
XG Custom IPS Signatures: Proper Syntax/Capabilities/Usage Question

So, while setting up IPS on the system, I want to *block* the usual badness including scanners, etc.

However, I have regular vulnerability scanning done by US DHS/CISA as part of their Cyber Hygiene program, and they scan regularly. As such, using scanner IPS rules will block them.

I want to define a set of IPS Signatures which will detect the traffic from CISA scanners and, accordingly, permit the packets.  However, there are 675 IP addresses (when you expand the CIDR ranges from https://rules.ncats.cyber.dhs.gov/) and if I have to create individual IPS Signatures with "Allow Packet" rules, that will take an eon to do and be painful to address.

Leading to multiple questions:

  1. For custom IPS rules, can we use CIDR ranges in the srcaddr field for custom sigs?
  2. If not #1, can we have multiple srcaddr definitions in a single rule?
  3. If not #1 or #2, is there an API or scriptable interface for XG that I can use to *add* these signatures programmatically en masse?
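As an added example (not from this thread and not Sophos code), the Python below shows what the "expand the CIDR ranges" step actually involves and how far CIDR notation shrinks the list: it parses a constructed range file in the same one-prefix-per-line shape, collapses adjacent prefixes, counts the resulting hosts, checks a logged source address against the set, and emits Snort-syntax pass rules with CIDR sources. Whether the XG custom-signature parser accepts CIDR in that field is exactly question 1 and is assumed here, not confirmed; the prefixes are RFC 5737 documentation ranges, not CISA's.

```python
import ipaddress
from typing import Iterable, List

# Constructed sample in the same plain-text shape as a published scanner
# range list (one prefix or address per line, '#' comments). These are
# RFC 5737 documentation prefixes, not the real CISA ranges.
SAMPLE_RANGES = """
# scanner source ranges (constructed example)
192.0.2.0/25
192.0.2.128/25
198.51.100.0/28
203.0.113.7
"""


def parse_ranges(text: str) -> List[ipaddress.IPv4Network]:
    """Parse one network or address per line, skipping blanks and comments."""
    nets = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            nets.append(ipaddress.ip_network(line, strict=False))
    return nets


def collapse(nets: Iterable[ipaddress.IPv4Network]) -> List[ipaddress.IPv4Network]:
    """Merge adjacent or overlapping prefixes into the minimal set of networks."""
    return list(ipaddress.collapse_addresses(nets))


def host_count(nets: Iterable[ipaddress.IPv4Network]) -> int:
    """How many individual addresses the ranges expand to (the per-IP rule count)."""
    return sum(n.num_addresses for n in collapse(nets))


def is_scanner(ip: str, nets: Iterable[ipaddress.IPv4Network]) -> bool:
    """Membership test for a source address taken from a log line or IPS alert."""
    addr = ipaddress.ip_address(ip)
    return any(addr in n for n in nets)


def snort_pass_rules(nets: Iterable[ipaddress.IPv4Network], base_sid: int = 1000001) -> List[str]:
    """One Snort-syntax 'pass' rule per collapsed prefix. Assumption: the IPS
    accepts CIDR in the source field (Snort does); sids are placeholders."""
    return [
        f'pass ip {n} any -> $HOME_NET any (msg:"Authorized scanner {n}"; sid:{base_sid + i}; rev:1;)'
        for i, n in enumerate(collapse(nets))
    ]
```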

  • Blocking should be done by the firewall, not IPS. 


  • A firewall rule at the top of your firewall list without IPS enabled. You would need to create an FQDN and an FQDN group to ensure you only allow your test sites access to the rule. Make sure you have DDoS settings disabled.

    Ian

    XG115W - v19.5.1 mr-1 - Home

    If a post solves your question please use the 'Verify Answer' button.