IPS Exception question
Hi Checkmates,
I recently enabled IPS in detect mode to make sure that I have all false positives removed before enabling in prevent mode.
One of the false positives is coming from a monitoring system, that I want to create an exception for.
The monitoring system detects "Brute force scanning of CIFS ports".
I tried to create a global exception for this:
Protected scope: Monitoring system IP address
Source: Monitoring system IP address
Destination: Any
Protection: "Brute Force scanning of CIFS ports"
Services: microsoft-ds (tcp/445)
Action: inactive
Track: log
I am wondering what is wrong with this global exception as I still see this protection being detected in the log files.
Any help is really appreciated.
Few questions:
- Based on the rule you're creating, it sounds like R80.10 Management. What version on the gateway in question?
- Did you push policy after making this change? (If R80.10+ Gateway, push Threat Prevention policy, for R77.30 and earlier, Access policy)
- Just to clarify, are you seeing "Prevent" logs or just "Detect" logs after making changes?
Hi Dameon,
Thanks for the quick reply.
Both Mgmt and gateway are R80.10. Policy was installed after the exception was created.
IPS Blade is completely in detect mode at the moment. No protections are prevented.
So I created a new Profile enabling IPS and AntiBot, with everything set to detect.
Even with the exception it is showing in the logs as detect:
Thanks,
Jan
Protected Scope refers to that which an "attack" is directed.
Since you're wanting to create an exception just for packets from your monitoring system IP, I would set the Protected Scope to "any."
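As an added illustration (not code from this thread or from Check Point), here is a small Python model of how the exception columns in the original post are matched against an IPS event, following the description above that Protected Scope is the host the attack is directed at, i.e. the event's destination. The addresses (10.0.0.5 as the monitoring host, 10.0.1.0/24 as the scanned servers), the service label "tcp/445" and the `evaluate` helper are constructed for the example; the real gateway matching logic is Check Point's and more involved, so this only shows why a Protected Scope of the scanning host cannot match outbound scans from it.

```python
"""Model of Threat Prevention exception matching (added example, not Check Point code).

Assumption modelled here: Protected Scope is compared against the attacked host,
which for a scan is the destination of the flow; Source/Destination/Service/
Protection are compared as ordinary columns.  Addresses are constructed.
"""
from dataclasses import dataclass
import ipaddress

ANY = "any"


def _contains(scope: str, ip: str) -> bool:
    """True if `ip` is covered by `scope`: the literal "any", a host IP or a CIDR."""
    if scope == ANY:
        return True
    return ipaddress.ip_address(ip) in ipaddress.ip_network(scope, strict=False)


@dataclass(frozen=True)
class Event:
    """One IPS log entry (constructed fields)."""
    src: str
    dst: str
    service: str       # e.g. "tcp/445"
    protection: str


@dataclass(frozen=True)
class ThreatException:
    """The columns of the exception rule as listed in the thread."""
    name: str
    protected_scope: str
    source: str
    destination: str
    service: str
    protection: str
    action: str = "inactive"
    track: str = "log"

    def matches(self, ev: Event) -> bool:
        # Protected Scope is checked against the attacked host (ev.dst) here;
        # this is the assumption the example is built on.
        return (
            self.protection.lower() == ev.protection.lower()
            and self.service in (ANY, ev.service)
            and _contains(self.source, ev.src)
            and _contains(self.destination, ev.dst)
            and _contains(self.protected_scope, ev.dst)
        )


@dataclass(frozen=True)
class Verdict:
    action: str        # "inactive" from an exception, or the profile action
    logged: bool       # whether a log entry is produced
    rule: str          # name of the matching exception, or "profile"


def evaluate(ev: Event, exceptions, profile_action: str = "detect") -> Verdict:
    """First matching exception wins; otherwise the profile action applies and is logged."""
    for exc in exceptions:
        if exc.matches(ev):
            return Verdict(exc.action, exc.track == "log", exc.name)
    return Verdict(profile_action, True, "profile")


MONITOR = "10.0.0.5"                       # constructed monitoring-system address
PROT = "Brute Force Scanning of CIFS Ports"

# Exception as first configured: Protected Scope = the monitoring host itself.
ORIGINAL = ThreatException("orig", MONITOR, MONITOR, ANY, "tcp/445", PROT)
# Exception with Protected Scope widened to "any", source still pinned to the host.
WIDENED = ThreatException("fixed", ANY, MONITOR, ANY, "tcp/445", PROT)


def demo():
    scan = Event(MONITOR, "10.0.1.20", "tcp/445", PROT)      # monitor scanning a server
    reverse = Event("10.0.1.20", MONITOR, "tcp/445", PROT)   # someone scanning the monitor
    return {
        "original": evaluate(scan, [ORIGINAL]),   # scope 10.0.0.5 != dst 10.0.1.20 -> profile
        "widened": evaluate(scan, [WIDENED]),     # matches, action inactive, still logged
        "reverse": evaluate(reverse, [WIDENED]),  # source column excludes it -> still detected
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:9s} action={verdict.action:8s} logged={verdict.logged} rule={verdict.rule}")
```

The third case is the one to keep in mind when widening Protected Scope: because Source stays pinned to the monitoring host, a scan aimed at that host is still handled by the profile, so the exception does not blind the IPS to attacks against the monitor itself.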
Ah. That might be where I am wrong.
Thanks. I'll try that and see how that goes.
And does it work now as expected ?
Günther W. Albrecht wrote:
And does it work now as expected ?
Sorry, I was a bit distracted from this.
Unfortunately not. I read this in an older document:
Adding Network Exceptions
You can configure exceptions for a protection with the Prevent action, so that it does not identify the specified traffic. These are some situations where it is helpful to use exceptions:
Maybe exceptions don't work when the protection is set to "Detect"?
Does anybody know?
More on this. When I look at the logging it recognizes that the log is coming from an exception rule.
When I am in the details of the log and click on the Rule ID, it goes straight to the exception rule, and also when I try to create an exception out of the log details -> Add exception, I get the error: "can't add exception rule for log generated from exception rule".
So maybe I have to wait and see what happens if I put IPS in prevent mode and keep an eye on this specific protection. I was hoping to get all/most false positives removed before putting IPS in Prevent mode.
Are you using the global "all protections set to detect" option or are you using a profile where the action for all signatures is set to detect?
IPS activation mode on the cluster is set to "Detect Only". Besides that all protections are also set to "Detect".
Company doesn't allow me to take any risks with broken communication.
Fact is that IPS protections set to detect will need much more resources, as IPS will not stop after detect but also try to match any other IPS protection left. Set to protect, IPS will just act on the packet and do no more matching. To sum it up, detect is a good mode after deploying to get an overview, but makes no sense in production.
Thanks Gunther,
Protections will be set to Prevent eventually, we just deployed it and I want to make sure that no production is interrupted when set to detect, so I want to get all (if possible) false positives identified before I go to prevent.
Thanks for all the help. I think I have a reasonable idea how to attack this.
Jan
See if you can do the following:
It won't prevent the "detection" but it will suppress the logging.
Thanks Dameon,
That might do it. I now have created a custom query: blade:(Anti-Bot OR IPS) NOT "Brute Force Scanning of CIFS Ports" that does basically the same; however, if needed I still have the logs for other servers that may be involved in an attack.
If I ignore logs for this signature completely, then I lose the logs that I might need for forensics.
Jan
