Sophos

Review configuration options for Sophos firewalls in RocketCyber

Advanced threat detection

Sophos' heuristic detection of traffic that should be blocked. These events are typically low-noise, so they should be left enabled.

Reputation lookup on connecting IPs

Monitors connecting IPs and reports only unexpected traffic or traffic from unusual locations (e.g. countries you have placed on the Enabled Countries list).

Internal compromise check

Checks for internal addresses that are behaving maliciously (e.g. acting like a spambot).

As with most high-confidence/low-confidence event pairs, the low-confidence detections introduce a large amount of noise and are not helpful in most situations.

Antivirus

Firewall AV is the first chance to catch a virus entering your network, so it is important to stay informed of this attack vector.

Potentially Unwanted Applications

Detects applications that are not commonly used in a business setting or that are harmful to productivity.

Because workplace norms and expectations vary, if you see many hits from applications that are permitted in your workplace, it is fine to disable this event type.

IDS/IPS detections

Finds a variety of dangerous traffic, such as known viruses and exploit attempts, by signature matching.

The low-confidence detections are often incorrect and introduce too much noise to be useful in most situations. If you have a full-time security department to review the results, enabling low-confidence detections may be worthwhile.

VPN activity

Detects any attempt to use VPN functionality, so only enable it if VPN use is prohibited on your network and there should be no VPN traffic at all.

Log Format

The expected format for Sophos logs is space-separated key=value pairs; values containing spaces are double-quoted. For example:

<134>device="SFW" date=2018-06-06 time=11:10:11 timezone="IST" device_name="ROCY02" device_id=S4777776149EE49 log_id=041114477777 log_type="Anti-Spam" log_component="SMTP" log_subtype="Outbound Probable Spam" status="" priority=Warning fw_rule_id=0 user_name="" av_policy_name="rule 8" from_email_address="test@postman.local" to_email_address="test@Postman.local" email_subject="RPD Spam test: Bulk" mailid="<c63b1eb2-1c17-7777-fcc3-20e8831dc3d3@postman.local>" mailsize=439 spamaction="Drop" reason="Mail detected as OUTBOUND PROBABLE SPAM." src_domainname="postman.local" dst_domainname="" src_ip=10.198.17.127 src_country_code=R1 dst_ip=10.198.77.7 dst_country_code=R1 protocol="TCP" src_port=58777 dst_port=25 sent_bytes=0 recv_bytes=0 quarantine_reason="Spam"
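The parser below is an added example, not RocketCyber's or Sophos' own code, showing how a line in this format is taken apart and how the parsed fields feed the kind of check described under "Internal compromise check" above: an RFC 1918 source address sending outbound spam is an internal host acting like a spambot. The first sample line is the page's example; the other two lines, the Inbound/Outbound prefix test on log_subtype, and the function names are constructed assumptions for illustration. The leading <134> is decoded as a standard syslog PRI (facility * 8 + severity).

```python
import ipaddress
import re
from collections import Counter

# Constructed sample batch. Line 1 is the page's example; lines 2 and 3 are
# made up here: a second outbound spam event from the same internal host and
# an inbound event from an external (documentation-range) source.
SAMPLE_LOGS = [
    '<134>device="SFW" date=2018-06-06 time=11:10:11 timezone="IST" device_name="ROCY02" '
    'device_id=S4777776149EE49 log_id=041114477777 log_type="Anti-Spam" log_component="SMTP" '
    'log_subtype="Outbound Probable Spam" status="" priority=Warning fw_rule_id=0 user_name="" '
    'av_policy_name="rule 8" from_email_address="test@postman.local" to_email_address="test@Postman.local" '
    'email_subject="RPD Spam test: Bulk" mailid="<c63b1eb2-1c17-7777-fcc3-20e8831dc3d3@postman.local>" '
    'mailsize=439 spamaction="Drop" reason="Mail detected as OUTBOUND PROBABLE SPAM." '
    'src_domainname="postman.local" dst_domainname="" src_ip=10.198.17.127 src_country_code=R1 '
    'dst_ip=10.198.77.7 dst_country_code=R1 protocol="TCP" src_port=58777 dst_port=25 '
    'sent_bytes=0 recv_bytes=0 quarantine_reason="Spam"',
    # constructed
    '<134>device="SFW" date=2018-06-06 time=11:12:40 timezone="IST" device_name="ROCY02" '
    'log_type="Anti-Spam" log_component="SMTP" log_subtype="Outbound Probable Spam" '
    'email_subject="Cheap offers" mailid="<constructed-2@postman.local>" spamaction="Drop" '
    'src_ip=10.198.17.127 dst_ip=10.198.77.7 protocol="TCP" src_port=58790 dst_port=25',
    # constructed
    '<134>device="SFW" date=2018-06-06 time=11:15:02 timezone="IST" device_name="ROCY02" '
    'log_type="Anti-Spam" log_component="SMTP" log_subtype="Inbound Probable Spam" '
    'email_subject="Invoice attached" mailid="<constructed-3@example.net>" spamaction="Drop" '
    'src_ip=203.0.113.5 dst_ip=10.198.77.7 protocol="TCP" src_port=41000 dst_port=25',
]

PRI_RE = re.compile(r"^<(\d{1,3})>")
# key=value where the value is either "double quoted, may contain spaces" or bare up to the next space
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S*))')

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_sophos_line(line: str) -> dict:
    """Parse one Sophos space-separated key=value line into a dict.

    A leading <PRI> is decoded into syslog_facility / syslog_severity
    (PRI = facility * 8 + severity). Empty quoted values ("") are kept as
    empty strings so the caller can distinguish "present but empty" from absent.
    """
    fields = {}
    m = PRI_RE.match(line)
    if m:
        pri = int(m.group(1))
        fields["syslog_facility"] = pri // 8
        fields["syslog_severity"] = pri % 8
        line = line[m.end():]
    for m in KV_RE.finditer(line):
        key, quoted, bare = m.groups()
        fields[key] = quoted if quoted is not None else bare
    return fields


def is_rfc1918(ip: str) -> bool:
    """True only for private-use (RFC 1918) addresses; anything unparsable is not internal."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in RFC1918)


def looks_like_internal_spambot(event: dict) -> bool:
    """Outbound anti-spam hit whose source is an internal address.

    Assumption (not from the page): outbound subtypes start with "Outbound",
    as in the page's "Outbound Probable Spam".
    """
    return (
        event.get("log_type") == "Anti-Spam"
        and event.get("log_subtype", "").startswith("Outbound")
        and is_rfc1918(event.get("src_ip", ""))
    )


def spambot_sources(lines) -> Counter:
    """Count outbound-spam events per internal source IP across a batch of lines."""
    counts = Counter()
    for line in lines:
        ev = parse_sophos_line(line)
        if looks_like_internal_spambot(ev):
            counts[ev["src_ip"]] += 1
    return counts


if __name__ == "__main__":
    for ip, n in spambot_sources(SAMPLE_LOGS).items():
        print(f"internal host {ip} generated {n} outbound spam event(s)")
```

Running the block reports only 10.198.17.127; the inbound event from 203.0.113.5 is ignored because the source is external, which is the distinction the high-confidence internal compromise check is drawing.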