Need feedback about a Kerio Control rule that's blocking the web, domain, even the application

Can anyone explain why I am getting this log when trying to use Zoom? None of the options work when I want to switch off this rule. Any idea?
[27/Apr/2023 23:57:28] IPS: Packet drop, severity: Blacklist, Rule ID: 1:2400016 ET DROP Spamhaus DROP Listed Traffic Inbound group 17, proto:TCP, ip/port:192…IP:62998 → 170.114.52.2:443

Hello @RasmusMAG!

These rules are created from Spamhaus “DROP” list information. ET simply takes the list and provides it in Snort/Suricata format for use by the community within IDS solutions.

The details and the actual list of network ranges can be found here: DROP - Don't Route or Peer lists - The Spamhaus Project

Based on your feedback, it would appear that at one point the IP address in question was contained within a network which was included in the Spamhaus list.

I do not currently see an IP network range matching the IP address in question (170.114.52[.]2) in either the Spamhaus list or the ET ruleset (https://rules.emergingthreats.net/open/suricata-5.0/rules/drop.rules).

It looks like it might be worth, at the very least, updating the ET ruleset to ensure you have the latest revision of the rules.

As far as how to disable the rule, this is a function of the ruleset manager you are using. Are you able to share which ruleset manager you are using? I might be able to point you to the correct documentation on disabling rules within whichever manager you are using.

1 Like
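The reply above explains that the ET DROP rules are a Snort/Suricata rendering of the Spamhaus DROP list and suggests checking whether the address is still listed. The following is an added example written for this thread, not code from the thread, Kerio, Emerging Threats or Spamhaus: it parses a Kerio IPS packet-drop line of the shape quoted above, loads a DROP list and a drop.rules file, and reports whether either side of the dropped flow is still covered by a listed range. The file contents in the block are constructed samples in the shape of those files; the rule text shown for sid 2400016, the CIDRs in it, and the client address 192.0.2.10 (substituted for the truncated address in the log) are assumptions, not copied from the real feeds.

```python
"""Check whether the addresses in a Kerio IPS drop line are still covered by
the Spamhaus DROP list and by the ET DROP rule that fired.
Added example; not Kerio, Emerging Threats or Spamhaus code. The two feeds
below are constructed samples in the shape of the real files."""
import ipaddress
import re

# Constructed sample of the Spamhaus DROP list layout (entries are made up).
SAMPLE_DROP_LIST = """\
; Spamhaus DROP List - constructed sample, not the real list
; Last-Modified: Fri, 28 Apr 2023 00:00:00 GMT
1.10.16.0/20 ; SBL256894
5.188.10.0/23 ; SBL420280
"""
# Constructed drop.rules samples: an old revision that still lists the Zoom
# range from the thread, and a newer revision that no longer does.
STALE_DROP_RULES = (
    'alert ip [5.188.10.0/23,170.114.52.0/24] any -> $HOME_NET any '
    '(msg:"ET DROP Spamhaus DROP Listed Traffic Inbound group 17"; '
    'classtype:misc-attack; sid:2400016; rev:1;)\n')
CURRENT_DROP_RULES = (
    'alert ip [5.188.10.0/23,1.10.16.0/20] any -> $HOME_NET any '
    '(msg:"ET DROP Spamhaus DROP Listed Traffic Inbound group 17"; '
    'classtype:misc-attack; sid:2400016; rev:2;)\n')
# The thread's log line; the truncated client address is replaced by an
# RFC 5737 documentation address (assumption).
SAMPLE_LOG = (
    "[27/Apr/2023 23:57:28] IPS: Packet drop, severity: Blacklist, "
    "Rule ID: 1:2400016 ET DROP Spamhaus DROP Listed Traffic Inbound group 17, "
    "proto:TCP, ip/port:192.0.2.10:62998 → 170.114.52.2:443")

LOG_RE = re.compile(
    r"IPS: Packet drop, severity: (?P<severity>\w+), Rule ID: (?P<gid>\d+):(?P<sid>\d+) "
    r"(?P<msg>.+?), proto:(?P<proto>\w+), ip/port:(?P<src>\S+) (?:→|->) (?P<dst>\S+)")
RULE_RE = re.compile(
    r"^(?:alert|drop)\s+ip\s+\[([^\]]+)\]\s+\S+\s+->\s+\S+\s+\S+\s+\((.*)\)\s*$")


def parse_kerio_ips_log(line):
    """Return sid, message, protocol and src/dst IPs from a Kerio IPS drop line."""
    m = LOG_RE.search(line)
    if not m:
        return None
    src_ip, _, _ = m["src"].rpartition(":")
    dst_ip, _, dst_port = m["dst"].rpartition(":")
    return {"sid": int(m["sid"]), "msg": m["msg"], "proto": m["proto"],
            "src_ip": src_ip, "dst_ip": dst_ip, "dst_port": int(dst_port)}


def parse_networks(tokens):
    """Parse CIDR strings, skipping negated (!) and malformed entries."""
    nets = []
    for tok in tokens:
        tok = tok.strip()
        if not tok or tok.startswith("!"):
            continue
        try:
            nets.append(ipaddress.ip_network(tok, strict=False))
        except ValueError:
            continue  # one bad line must not abort the whole check
    return nets


def parse_drop_list(text):
    """Spamhaus DROP layout: ';' comment lines, then '<CIDR> ; SBLnnn' per line."""
    nets = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith(";"):
            continue
        cidr, _, sbl = line.partition(";")
        for n in parse_networks([cidr]):
            nets[n] = sbl.strip()
    return nets


def parse_drop_rules(text):
    """Map sid -> (msg, networks) for rules whose source is a bracketed CIDR list."""
    rules = {}
    for line in text.splitlines():
        m = RULE_RE.match(line.strip())
        if not m:
            continue
        addrs, options = m.groups()
        sid = re.search(r"\bsid:\s*(\d+)", options)
        msg = re.search(r'msg:\s*"([^"]*)"', options)
        if sid:
            rules[int(sid.group(1))] = (msg.group(1) if msg else "",
                                        parse_networks(addrs.split(",")))
    return rules


def covering(ip, networks):
    """Networks that contain ip (same IP version only)."""
    addr = ipaddress.ip_address(ip)
    return [n for n in networks if n.version == addr.version and addr in n]


def check_drop_event(log_line, drop_list_text, drop_rules_text):
    """For each side of the dropped flow, list the DROP entries and the networks
    of the rule that fired which still cover it. Empty lists mean the address
    is no longer listed: the block comes from stale rules or from a block that
    outlived the signature."""
    ev = parse_kerio_ips_log(log_line)
    if ev is None:
        raise ValueError("not a Kerio IPS packet-drop line")
    drop = parse_drop_list(drop_list_text)
    msg, rule_nets = parse_drop_rules(drop_rules_text).get(ev["sid"], ("", []))
    report = {"sid": ev["sid"], "rule_msg": msg}
    for side in ("src_ip", "dst_ip"):
        ip = ev[side]
        report[side] = {"ip": ip,
                        "spamhaus": [f"{n} ({drop[n]})" for n in covering(ip, drop)],
                        "rule": [str(n) for n in covering(ip, rule_nets)]}
    return report


if __name__ == "__main__":
    for label, rules in (("stale", STALE_DROP_RULES), ("current", CURRENT_DROP_RULES)):
        print(label, check_drop_event(SAMPLE_LOG, SAMPLE_DROP_LIST, rules))
```

Run against the real feeds by reading the DROP text and drop.rules into the two text arguments. If the destination side reports an empty `rule` list for the sid in the log but the firewall still drops the traffic, the ruleset on the box is older than the one you fetched, or the block is being enforced outside the signature itself.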

Hello
Actually I am not such an expert, but I administer a Kerio Control server in a small office.
When I use Ethernet with this server, where KC version 9.3.6 is installed, nobody can open the zoom.us website or use their application, because it seems like it is blocking the source. Without the server everything is OK.
So I searched and found that it's possible Kerio is blocking some sites; if needed we can add them to a whitelist by checking the logs. I found this log:
[27/Apr/2023 23:57:28] IPS: Packet drop, severity: Blacklist, Rule ID: 1:2400016 ET DROP Spamhaus DROP Listed Traffic Inbound group 17, proto:TCP, ip/port:192…IP:62998 → 170.114.52.2:443
I put this ID in the whitelist and it somehow works to open only zoom.us, but other links for entering Zoom conference rooms or connecting in the app are not working.
That's the rule “Spamhaus DROP Listed Networks” in the “Intrusion Prevention” option of Kerio.
I am using the trial version of Kerio and I am not sure whether that is the cause, like if I used the licensed one then all rule lists and other configuration would work correctly.

I think your best option is going to be contacting Kerio Control for directions on how to resolve this specific issue.

There are two things that come to my mind:

  1. Ensure that rules are getting updated often
  2. Determine how to remove a “block” once the IPS has activated on an IP address.

I mention item 2 because in some cases solutions will put in iptables entries when an alert is detected. That entry could still be blocking traffic even after the IPS signature has been placed on an “ignore” list.

I’m not sure how Kerio Control has implemented the IPS solution, or what options there are within the product to remedy the situation. As such, I believe contacting Kerio is your best option to move forward.