This discussion has been locked.

You can no longer post new replies to this discussion. If you have a question you can start a new discussion

IPS just monitoring and bloc only some signatures.

Hi,
I would like to configure my IPS on the Sophos UTM 9.2 like this.
I would like to monitor the traffic with the IPS but no blocking.
But for some signatures for example hear bleed CVE-2014-0160, I would like to block traffic which matches with the signature of CVE-2014-0160.

Is it possible to configure the UTM like this? I couldn't manage this so far.
Or is there a good resource to learn more about this?

This thread was automatically locked due to age.

Parents

0 FrankBarmentlo over 11 years ago

set all rules "Action" to "Alert" and check "notify".
all attacks will be logged now, but not blocked,

all you have to do is find the "sid" from the rules matching what you want to block.
if you have it go to the tab "Advanced" in the IPS-settings, and add it under "Modified rules".

you can change the setting to "drop" per sid here.

I found some posts on the snort-website pointing to rules.. i am not sure if they are the same for Astaro/Sophos UTM too..
link1
link 2
Cancel
Vote Up 0 Vote Down

Cancel

Reply

0 FrankBarmentlo over 11 years ago

set all rules "Action" to "Alert" and check "notify".
all attacks will be logged now, but not blocked,

all you have to do is find the "sid" from the rules matching what you want to block.
if you have it go to the tab "Advanced" in the IPS-settings, and add it under "Modified rules".

you can change the setting to "drop" per sid here.

I found some posts on the snort-website pointing to rules.. i am not sure if they are the same for Astaro/Sophos UTM too..
link1
link 2
Cancel
Vote Up 0 Vote Down

Cancel

Children

No Data