topic Re: IPS Exception question in Firewall and Security Management

IPS Exception question

Jan_de_Gier — Sun, 11 Mar 2018 22:21:26 GMT

Hi Checkmates,

I recently enabled IPS in detect mode to make sure that I have all false positives removed before enabling in prevent mode.

One of the false positives is coming from a monitoring system, that I want to create an exception for.

The monitoring system detects "Brute force scanning of CIFS ports".

I tried to create a global exception for this:

Protected scope: Monitoring system IP address

Source: Monitoring system IP address

Destination: Any

Protection: "Brute Force scanning of CIFS ports"

Services" microsoft-ds (tcp/445)

Action: inactive

Track: log

I am wondering what is wrong with this global exception as I still see this protection being detected in the log files.

Any help is really appreciated.

Re: IPS Exception question

PhoneBoy — Sun, 11 Mar 2018 23:33:13 GMT

Few questions:

Based on the rule you're creating, it sounds like R80.10 Management. What version on the gateway in question?
Did you push policy after making this change? (If R80.10+ Gateway, push Threat Prevention policy, for R77.30 and earlier, Access policy)
Just to clarify, are you seeing "Prevent" logs or just "Detect" logs after making changes?

Re: IPS Exception question

Jan_de_Gier — Sun, 11 Mar 2018 23:53:36 GMT

Hi Dameon,

Thanks for the quick reply.

Both Mgmt and gateway are R80.10. Policy was installed after the exception was created.

IPS Blade is completely in detect mode at the moment. No protections are prevented.

So I created a new Profile enabling IPS and AntiBot, with everything set to detect.

Even with the exception it is showing in the logs as detect:

Thanks,

Jan

Re: IPS Exception question

PhoneBoy — Mon, 12 Mar 2018 00:20:46 GMT

Protected Scope refers to that which an "attack" is directed.

Since you're wanting to create an exception just for packets from your monitoring system IP, I would set the Protected Scope to "any."

Re: IPS Exception question

Jan_de_Gier — Mon, 12 Mar 2018 01:41:25 GMT

Ah. That might be where I am wrong.

Thanks. I'll try that and see how that goes.

Re: IPS Exception question

G_W_Albrecht — Thu, 15 Mar 2018 11:52:46 GMT

And does it work now as expected ?

Re: IPS Exception question

Jan_de_Gier — Thu, 15 Mar 2018 22:08:56 GMT

Günther W. Albrecht wrote:
And does it work now as expected ?

Sorry, I was a bit distracted from this.

Unfortunately not. I read this in an older document:

Adding Network Exceptions

You can configure exceptions for a protection with the Prevent action, so that it does not identify the specified traffic. These are some situations where it is helpful to use exceptions:

Maybe exceptions don't work when the protection is set to "Detect"?

Does anybody know?

Re: IPS Exception question

Jan_de_Gier — Thu, 15 Mar 2018 22:15:56 GMT

More on this. When I look at the logging it recognizes that the log is coming from an exception rule.

When I am in the details of the log and Click on the RuleID, it goes straight to the Exception rule and also when I try to create an exception out of the log details -> Add exception I get the error: "can't add exception rule for log generated from exception rule"

So maybe I have to wait and see what happens if I put IPS in prevent mode and keep an eye on this specific protection. I was hoping to get all/most false positives removed before putting IPS in Prevent mode.

Re: IPS Exception question

PhoneBoy — Thu, 15 Mar 2018 22:17:27 GMT

Are you using the global "all protections set to detect" option or are you using a profile where the action for all signatures is set to detect?

Re: IPS Exception question

Jan_de_Gier — Thu, 15 Mar 2018 22:35:35 GMT

IPS activation mode on the cluster is set to "Detect Only". Besides that all protections are also set to "Detect".

Company doesn't allow me to take any risks with broken communication

Re: IPS Exception question

G_W_Albrecht — Wed, 21 Mar 2018 12:59:22 GMT

Fact is that IPS protections set to detect will need much more ressources - as IPS will not stop after detect but also try to match any other IPS protection left. Set to protect, IPS will just act on the packet and do no more matching. To sum it up, detect is a good mode after deploying to get an overview but makes no sense in production.

Re: IPS Exception question

Jan_de_Gier — Wed, 21 Mar 2018 21:44:45 GMT

Thanks Gunther,

Protections will be set to Prevent eventually, we just deployed it and I want to make sure that no production is interrupted when set to detect, so I want to get all (if possible) false positives identified before I go to prevent.

Thanks for all the help. I think I have a reasonable idea how to attack this.

Jan

Re: IPS Exception question

PhoneBoy — Fri, 23 Mar 2018 13:24:54 GMT

See if you can do the following:

It won't prevent the "detection" but it will suppress the logging.

Re: IPS Exception question

Jan_de_Gier — Mon, 26 Mar 2018 02:41:19 GMT

Thanks Dameon,

That might do it. I now have created a custom query: blade:(Anti-Bot OR IPS) NOT "Brute Force Scanning of CIFS Ports" that does basically the same, however if needed I still have the logs for other servers that may be involved in an attack.

If I ignore logs for this signature complete, than I lose the logs that I might need for forensics.

Jan