
IPS logs growing growing growing... can't stop it.

I'm attempting to stop the following rule from filling my IPS logs.

"id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="reject" reason="PROTOCOL-ICMP Unusual PING detected" group="410" srcip="10.1.0.7" dstip="10.1.1.2" proto="1" srcport="0" dstport="0" sid="29456" class="Information Leak" priority="2" generator="1" msgid="0" "

I need this traffic stopped but I don't want to see 400,000 iterations of the alert every single day.

My process:
1. In Network Protection > Intrusion Prevention > Advanced > Modify Rules I have added a modification for 29456 to disable notification and to drop.

Can someone please show me the error of my ways?

Thanks,

~D


  • The endless battle continues...

    I've done three things:
    1) I turned off all ICMP functionality under Network Protection\Firewall\ICMP
    2) I created a custom rule that blocks all ICMP protocol traffic from this ip address.
    3) Completely disabling the IPS rule. 

    Result: 
    1)  Firewall still filling with ICMP alerts from 10.1.0.7
    2)  IPS log has stopped alerting on strange ICMP traffic.

    The rule is set as follows:
    Source = 10.1.0.7
    Services: a group containing all ICMP svs including pings.
    Destination: Any
    Action: Drop
    Log Traffic: not checked


    2014:03:12-15:23:36 ravenna ulogd[4794]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth0" srcmac="4c:82:cf:2:20:1f" dstmac="0:c:29:f2:87:19" srcip="10.1.0.7" dstip="10.1.1.2" proto="1" length="84" tos="0x00" prec="0x00" ttl="64" type="8" code="0"  
    2014:03:12-15:23:39 ravenna ulogd[4794]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth0" srcmac="4c:82:cf:2:20:1f" dstmac="0:c:29:f2:87:19" srcip="10.1.0.7" dstip="10.1.1.2" proto="1" length="84" tos="0x00" prec="0x00" ttl="64" type="8" code="0"
    This is beyond irritating.

    The only thing left is to ALLOW all ICMP traffic but that defeats the firewall itself.
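An added example, not from this thread or from the UTM product itself, that parses the key="value" snort/ulogd lines shown in the original post and in the reply above and counts events per subsystem, rule and source address, so after a configuration change you can tell whether the volume is still coming from the IPS sid or from a packet-filter rule number. The sample lines are constructed in the thread's format with made-up timestamps and an extra source IP.

```python
import re
from collections import Counter

# Constructed sample lines in the same key="value" format as the thread's
# ulogd (packetfilter) and snort (ips) output; times and 10.1.0.9 are made up.
SAMPLE_LOG = """\
2014:03:12-15:23:36 ravenna ulogd[4794]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth0" srcip="10.1.0.7" dstip="10.1.1.2" proto="1" length="84" type="8" code="0"
2014:03:12-15:23:39 ravenna ulogd[4794]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth0" srcip="10.1.0.7" dstip="10.1.1.2" proto="1" length="84" type="8" code="0"
2014:03:12-15:23:40 ravenna snort[4812]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="reject" reason="PROTOCOL-ICMP Unusual PING detected" group="410" srcip="10.1.0.7" dstip="10.1.1.2" proto="1" srcport="0" dstport="0" sid="29456" class="Information Leak" priority="2"  generator="1" msgid="0"
2014:03:12-15:23:41 ravenna ulogd[4794]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth0" srcip="10.1.0.9" dstip="10.1.1.2" proto="1" length="84" type="8" code="0"
"""

# key="value" pairs; values may contain spaces (e.g. the reason field)
KV_RE = re.compile(r'(\w+)="([^"]*)"')
# "<timestamp> <host> <process>[<pid>]: " header that precedes the pairs
HEADER_RE = re.compile(r'^(\S+) (\S+) (\S+?)\[(\d+)\]: ')


def parse_line(line):
    """Return a dict of the key="value" fields plus timestamp/host/process,
    or None if the line does not carry the UTM log header."""
    m = HEADER_RE.match(line)
    if not m:
        return None
    fields = {"timestamp": m.group(1), "host": m.group(2),
              "process": m.group(3), "pid": int(m.group(4))}
    fields.update(KV_RE.findall(line[m.end():]))
    return fields


def summarize(log_text):
    """Count events per (subsystem, rule, source IP). For IPS lines the rule is
    the Snort sid; for packet-filter lines it is the fwrule number, so a
    counter that keeps growing shows which rule the noise is actually hitting."""
    counts = Counter()
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        rule = ev.get("sid") if ev.get("sub") == "ips" else ev.get("fwrule")
        counts[(ev.get("sub"), rule, ev.get("srcip"))] += 1
    return counts


def top_sources(log_text, n=3):
    """Return the n noisiest (sub, rule, srcip) tuples with their counts."""
    return summarize(log_text).most_common(n)


if __name__ == "__main__":
    for (sub, rule, src), n in top_sources(SAMPLE_LOG):
        print(f"{n:6d}  {sub:<13} rule={rule:<6} src={src}")
```

Run it against the full /var/log output instead of SAMPLE_LOG to compare counts before and after a rule change.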
  • 2014:04:19-00:05:01 efw1-1 snort[18999]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="" reason="(smtp) Attempted command buffer overflow: more than 512 chars" srcip="199.59.150.80" dstip="192.168.1.11" proto="6" srcport="10045" dstport="25" sid="1" class="Attempted Administrator Privilege Gain" priority="1"  generator="124" msgid="1"
    2014:04:19-00:05:43 efw1-1 snort[18999]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="" reason="(smtp) Attempted command buffer overflow: more than 512 chars" srcip="209.85.217.196" dstip="192.168.1.11" proto="6" srcport="47394" dstport="25" sid="1" class="Attempted Administrator Privilege Gain" priority="1"  generator="124" msgid="1"