Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
Jan_de_Gier
Participant

IPS Exception question

Hi Checkmates,

I recently enabled IPS in detect mode to make sure that I have all false positives removed before enabling in prevent mode.

One of the false positives is coming from a monitoring system, that I want to create an exception for.

The monitoring system detects "Brute force scanning of CIFS ports".

I tried to create a global exception for this:

Protected scope: Monitoring system IP address

Source: Monitoring system IP address

Destination: Any

Protection: "Brute Force scanning of CIFS ports"

Services" microsoft-ds (tcp/445)

Action: inactive

Track: log

I am wondering what is wrong with this global exception as I still see this protection being detected in the log files.

Any help is really appreciated.

0 Kudos
13 Replies
PhoneBoy
Admin
Admin

Few questions:

  • Based on the rule you're creating, it sounds like R80.10 Management. What version on the gateway in question?
  • Did you push policy after making this change? (If R80.10+ Gateway, push Threat Prevention policy, for R77.30 and earlier, Access policy)
  • Just to clarify, are you seeing "Prevent" logs or just "Detect" logs after making changes?
0 Kudos
Jan_de_Gier
Participant

Hi Dameon,

Thanks for the quick reply. 

Both Mgmt and gateway are R80.10.  Policy was installed after the exception was created.

IPS Blade is completely in detect mode at the moment. No protections are prevented.

So I created a new Profile enabling IPS and AntiBot, with everything set to detect.

Even with the exception it is showing in the logs as detect:

Log entryThreat prevention policyGlobal exception

Thanks,

Jan

0 Kudos
PhoneBoy
Admin
Admin

Protected Scope refers to that which an "attack" is directed.

Since you're wanting to create an exception just for packets from your monitoring system IP, I would set the Protected Scope to "any."

Jan_de_Gier
Participant

Ah. That might be where I am wrong.

Thanks. I'll try that and see how that goes.

0 Kudos
G_W_Albrecht
Legend
Legend

And does it work now as expected ?

CCSE CCTE CCSM SMB Specialist
0 Kudos
Jan_de_Gier
Participant

Günther W. Albrecht wrote:

And does it work now as expected ?

Sorry, I was a bit distracted from this.

Unfortunately not. I read this in an older document:

Adding Network Exceptions

You can configure exceptions for a protection with the Prevent action, so that it does not identify the specified traffic. These are some situations where it is helpful to use exceptions:

Maybe exceptions don't work when the protection is set to "Detect"?

Does anybody know?

0 Kudos
Jan_de_Gier
Participant

More on this. When I look at the logging it recognizes that the log is coming from an exception rule.

When I am in the details of the log and Click on the RuleID, it goes straight to the Exception rule and also when I try to create an exception out of the log details -> Add exception I get the error: "can't add exception rule for log generated from exception rule"

So maybe I have to wait and see what happens if I put IPS in prevent mode and keep an eye on this specific protection. I was hoping to get all/most false positives removed before putting IPS in Prevent mode. 

0 Kudos
PhoneBoy
Admin
Admin

Are you using the global "all protections set to detect" option or are you using a profile where the action for all signatures is set to detect?

0 Kudos
Jan_de_Gier
Participant

IPS activation mode on the cluster is set to "Detect Only". Besides that all protections are also set to "Detect".

Company doesn't allow me to take any risks with broken communication Smiley Happy

0 Kudos
G_W_Albrecht
Legend
Legend

Fact is that IPS protections set to detect will need much more ressources - as IPS will not stop after detect but also try to match any other IPS protection left. Set to protect, IPS will just act on the packet and do no more matching. To sum it up, detect is a good mode after deploying to get an overview but makes no sense in production.

CCSE CCTE CCSM SMB Specialist
0 Kudos
Jan_de_Gier
Participant

Thanks Gunther,

Protections will be set to Prevent eventually, we just deployed it and I want to make sure that no production is interrupted when set to detect, so I want to get all (if possible) false positives identified before I go to prevent.

Thanks for all the help. I think I have a reasonable idea how to attack this.

Jan

0 Kudos
PhoneBoy
Admin
Admin

See if you can do the following:

It won't prevent the "detection" but it will suppress the logging. Smiley Happy

0 Kudos
Jan_de_Gier
Participant

Thanks Dameon,

That might do it. I now have created a custom query: blade:(Anti-Bot OR IPS) NOT "Brute Force Scanning of CIFS Ports" that does basically the same, however if needed I still have the logs for other servers that may be involved in an attack.

If I ignore logs for this signature complete, than I lose the logs that I might need for forensics.

Jan

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

Upcoming Events

    CheckMates Events