We have recently deployed an inline IPS solution using 5.1(7) E1 software. We would like to deny-attacker-victim-pair-inline for some signatures from one particular subnet on the network but negate the rest.
In order to correctly implement this, I think that we need to use SigEvent Action Filters on the sensor and use the commands <<actions-to-remove/deny-attacker-victim-pair-inline>> for all subnets except the one that we wish to allow deny actions for.
I have seen that in the configuration on the sensor you can implement under the section <<service network-access>> a <<never-block-networks>> statement. My understanding is that this is used more for shunning rather than deny-inline solutions.
Am I correct about this?
Please could someone on the list validate that this is the best practice solution for negating deny-attackers inline.
Create 2 event action filters.
The first event action filter will match the signatures and subnets you want to deny on and don't subtract any actions. Make sure you set it to "stop on match".
The next one will match the same signatures but the 0.0.0.0-255.255.255.255 address. Remove the appropriate actions.
The net result is that the first event action filter will apply when it matches and the second when it doesn't.
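The two-filter approach from the reply above, written out as a Cisco IPS 5.x event-action-rules configuration. This is an added example, not configuration posted by either participant in the thread; the filter names (keep-deny-subnet, strip-deny-all), the signature range 2000-2010 and the subnet 10.10.20.0/24 (expressed as an address range) are placeholders chosen for illustration, and the exact CLI keywords should be checked against the sensor's own help output before use.

```text
! Assumed: sensor already in configure terminal mode
service event-action-rules rules0

! Filter 1: alerts from the one subnet that should still be denied.
! No actions are removed; stop-on-match prevents filter 2 from
! stripping the deny action for these events.
filters insert keep-deny-subnet begin
  signature-id-range 2000-2010
  attacker-address-range 10.10.20.0-10.10.20.255
  victim-address-range 0.0.0.0-255.255.255.255
  stop-on-match true
  exit

! Filter 2: same signatures, any attacker address. Because filter 1
! stopped processing for the allowed subnet, this only reaches events
! from every other source, where the deny action is removed.
filters insert strip-deny-all end
  signature-id-range 2000-2010
  attacker-address-range 0.0.0.0-255.255.255.255
  victim-address-range 0.0.0.0-255.255.255.255
  actions-to-remove deny-attacker-victim-pair-inline
  stop-on-match false
  exit

exit
```

Order is what makes this work: filters are evaluated top to bottom, so the subnet-specific filter must sit above the catch-all, and its stop-on-match must be true. A practical check after applying the configuration is to generate a matching test alert from inside and from outside 10.10.20.0/24 and confirm that only the inside event still carries the deny action in the alert output.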