Configuration options for Sophos
Review configuration options for Sophos firewalls in RocketCyber
Option | Description
--- | ---
Advanced threat detection | Sophos' heuristic for predicting what traffic should be blocked. As a result these events often have relatively low noise and should not be disabled.
Reputation lookup on connecting IPs | This will monitor traffic and inform you only of unexpected traffic or traffic coming from unusual locations (e.g. countries on the Enabled Countries list).
Internal compromise check | Checks for internal addresses that are acting in a malicious manner (e.g. acting like a spambot). Like most high confidence/low confidence event pairs, the low confidence detections introduce a large amount of noise and are not helpful in most situations.
Antivirus | Firewall AV is the first chance to catch a virus entering your network. It is important to stay informed of this attack vector.
Probably Unwanted Applications | This detects applications that are not often used in a business setting, or are harmful for productivity. Because there is some variation in workplace norms and expectations, if you find you are getting many hits from applications that are permitted in your workplace, it is fine to disable this event type.
IDS/IPS detections | Finds a variety of dangerous traffic such as known viruses. The low confidence detections are often incorrect and introduce too much noise to be useful in most situations. If you have a full-time security department to go through the results, enabling low-confidence detections may be worthwhile.
VPN activity | This will detect any attempt to use VPN functionality, so only enable this if VPN is disabled in your network and there should not be any VPN usage on your network.
Log Format
The expected format for Sophos logs is space-separated key=value pairs (values containing spaces are double-quoted). For example:
<134>device="SFW" date=2018-06-06 time=11:10:11 timezone="IST" device_name="ROCY02" device_id=S4777776149EE49 log_id=041114477777 log_type="Anti-Spam" log_component="SMTP" log_subtype="Outbound Probable Spam" status="" priority=Warning fw_rule_id=0 user_name="" av_policy_name="rule 8" from_email_address="test@postman.local" to_email_address="test@Postman.local" email_subject="RPD Spam test: Bulk" mailid="<c63b1eb2-1c17-7777-fcc3-20e8831dc3d3@postman.local>" mailsize=439 spamaction="Drop" reason="Mail detected as OUTBOUND PROBABLE SPAM." src_domainname="postman.local" dst_domainname="" src_ip=10.198.17.127 src_country_code=R1 dst_ip=10.198.77.7 dst_country_code=R1 protocol="TCP" src_port=58777 dst_port=25 sent_bytes=0 recv_bytes=0 quarantine_reason="Spam"
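A small parser for this format, added here as an illustration and not part of RocketCyber's or Sophos' own code. It splits the syslog priority prefix and the key=value pairs, keeping quoted values with spaces (such as the reason field) and empty values intact; the sample line is the one shown above.

```python
import re
from typing import Dict

# Sample line from the page above, joined onto one line.
SAMPLE = ('<134>device="SFW" date=2018-06-06 time=11:10:11 timezone="IST" device_name="ROCY02" '
          'device_id=S4777776149EE49 log_id=041114477777 log_type="Anti-Spam" log_component="SMTP" '
          'log_subtype="Outbound Probable Spam" status="" priority=Warning fw_rule_id=0 user_name="" '
          'av_policy_name="rule 8" from_email_address="test@postman.local" '
          'to_email_address="test@Postman.local" email_subject="RPD Spam test: Bulk" '
          'mailid="<c63b1eb2-1c17-7777-fcc3-20e8831dc3d3@postman.local>" mailsize=439 spamaction="Drop" '
          'reason="Mail detected as OUTBOUND PROBABLE SPAM." src_domainname="postman.local" '
          'dst_domainname="" src_ip=10.198.17.127 src_country_code=R1 dst_ip=10.198.77.7 '
          'dst_country_code=R1 protocol="TCP" src_port=58777 dst_port=25 sent_bytes=0 recv_bytes=0 '
          'quarantine_reason="Spam"')

# key=value where the value is either a double-quoted string (may contain
# spaces, may be empty) or a bare token that runs to the next whitespace.
_PAIR = re.compile(r'(\w+)=("([^"]*)"|\S*)')
# Standard syslog <PRI> prefix: facility * 8 + severity.
_PRI = re.compile(r'^<(\d{1,3})>')


def parse_sophos(line: str) -> Dict[str, str]:
    """Parse one Sophos firewall log line into a dict of string fields."""
    fields: Dict[str, str] = {}
    m = _PRI.match(line)
    if m:
        pri = int(m.group(1))
        fields["syslog_facility"] = str(pri // 8)  # 134 -> 16 (local0)
        fields["syslog_severity"] = str(pri % 8)   # 134 -> 6 (informational)
        line = line[m.end():]
    for key, raw, quoted in _PAIR.findall(line):
        # raw is the whole value as written; quoted is the inner text when
        # it was double-quoted, so status="" correctly yields an empty string.
        fields[key] = quoted if raw.startswith('"') else raw
    return fields


if __name__ == "__main__":
    parsed = parse_sophos(SAMPLE)
    for k in ("log_type", "log_subtype", "src_ip", "dst_ip", "reason"):
        print(f"{k} = {parsed[k]!r}")
```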