Protected Scope refers to that which an "attack" is directed.

Since you're wanting to create an exception just for packets from your monitoring system IP, I would set the Protected Scope to "any."

Ah. That might be where I am wrong.

Thanks. I'll try that and see how that goes.

And does it work now as expected ?

Günther W. Albrecht wrote:

And does it work now as expected ?

Sorry, I was a bit distracted from this.

Unfortunately not. I read this in an older document:

Adding Network Exceptions

You can configure exceptions for a protection with the Prevent action, so that it does not identify the specified traffic. These are some situations where it is helpful to use exceptions:

Maybe exceptions don't work when the protection is set to "Detect"?

Does anybody know?

More on this. When I look at the logging it recognizes that the log is coming from an exception rule.

When I am in the details of the log and Click on the RuleID, it goes straight to the Exception rule and also when I try to create an exception out of the log details -> Add exception I get the error: "can't add exception rule for log generated from exception rule"

So maybe I have to wait and see what happens if I put IPS in prevent mode and keep an eye on this specific protection. I was hoping to get all/most false positives removed before putting IPS in Prevent mode. 

Are you using the global "all protections set to detect" option or are you using a profile where the action for all signatures is set to detect?

IPS activation mode on the cluster is set to "Detect Only". Besides that all protections are also set to "Detect".

Company doesn't allow me to take any risks with broken communication

Fact is that IPS protections set to detect will need much more ressources - as IPS will not stop after detect but also try to match any other IPS protection left. Set to protect, IPS will just act on the packet and do no more matching. To sum it up, detect is a good mode after deploying to get an overview but makes no sense in production.

Thanks Gunther,

Protections will be set to Prevent eventually, we just deployed it and I want to make sure that no production is interrupted when set to detect, so I want to get all (if possible) false positives identified before I go to prevent.

Thanks for all the help. I think I have a reasonable idea how to attack this.

Jan

Thanks Dameon,

That might do it. I now have created a custom query: blade:(Anti-Bot OR IPS) NOT "Brute Force Scanning of CIFS Ports" that does basically the same, however if needed I still have the logs for other servers that may be involved in an attack.

If I ignore logs for this signature complete, than I lose the logs that I might need for forensics.

Jan