Thread Info
  • State Not Answered
  • Locked Locked
  • Replies 4 replies
  • Subscribers 2 subscribers
  • Views 4302 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Attempting to block IP generating portscan and intrusion alerts

mrainey
ASG 220 with 7.201.
A particular IP address has been generating a lot of port scan and intrusion alerts (Message........: WEB-IIS iisadmin access)
It's filling up my inbox so I thought I would just drop all packets from that IP with a pf rule (Source the ip, service, any, destination, internal network) but I am still getting periodic floods of alerts.

Whats the best approach to these issues anyway?


This thread was automatically locked due to age.
  • 0
    Did you put that rule above any related ALLOW rules?

    You don't have the http proxy allowing outside traffic in, do you?

    Barry
  • 0 in reply to BarryG
    Did you put that rule above any related ALLOW rules?

    You don't have the http proxy allowing outside traffic in, do you?

    Barry

    I moved the drop rule to the top. Not sure what you mean about the http proxy. Under web security, http, global, allowed networks has only internal subnets.
  • 0 in reply to mrainey
    Sounds good.

    Are the alerts gone now?

    Portscans might still show up as they could be detected even if you don't allow the traffic through the fw.
    Other IPS alerts should go away, I believe.

    Barry
  • 0 in reply to BarryG
    Yes, the IPS alerts have gone away. I am used to seeing port scans from China, Belgium and places like that. THis one was from the USA and I just found out it was from a legit security company hired to do penetration testing unbeknown to me.