Re: IPS Exception question

Jan_de_Gier · ‎2018-03-11

Hi Checkmates,

I recently enabled IPS in detect mode to make sure that I have all false positives removed before enabling in prevent mode.

One of the false positives is coming from a monitoring system, that I want to create an exception for.

The monitoring system detects "Brute force scanning of CIFS ports".

I tried to create a global exception for this:

Protected scope: Monitoring system IP address

Source: Monitoring system IP address

Destination: Any

Protection: "Brute Force scanning of CIFS ports"

Services" microsoft-ds (tcp/445)

Action: inactive

Track: log

I am wondering what is wrong with this global exception as I still see this protection being detected in the log files.

Any help is really appreciated.

PhoneBoy · ‎2018-03-11

Few questions:

Based on the rule you're creating, it sounds like R80.10 Management. What version on the gateway in question?
Did you push policy after making this change? (If R80.10+ Gateway, push Threat Prevention policy, for R77.30 and earlier, Access policy)
Just to clarify, are you seeing "Prevent" logs or just "Detect" logs after making changes?

Jan_de_Gier · ‎2018-03-11

Hi Dameon,

Thanks for the quick reply.

Both Mgmt and gateway are R80.10. Policy was installed after the exception was created.

IPS Blade is completely in detect mode at the moment. No protections are prevented.

So I created a new Profile enabling IPS and AntiBot, with everything set to detect.

Even with the exception it is showing in the logs as detect:

Thanks,

Jan

PhoneBoy · ‎2018-03-11

Protected Scope refers to that which an "attack" is directed.

Since you're wanting to create an exception just for packets from your monitoring system IP, I would set the Protected Scope to "any."

Jan_de_Gier · ‎2018-03-11

Ah. That might be where I am wrong.

Thanks. I'll try that and see how that goes.

G_W_Albrecht · ‎2018-03-15

And does it work now as expected ?

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist

Jan_de_Gier · ‎2018-03-15

Günther W. Albrecht wrote:
And does it work now as expected ?

Sorry, I was a bit distracted from this.

Unfortunately not. I read this in an older document:

Adding Network Exceptions

You can configure exceptions for a protection with the Prevent action, so that it does not identify the specified traffic. These are some situations where it is helpful to use exceptions:

Maybe exceptions don't work when the protection is set to "Detect"?

Does anybody know?

Jan_de_Gier · ‎2018-03-15

More on this. When I look at the logging it recognizes that the log is coming from an exception rule.

When I am in the details of the log and Click on the RuleID, it goes straight to the Exception rule and also when I try to create an exception out of the log details -> Add exception I get the error: "can't add exception rule for log generated from exception rule"

So maybe I have to wait and see what happens if I put IPS in prevent mode and keep an eye on this specific protection. I was hoping to get all/most false positives removed before putting IPS in Prevent mode.

PhoneBoy · ‎2018-03-15

Are you using the global "all protections set to detect" option or are you using a profile where the action for all signatures is set to detect?

Jan_de_Gier · ‎2018-03-15

IPS activation mode on the cluster is set to "Detect Only". Besides that all protections are also set to "Detect".

Company doesn't allow me to take any risks with broken communication

G_W_Albrecht · ‎2018-03-21

Fact is that IPS protections set to detect will need much more ressources - as IPS will not stop after detect but also try to match any other IPS protection left. Set to protect, IPS will just act on the packet and do no more matching. To sum it up, detect is a good mode after deploying to get an overview but makes no sense in production.

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist

Jan_de_Gier · ‎2018-03-21

Thanks Gunther,

Protections will be set to Prevent eventually, we just deployed it and I want to make sure that no production is interrupted when set to detect, so I want to get all (if possible) false positives identified before I go to prevent.

Thanks for all the help. I think I have a reasonable idea how to attack this.

Jan

PhoneBoy · ‎2018-03-23

See if you can do the following:

It won't prevent the "detection" but it will suppress the logging.

Jan_de_Gier · ‎2018-03-25

Thanks Dameon,

That might do it. I now have created a custom query: blade:(Anti-Bot OR IPS) NOT "Brute Force Scanning of CIFS Ports" that does basically the same, however if needed I still have the logs for other servers that may be involved in an attack.

If I ignore logs for this signature complete, than I lose the logs that I might need for forensics.

Jan

Are you a member of CheckMates?

IPS Exception question

Adding Network Exceptions