So, while setting up IPS on the system, I want to *block* the usual badness including scanners, etc.
However, I have regular vulnerability scanning done by US DHS/CISA as part of their Cyber Hygiene program, and they scan regularly. As such, using scanner IPS rules will block them.
I want to define a set of IPS Signatures which will detect the traffic from CISA scanners and, accordingly, permit the packets. However, there are 675 IP addresses (when you expand the CIDR ranges from https://rules.ncats.cyber.dhs.gov/) and if I have to create individual IPS Signatures with "Allow Packet" rules, that will take an eon to do and be painful to address.
Leading to multiple questions:
- For custom IPS rules, can we use CIDR ranges in the srcaddr field for custom sigs?
- If not #1, can we have multiple srcaddr definitions in a single rule?
- If not #1 or #2, is there an API or scriptable interface for XG that I can use to *add* these signatures programmatically en masse?
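Whatever the firewall's answer to the three questions, the preparatory work is the same: pull the published CIDR list, collapse overlapping ranges, and either keep the prefixes as-is (one allow rule per range) or expand them to single addresses (one rule per host). The following Python is an added example, not code from the original post and not Sophos's API; the CIDR list in it is constructed from documentation ranges rather than the real scanner list, and the rule dictionary it emits is a hypothetical generic shape to be mapped onto whatever the IPS's import or API format actually accepts. The `is_trusted_scanner` check shows the prefix-match logic an allow rule should implement, which is also handy for verifying a hit in the IPS log against the list before assuming a scan is hostile.

```python
"""Build an IPS allow-list from scanner CIDR ranges and match source IPs against it.

Added example for the thread above; not from the original post and not Sophos code.
The ranges below are CONSTRUCTED (RFC 5737 documentation space) for illustration.
In production, fetch the current list from https://rules.ncats.cyber.dhs.gov/ instead.
"""
import ipaddress

# Constructed sample allow-list. The fourth entry deliberately sits inside the
# first so the collapse step has something to do.
SCANNER_CIDRS = [
    "192.0.2.0/29",
    "198.51.100.0/28",
    "203.0.113.7/32",
    "192.0.2.4/30",
]


def parse_networks(cidrs):
    """Parse CIDR strings into ip_network objects (strict=False tolerates host bits)."""
    return [ipaddress.ip_network(c, strict=False) for c in cidrs]


def collapse(cidrs):
    """Merge overlapping and adjacent prefixes so no rule is generated twice."""
    return [str(n) for n in ipaddress.collapse_addresses(parse_networks(cidrs))]


def expand_addresses(cidrs):
    """Expand the collapsed ranges to every individual address.

    This is the 'one signature per IP' path the poster wants to avoid; it is here
    so you can see how many rules that path would actually produce.
    """
    return [str(a) for net in parse_networks(collapse(cidrs)) for a in net]


def build_allow_rules(cidrs, rule_prefix="SCANNER-ALLOW"):
    """One allow rule per collapsed prefix, in a hypothetical generic dict format.

    Map the keys onto your IPS's real import/API schema; they are placeholders.
    """
    return [
        {"name": f"{rule_prefix}-{i}", "srcaddr": cidr, "action": "allow"}
        for i, cidr in enumerate(collapse(cidrs), start=1)
    ]


def is_trusted_scanner(src_ip, networks):
    """True if src_ip falls inside any allow-listed prefix (longest-match not needed)."""
    ip = ipaddress.ip_address(src_ip)
    return any(ip in net for net in networks)


if __name__ == "__main__":
    nets = parse_networks(SCANNER_CIDRS)
    print("collapsed:", collapse(SCANNER_CIDRS))
    print("per-host rules needed:", len(expand_addresses(SCANNER_CIDRS)))
    for rule in build_allow_rules(SCANNER_CIDRS):
        print(rule)
    for probe in ("198.51.100.9", "198.51.100.16"):
        print(probe, "trusted" if is_trusted_scanner(probe, nets) else "not in list")
```

Generating one rule per collapsed prefix keeps the rule count equal to the number of published ranges, which is the right target if the IPS accepts CIDR notation in `srcaddr`; the per-host expansion is only the fallback, and the count it prints is the number of signatures the fallback would need.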