
Identifying IPS signatures being hit

Here are some logs of IPS signatures being blocked or detected.  I'd like to allow them.

How is one supposed to find which signature is actually being tripped?

Date / Time Signatures Drop username LocalIP :TCP(54850) RemoteIP :TCP(8080) 20
Date / Time Signatures Drop - LocalIP :GRE(0) RemoteIP :GRE(0) 293
Date / Time Signatures Detect username RemoteIP :TCP(8080) LocalIP :TCP(50775) 1060130022
Date / Time Signatures Detect username RemoteIP :TCP(8080) LocalIP :TCP(50764) 1120625011


I built a new rule modeling it off the LAN to WAN.  I can't search for 20, 8080, GRE, 293, 1060130022 nor 1120625011 and get a hit that makes sense.  GRE returns values such as Greetings or Postgresql.  293 returns nothing.  20 has 900+ results dealing with CVEs, 1060130022 nothing, etc.

Outside of turning off IPS how is one supposed to tune this?
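Before looking anything up in the IPS policy, it helps to reduce the raw log excerpt above to a per-signature tally. The following parser is an added example, not code from the original post or from Sophos; it assumes the column order shown in the excerpt (timestamp, "Signatures", action, username or "-", local endpoint, remote endpoint) and that the trailing integer on each line is the signature ID to search for in the IPS policy. The sample lines are constructed to match that shape, with placeholder timestamps and RFC 1918 addresses.

```python
import re
from collections import Counter, defaultdict

# Constructed sample lines in the shape of the excerpt from the post
# (placeholder timestamps and private addresses; not real traffic).
SAMPLE_LOG = """\
2020-01-01 10:00:01 Signatures Drop alice 10.0.0.5 :TCP(54850) 192.168.1.20 :TCP(8080) 20
2020-01-01 10:00:02 Signatures Drop - 10.0.0.1 :GRE(0) 192.168.1.1 :GRE(0) 293
2020-01-01 10:00:03 Signatures Detect alice 192.168.1.20 :TCP(8080) 10.0.0.5 :TCP(50775) 1060130022
2020-01-01 10:00:04 Signatures Detect alice 192.168.1.20 :TCP(8080) 10.0.0.5 :TCP(50764) 1120625011
2020-01-01 10:00:05 Signatures Drop alice 10.0.0.5 :TCP(54851) 192.168.1.20 :TCP(8080) 20
this line is not an IPS signature event and must be skipped
"""

# Assumed layout: <timestamp> Signatures <Drop|Detect> <user|-> <ip> :<PROTO>(<port>) <ip> :<PROTO>(<port>) <signature id>
LINE_RE = re.compile(
    r"^(?P<ts>.+?)\s+Signatures\s+(?P<action>Drop|Detect)\s+(?P<user>\S+)\s+"
    r"(?P<src>\S+)\s+:(?P<sproto>[A-Z]+)\((?P<sport>\d+)\)\s+"
    r"(?P<dst>\S+)\s+:(?P<dproto>[A-Z]+)\((?P<dport>\d+)\)\s+(?P<sig>\d+)\s*$"
)


def parse_line(line):
    """Return a dict of fields for one IPS log line, or None if it is not one."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    for k in ("sport", "dport", "sig"):
        ev[k] = int(ev[k])
    # "-" in the username column means no authenticated user was associated.
    ev["user"] = None if ev["user"] == "-" else ev["user"]
    return ev


def summarize(log_text):
    """Group events by (signature id, action) and return rows sorted by hit count.

    Each row records the protocols, ports and users seen, so a reviewer can tell
    an ID that fires once on odd traffic from one firing constantly on a known service.
    """
    counts = Counter()
    detail = defaultdict(lambda: {"protocols": set(), "ports": set(), "users": set()})
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        key = (ev["sig"], ev["action"])
        counts[key] += 1
        detail[key]["protocols"].update({ev["sproto"], ev["dproto"]})
        detail[key]["ports"].update({ev["sport"], ev["dport"]})
        if ev["user"]:
            detail[key]["users"].add(ev["user"])
    return [
        {
            "signature": sig,
            "action": action,
            "count": n,
            "protocols": sorted(detail[(sig, action)]["protocols"]),
            "ports": sorted(detail[(sig, action)]["ports"]),
            "users": sorted(detail[(sig, action)]["users"]),
        }
        for (sig, action), n in counts.most_common()
    ]


def dropped_signature_ids(log_text):
    """Signature IDs that actually blocked traffic; these are the ones to review in the policy."""
    return sorted({row["signature"] for row in summarize(log_text) if row["action"] == "Drop"})


if __name__ == "__main__":
    for row in summarize(SAMPLE_LOG):
        print(f"{row['signature']:>12} {row['action']:<7} x{row['count']:<3} "
              f"{','.join(row['protocols'])} ports={row['ports']} users={row['users']}")
    print("Dropped IDs to review:", dropped_signature_ids(SAMPLE_LOG))
```

The IDs this produces are what to search for in the signature list of the IPS policy attached to the firewall rule, rather than the port numbers or protocol names, which is why searching for 8080 or GRE returned unrelated results. The per-row protocol and port detail also makes it easy to confirm that a Drop really corresponds to the traffic seen in a packet capture before deciding whether to allow that signature.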



Parents
  • Hi,

    To check and rectify the large number of IPS attacks on the XG appliance, verify from the IPS logs which Signatures are Dropped, and which IPS Policy is applied in the Firewall Rule acting for the specified VLAN services.

    Next, you can navigate to the IPS settings from the following path:

    • Objects
    • Policies
    • Intrusion Prevention

    Click on the Selected IPS Policy.

    Here, you can Allow the dropped Signatures. If you are using a default policy then you can create a new IPS Policy to allow the dropped Signature.

  • The root of the question was ignored, where do we go to get the data, and how can we review the data to determine what signature is to be Allowed.

     

    I have a similar situation, and am struggling to identify the signature.

     

    In my case I have a packet capture showing the drop and the Firewall rule due to IPS.

    I have no good information that seems to correlate to the drop in the IPS.log file.

    How can I troubleshoot this to determine the signature causing the drop?
