addresses that communicated with the device. Y axis: stacked within each bar, the status of the connection (for example allow, deny, accepted) and the count of events. |
Contribution of User pie chart | Contribution of the users who communicated with malicious IPs. |
Contribution of Status pie chart | Contribution of each connection status (for example allow, deny, accepted). |
Source IP wise status bar graph | X axis: all the source IP addresses that initiated the connection. Y axis: stacked within each bar, the status of the connection and the count of events. |
Destination IP wise status bar graph | X axis: all the destination IP addresses that communicated with malicious IPs. Y axis: stacked within each bar, the status of the connection and the count of events. |
Summary Table | Detailed data with timestamp and count. |
A suggestion for useful interaction with this dashboard could be :
Click on the malicious IP with the most communication in the Malicious IP wise status bar chart. It gets selected and a filter for that malicious IP is applied across the rest of the dashboard. The next two pie charts then show the users who communicated with this IP and the status of those connections, and the next two bar charts show the source and destination IPs involved. Details for the selected malicious IP can be seen in the summary table. How to remove this filter is explained here
Sophos Firewall Admin Activities Dashboard
Go to "Dashboards" from the left menu. From the list of in-built dashboards, select this one; it opens the dashboard. This dashboard focuses on the login activity of admin users in the Sophos Firewall. Details such as which user logged in how many times, authentication information and configuration changes are shown in an analytical fashion. You can filter and search the information and create new dashboards too. For help with Dashboards, click here
Elements in the Dashboard are explained below :
Visualization | Description |
Daily Trend | Trend of login events over time. Useful to identify unusual spikes at a glance. X axis: date & time. Y axis: count of events. |
Contribution of Source IP pie chart | Contribution of the source IP addresses from which admin users logged in. |
User wise status bar chart | X axis: user name. Y axis: stacked within each bar, the status of the login or configuration change and the count of events. |
Summary Table | Detailed data with timestamp and count. |
A suggestion for useful interaction with this dashboard could be :
Examine the time trend for periods with a high number of events. The rest of the dashboard is filtered to that range, so you can isolate all the source IPs from which admin users logged in ("Contribution of Source IP" pie chart) and the users and status of the executed actions (the bar chart). Details of all activities in the selected time range can be seen in the summary table.
Sophos Firewall Login Activities Dashboard
Go to "Dashboards" from the left menu. From the list of in-built dashboards, select this one; it opens the dashboard. This dashboard focuses on the login activity of all users in the Sophos Firewall. Details such as which user logged in how many times and authentication information are shown in an analytical fashion.
You can filter and search information and create new ones too. For help with Dashboards, click here
Elements in the Dashboard are explained below :
Visualization | Description |
Time trend | Trend of login events over time. Useful to identify unusual spikes at a glance. X axis: date & time. Y axis: count of events. |
User name wise status | X axis: user name. Y axis: stacked within each bar, the status of the login or configuration change and the count of events. |
Contribution of status pie chart | Share of successful and failed authentication events. |
Contribution of Group Name pie chart | Contribution of each user group; every user belongs to one or more user groups. |
Source IP wise status | X axis: source IP. Y axis: stacked within each bar, the count of successful and failed events for each IP address. |
Summary Table | Detailed data with timestamp and count. |
Some suggestions for useful interaction with this dashboard could be :
- Click on a user group in the "Contribution of Group Name" pie chart. The rest of the dashboard is filtered to events from that user group, so you can isolate the users in the selected group and their login status in the "User name wise status" chart, and the source IPs they logged in from in the "Source IP wise status" chart.
Sophos Firewall VPN activity Dashboard
Go to "Dashboards" from the left menu. From the list of in-built dashboards, select this one; it opens the dashboard. This dashboard summarizes Sophos Firewall VPN activity: bandwidth utilization, the servers accessed by VPN users, and so on.
You can filter and search information and create new ones too. For help with Dashboards, click here
Elements in the Dashboard are explained below :
Visualization | Description |
Time trend | Trend of VPN login events over time. Useful to identify unusual spikes at a glance. X axis: date & time. Y axis: count of events. |
Contribution of VPN Users pie | Contribution of each user who logged in over the VPN. |
Contribution of Status | Contribution of the allow/deny status of VPN connections. |
Source IP wise hits | X axis: top 10 source IPs from which users logged in over the VPN. Y axis: number of hits from each source IP. |
Hostname wise User | X axis: top 10 destination IPs accessed by users logged in over the VPN. Y axis: number of hits to each destination IP. |
Summary Table | Detailed data with timestamp and count. |
Some suggestions for useful interaction with this dashboard could be :
- Click on a particular user in the "Contribution of VPN Users" pie to monitor all the activity of that VPN user.
- Alternatively, examine the time trend for the period of highest bandwidth consumption. The rest of the dashboard is filtered to that range, so you can isolate the source IPs from which VPN users logged in and the destination IPs (servers) they accessed in the bar charts, and which users consumed the most bandwidth and the status of their connections in the pie charts. Details of all VPN connections in the selected time range can be seen in the summary table.
Sophos Firewall Alerts
Alerts are generated in real time when certain critical behaviour is observed in the system. They are shown on the Alerts Dashboard in KHIKA and can also be sent by email to the relevant stakeholders. The details of KHIKA Alerts are described here. Click on "Alert Dashboard" in the left menu.
Certain alerts for Sophos Firewall are pre-canned and shipped with KHIKA, keeping in mind the requirements of users. They are listed in the table below :
Alerts Description
Alert Name | Description | Suggested Resolution |
Sophos firewall host scan attack | Triggered when more than 10 connections occur from the same source IP to the same destination IP using different destination ports within one minute. | An attacker sprays connection requests at multiple popular ports (21, 22, 53, 80, 443 etc.) on a single IP address at a time, intending to find the open ports on that target. A scan is typically the first stage of reconnaissance in the attack life cycle.
Unless a known and legitimate IP address is performing the scan, it is important to block this IP. You may whitelist known IP addresses (such as a designated vulnerability scanner or asset discovery tool) to suppress false positives. |
Sophos firewall sweep scan attack | Triggered when more than 10 connections occur from the same source IP to various destination IPs within one minute. | An attacker sprays connection requests at one of the popular ports (21, 22, 53, 80, 443 etc.) across multiple IP addresses, intending to find which IP addresses have that port open. A scan is typically the first stage of reconnaissance in the attack life cycle.
Unless a known and legitimate IP address is performing the scan, it is important to block this IP. You may whitelist known IP addresses (such as a designated vulnerability scanner or asset discovery tool) to suppress false positives. |
Sophos firewall backdoor traffic detected | Triggered when a connection is made to one of the known backdoor destination ports 3127, 3198, 6129 or 7080 within one minute. | This event indicates that traffic was generated from an internal machine to one of these ports (3127, 3198, 6129, 7080). Attackers typically use these ports to exploit vulnerable programs listening on them.
Check whether these ports are open and on which servers. Do you really need them open? Check which programs are listening on them and the vulnerability reports for those applications. Block these ports for external traffic unless it is mandatory to keep them open; if any must stay open, restrict access to legitimate IPs. If a suspicious IP repeatedly tries to reach these ports, block it. Check the reputation of the IP on popular websites such as ipvoid.com or virustotal.com. |
Sophos firewall host scan activity by malicious ip | Triggered when more than 10 connections occur from the same malicious IP using different destination ports within one minute. | A bad IP address sprays connection requests at multiple popular ports (21, 22, 53, 80, 443 etc.) on a single IP address at a time, intending to find the open ports on that target. A scan is typically the first stage of reconnaissance in the attack life cycle.
It is important to check the reputation of the external IP address and block it if necessary. |
Sophos firewall successful host scan activity by malicious ip | Triggered when more than 10 connections occur from the same malicious IP using different destination ports within one minute, with a deny status followed by an allow (successful connection) status. | A bad IP address sprays connection requests at multiple popular ports (21, 22, 53, 80, 443 etc.) on a single IP address at a time, intending to find the open ports on that target. A scan is typically the first stage of reconnaissance in the attack life cycle; here the attacker also established a connection on an open port.
It is important to check the reputation of the external IP address and block it if necessary. It is also important to verify the sanity of the affected internal nodes by checking whether any unwarranted system policy change or software configuration change or update occurred during the affected time period. If required, quarantine the affected servers until the issues are resolved. |
Sophos firewall successful host scan activity | Triggered when more than 10 connections occur from the same source IP to the same destination IP using different destination ports within one minute, with a deny status followed by an allow (successful connection) status. | An attacker sprays connection requests at multiple popular ports (21, 22, 53, 80, 443 etc.) on a single IP address at a time, intending to find the open ports on that target. A scan is typically the first stage of reconnaissance in the attack life cycle; here the attacker also established a connection on an open port.
It is important to check the reputation of the suspected IP address. If it is external, you may consider blocking it. If it is internal, you may need to verify the sanity of the corresponding device. It is also important to verify the sanity of the affected internal nodes by checking whether any unwarranted system policy change or software configuration change or update occurred during the affected time period. If required, quarantine the affected servers until the issues are resolved. This may be a false positive. |
Sophos firewall communication with possible IOC or bad IP | Triggered when a suspicious IP communicates with an internal IP. | KHIKA shares community-based threat intelligence (TI) every 24 hours. The TI contains a list of IP addresses with bad reputation; every bad IP is marked with the number of communities reporting it, the name of each community and a confidence score indicating how confident we are about the reputation. This alert is generated when communication with a bad IP is let through.
If communication with a bad IP is happening, it must be blocked immediately, as it could be an attack or data exfiltration. You can check how long this communication has been going on by simply searching for the malicious IP in the logs. You can also check which internal IP addresses are communicating with it and track the real users behind those internal addresses. Cross-check the reputation of the IP with popular websites such as ipvoid.com or virustotal.com. If an internal IP is constantly involved in malicious communication (with the same or multiple external IP addresses), you may install agents on the internal nodes involved to identify the real user and process responsible. It is critical to block this rogue communication. |
Sophos firewall large data sent outside | Triggered when a large amount of data is sent to an external IP address. | A large amount of data being sent to an external network could be an indication of data exfiltration.
Check with the user or process responsible for the data being sent out whether it was done for legitimate business reasons. This could be a false positive. |
Sophos firewall sweep scan attack by malicious ip | Triggered when more than 10 connections occur from the same malicious IP to different destination IPs within one minute. | A bad IP address sprays connection requests at one of the popular ports (21, 22, 53, 80, 443 etc.) across multiple IP addresses, intending to find which IP addresses have that port open. A scan is typically the first stage of reconnaissance in the attack life cycle.
It is important to check the reputation of the external IP address and block it if necessary. |
Sophos firewall successful sweep scan activity | Triggered when more than 10 connections occur from the same source IP to different destination IPs within one minute, with a deny status followed by an allow (successful connection) status. | An attacker sprays connection requests at one of the popular ports (21, 22, 53, 80, 443 etc.) across multiple IP addresses, intending to find which IP addresses have that port open. A scan is typically the first stage of reconnaissance in the attack life cycle; here the attacker also established a connection to one of the IP addresses.
It is important to check the reputation of the suspected IP address. If it is external, you may consider blocking it. If it is internal, you may need to verify the sanity of the corresponding device. It is also important to verify the sanity of the affected internal nodes by checking whether any unwarranted system policy change or software configuration change or update occurred during the affected time period. If required, quarantine the affected servers until the issues are resolved. This may be a false positive. |
Sophos firewall successful sweep scan activity by malicious ip | Triggered when more than 10 connections occur from the same malicious IP to different destination IPs within one minute, with a deny status followed by an allow (successful connection) status. | A bad IP address sprays connection requests at one of the popular ports (21, 22, 53, 80, 443 etc.) across multiple IP addresses, intending to find which IP addresses have that port open. A scan is typically the first stage of reconnaissance in the attack life cycle; here the attacker found an open port on one of the IP addresses and was able to establish a connection.
It is important to check the reputation of the external IP address and block it if necessary. It is also important to verify the sanity of the affected internal nodes by checking whether any unwarranted system policy change or software configuration change or update occurred during the affected time period. If required, quarantine the affected servers until the issues are resolved. |
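The scan, backdoor-port and bad-IP rules in the table can be reproduced in a few lines of Python. The block below is an added example and is not KHIKA's rule engine or Sophos code: it runs the host scan, sweep scan, successful-scan (deny followed by allow), backdoor-port and bad-IP checks over constructed log lines written in the key=value style of Sophos Firewall syslog. The field names it parses (date, time, log_subtype, src_ip, dst_ip, dst_port), the sample addresses and the one-entry threat-intelligence list are assumptions made for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=1)   # "within one minute"
THRESHOLD = 10                  # alerts fire on MORE than 10 connections
BACKDOOR_PORTS = {3127, 3198, 6129, 7080}
BAD_IPS = {"203.0.113.77"}      # constructed stand-in for the KHIKA TI list (assumption)

# Field names follow the key=value style of Sophos Firewall syslog (assumed;
# verify against your own feed before reusing the pattern).
LINE_RE = re.compile(
    r'date=(?P<date>\S+) time=(?P<time>\S+) .*?log_subtype="(?P<status>[^"]+)"'
    r'.*? src_ip=(?P<src>\S+) dst_ip=(?P<dst>\S+) dst_port=(?P<port>\d+)'
)

def _line(ts, status, src, dst, port):
    """Build one constructed sample log line."""
    return (f'date={ts:%Y-%m-%d} time={ts:%H:%M:%S} log_type="Firewall" '
            f'log_subtype="{status}" src_ip={src} dst_ip={dst} dst_port={port}')

_T0 = datetime(2024, 1, 15, 10, 0, 0)
SAMPLE_LOGS = (
    # host scan: 11 ports on 10.0.0.5 denied within 20 s, then 443 allowed at +30 s
    [_line(_T0 + timedelta(seconds=2 * i), "Denied", "198.51.100.9", "10.0.0.5", p)
     for i, p in enumerate([21, 22, 23, 25, 53, 80, 110, 135, 139, 445, 3389])]
    + [_line(_T0 + timedelta(seconds=30), "Allowed", "198.51.100.9", "10.0.0.5", 443)]
    # sweep scan from a bad IP: port 22 on 11 internal hosts, all denied
    + [_line(_T0 + timedelta(seconds=60 + i), "Denied", "203.0.113.77", f"10.0.1.{i}", 22)
       for i in range(1, 12)]
    # an internal host reaching a backdoor port, a bad IP let through, normal traffic
    + [_line(_T0 + timedelta(seconds=200), "Allowed", "10.0.0.21", "192.0.2.10", 3127),
       _line(_T0 + timedelta(seconds=250), "Allowed", "10.0.0.21", "203.0.113.77", 8443),
       _line(_T0 + timedelta(seconds=300), "Allowed", "10.0.0.21", "192.0.2.10", 443)]
)

def parse(lines):
    """Parse matching lines into time-sorted event dicts; skip anything else."""
    events = []
    for line in lines:
        m = LINE_RE.search(line)
        if not m:
            continue
        ts = datetime.strptime(f"{m['date']} {m['time']}", "%Y-%m-%d %H:%M:%S")
        events.append({"ts": ts, "status": m["status"], "src": m["src"],
                       "dst": m["dst"], "port": int(m["port"])})
    return sorted(events, key=lambda e: e["ts"])

def _scan_hits(events, key_fn, distinct_fn):
    """Sliding-window check: per key, more than THRESHOLD distinct values
    (ports for a host scan, destination IPs for a sweep) inside WINDOW.
    Returns {key: (distinct_count, deny_followed_by_allow)}."""
    by_key = defaultdict(list)
    for e in events:
        by_key[key_fn(e)].append(e)
    hits = {}
    for key, evs in by_key.items():
        for i, start in enumerate(evs):
            window = [e for e in evs[i:] if e["ts"] - start["ts"] < WINDOW]
            distinct = {distinct_fn(e) for e in window}
            if len(distinct) > THRESHOLD:
                statuses = [e["status"] for e in window]
                ok = ("Denied" in statuses and
                      "Allowed" in statuses[statuses.index("Denied") + 1:])
                hits[key] = (len(distinct), ok)
                break  # one alert per key per run is enough
    return hits

def _name(kind, ok, bad):
    """Alert names as in the table above, without the 'Sophos firewall' prefix."""
    if not bad:
        return f"successful {kind} scan activity" if ok else f"{kind} scan attack"
    if ok:
        return f"successful {kind} scan activity by malicious ip"
    return ("host scan activity by malicious ip" if kind == "host"
            else "sweep scan attack by malicious ip")

def detect(lines):
    """Run the scan, backdoor-port and bad-IP checks; return a list of alerts."""
    events = parse(lines)
    alerts = []
    host = _scan_hits(events, lambda e: (e["src"], e["dst"]), lambda e: e["port"])
    for (src, dst), (n, ok) in host.items():
        alerts.append({"alert": _name("host", ok, src in BAD_IPS),
                       "src": src, "dst": dst, "distinct": n})
    sweep = _scan_hits(events, lambda e: e["src"], lambda e: e["dst"])
    for src, (n, ok) in sweep.items():
        alerts.append({"alert": _name("sweep", ok, src in BAD_IPS),
                       "src": src, "dst": None, "distinct": n})
    for e in events:
        if e["port"] in BACKDOOR_PORTS:
            alerts.append({"alert": "backdoor traffic detected", "src": e["src"],
                           "dst": e["dst"], "port": e["port"]})
        # the TI alert fires only when traffic with a bad IP was let through
        if e["status"] == "Allowed" and BAD_IPS & {e["src"], e["dst"]}:
            alerts.append({"alert": "communication with possible IOC or bad IP",
                           "src": e["src"], "dst": e["dst"], "port": e["port"]})
    return alerts
```

Calling detect(SAMPLE_LOGS) yields four alerts: a successful host scan (12 distinct ports, deny then allow), a sweep scan attack by a malicious IP (11 destinations), backdoor traffic on port 3127, and one bad-IP communication that was allowed; the denied sweep connections from the bad IP do not raise the TI alert because they were not let through. The window is evaluated from every event as a start point, so a scan straddling two wall-clock minutes is still caught, which a fixed per-minute bucket would miss. The scanner whitelist the table recommends would be a second set consulted before the scan alerts are emitted.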