Identifying IPS signatures being hit

Here are some logs of IPS signatures being blocked or detected.  I'd like to allow them.

How is one supposed to find which signature is actually being tripped?

Date / Time Signatures Drop username LocalIP :TCP(54850) RemoteIP :TCP(8080) 20
Date / Time Signatures Drop - LocalIP :GRE(0) RemoteIP :GRE(0) 293
Date / Time Signatures Detect username RemoteIP :TCP(8080) LocalIP :TCP(50775) 1060130022
Date / Time Signatures Detect username RemoteIP :TCP(8080) LocalIP :TCP(50764) 1120625011


I built a new rule modeling it off the LAN to WAN.  I can't search for 20, 8080, GRE, 293, 1060130022 or 1120625011 and get a hit that makes sense.  GRE returns values such as Greetings or Postgresql.  293 returns nothing.  20 has 900+ results dealing with CVEs, 1060130022 nothing, etc.

Outside of turning off IPS how is one supposed to tune this?
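One way to work out which signatures are being hit before touching any policy is to tally the log export by its trailing number. The script below is an added example, not code from the original post or from Sophos. It assumes that the last integer on each "Signatures" line is the IPS signature ID, that the local side of the connection lives in 10.0.0.0/8 (both assumptions, adjust for your site), and it runs over a few constructed log lines in the same shape as the ones pasted above, with one unrelated line thrown in to show that non-matching entries are counted rather than silently dropped.

```python
"""Tally IPS signature hits from XG-style "Signatures" log lines before building exceptions."""
import ipaddress
import re
from collections import defaultdict

# Assumption: the local side of each connection sits in this range.
LOCAL_NET = ipaddress.ip_network("10.0.0.0/8")

# Assumption: the trailing integer on a "Signatures" line is the IPS signature ID.
LINE_RE = re.compile(
    r"^(?P<ts>\S+\s+\S+)\s+Signatures\s+(?P<action>Drop|Detect)\s+(?P<user>\S+)\s+"
    r"(?P<src>\S+?)\s*:(?P<sproto>[A-Za-z]+)\((?P<sport>\d+)\)\s+"
    r"(?P<dst>\S+?)\s*:(?P<dproto>[A-Za-z]+)\((?P<dport>\d+)\)\s+(?P<sig>\d+)\s*$"
)

# Constructed sample in the shape of the export in the post above (not real logs).
SAMPLE_LOG = """\
2020-01-01 10:00:00 Signatures Drop jdoe 10.0.0.5:TCP(54850) 203.0.113.9:TCP(8080) 20
2020-01-01 10:00:01 Signatures Drop - 10.0.0.1:GRE(0) 203.0.113.9:GRE(0) 293
2020-01-01 10:00:02 Signatures Detect jdoe 203.0.113.9:TCP(8080) 10.0.0.5:TCP(50775) 1060130022
2020-01-01 10:00:03 Signatures Detect jdoe 203.0.113.9:TCP(8080) 10.0.0.5:TCP(50764) 1120625011
2020-01-01 10:00:04 Signatures Drop jdoe 10.0.0.5:TCP(54851) 203.0.113.9:TCP(8080) 20
2020-01-01 10:00:05 Some other log entry that is not an IPS signature hit
"""


def parse_line(line, local_net=LOCAL_NET):
    """Return a dict for one signature hit, or None if the line is not one."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    try:
        src_local = ipaddress.ip_address(rec["src"]) in local_net
    except ValueError:
        src_local = False
    rec["direction"] = "outbound" if src_local else "inbound"
    # The service worth tuning on is the remote side's port: the destination
    # port for outbound hits, the source port for inbound hits. The local
    # ephemeral port changes every connection and is useless for an exception.
    if rec["direction"] == "outbound":
        rec["service"] = f'{rec["dproto"].upper()}/{rec["dport"]}'
    else:
        rec["service"] = f'{rec["sproto"].upper()}/{rec["sport"]}'
    return rec


def summarize(log_text, local_net=LOCAL_NET):
    """Group hits by signature ID with per-action counts, services, directions and users.

    Returns (summary, skipped) where skipped counts lines that did not parse.
    """
    summary = defaultdict(lambda: {"Drop": 0, "Detect": 0,
                                   "services": set(), "directions": set(), "users": set()})
    skipped = 0
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line, local_net)
        if rec is None:
            skipped += 1
            continue
        entry = summary[rec["sig"]]
        entry[rec["action"]] += 1
        entry["services"].add(rec["service"])
        entry["directions"].add(rec["direction"])
        if rec["user"] != "-":          # "-" means no authenticated user on the flow
            entry["users"].add(rec["user"])
    return dict(summary), skipped


def report(summary):
    """One line per signature ID, busiest first, ready to paste into a policy search."""
    lines = []
    for sig, e in sorted(summary.items(), key=lambda kv: -(kv[1]["Drop"] + kv[1]["Detect"])):
        lines.append(
            f'sig {sig:>11}  drop={e["Drop"]:<3} detect={e["Detect"]:<3} '
            f'services={",".join(sorted(e["services"]))} '
            f'direction={",".join(sorted(e["directions"]))} '
            f'users={",".join(sorted(e["users"])) or "-"}'
        )
    return lines


if __name__ == "__main__":
    summary, skipped = summarize(SAMPLE_LOG)
    print("\n".join(report(summary)))
    print(f"unparsed lines: {skipped}")
```

Run it against a real export of the IPS log (one line per hit) and the signature IDs in the first column are what to look up under the IPS policy, together with the service and direction each one was seen on, so the exception can be scoped to that traffic rather than to the whole signature.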



  • Hi,

    To check and rectify the large number of IPS attacks on the XG appliance, verify which signatures are dropped in the IPS logs and which IPS policy is applied in the firewall rule handling the specified VLAN services.

    Next, you can navigate to the IPS settings from the following path:

    • Objects
    • Policies
    • Intrusion Prevention

    Click on the Selected IPS Policy.

    Here, you can Allow the dropped Signatures. If you are using a default policy then you can create a new IPS Policy to allow the dropped Signature.

  • Just a little clarification: if I am using a default policy like (General Policy) and I add an IPS policy rule that allows the dropped signature and put it at the top, is that OK?

    What are the advantages of not using the default policy with just one exception, and instead creating a new IPS policy like the default but with the exception inside?

  • Yes, any firewall rule positioned on the TOP will take the priority in the IP tables and filtering. A separate IPS policy with exceptions defined will be all that you need.

    Cheers

  • Sorry Sachin a last doubt.

    So in the separate IPS policy there should be only the IPS policy rules with the exceptions, and not also a copy of the general policy?

    I mean a new policy with only one rule (the exception), without all that are "recommended" inside the "general policy"?

    I would like all the recommended rules of the "General Policy" and the exception.

    Currently the "General Policy" works with 2 rules: the default one and, at the top, just the exclusion. Is it the same?
