Restricting Access from IPS

Unanswered Question
Jul 18th, 2007
User Badges:


I have a server with external and internal IP address. I want to restrict the access to this server. I have 5 IP addresses that should have access to this server. Is there a way I can restrict the access from IPS or this can only be done with access-list on firewall.

Thanks for the help.

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
mhellman Wed, 07/18/2007 - 13:11
User Badges:
  • Blue, 1500 points or more

You don't say what kind of host this is, but most newer OS's have host-based firewalls that can be used for this purpose.

If your sensor is inline, you could also create an atomic IP signature to block all access to this destination IP. Then create an event action filter that will remove the block action for those 5 source IP address.

dynacare1 Thu, 07/19/2007 - 06:46
User Badges:

Thanks for the reply. We have IPS 4240 and server is for client FTP.

I can create a signature to produce alert when there is any connectivity for the destination server ip address. From what I understand it will produce a alert for any activity for the server ip address. Now I don't see any option in Event Action which tells me to allow the connection because I will have 5 ip addresses in attacker list option, this way it will just allow the connection and if it doesn?t match attackers IP address it should block it.


mhellman Thu, 07/19/2007 - 06:59
User Badges:
  • Blue, 1500 points or more

I'm not exactly sure what you're asking, but here goes a better explaination:

I will assume your running at least version 5.x and that you are actually inline. each signature can have numerous actions. for example, you can "product alert" AND "deny connection inline". If you create just the signature (atomic ip, specify ip addr options->enter dst ip), all connections to that destination IP will be denied right, including the 5 source IP addresses you want to allow?

So the next step is to create an event action filter. for details please read:

an event action filter is used to SUBTRACT an action from an alarm. you want to remove the "deny connection inline" action from the alarm if the source ip is one of those 5. So you create an event action filter for that signature and for those 5 source IP addresses.

dynacare1 Thu, 07/26/2007 - 11:57
User Badges:

I created Custom Signature with Atomic IP but it's not working. Is there any other settings I will be checking. In the custom signature I only have destination IP address of FTP server.

Thanks for your help.


This Discussion