To override a signature for a particular IP Address range in IPS

Jun 17th, 2008

Hi team

We have a customer running a Cisco IPS in Inline VLAN Pairing mode, model IPS 4240, version 5.1(5). The issue is that they have a website which was accessible from their LAN a few days back (with and without proxy). The users used to type this URL in the browser on the HTTP port, after which internally it gets redirected to the HTTPS port. After the IPS became inline, the URL is inaccessible. The current bypass setting in the IPS is "Auto". I have changed the bypass mode to "On" (not to inspect traffic) so as to confirm whether the IPS alone is blocking the traffic. Once I changed it, I found the URL started working. My concern is that I am unable to find the particular signature which is triggering this, as maybe the logging / produce alert action is not enabled for it.

I have done following to make the URL work

1) Created an event action filter from the source ( to the destination ( and subtracted all "deny" actions

2) Created an event action filter from the source ( to the destination ( and subtracted all "deny" actions

The above combination didn't work, so I disabled the above rule and then created a new custom signature 60002 with the engine "Atomic IP".

A) Gave the actions produce alert / log alert / SNMP for the source ( to destination ( however this also didn't work

Note the IP address of is and sometimes we see in the netstat output too.

I believe the "Event action filters" in IPS should have worked in this case; however they are not working. Please let me know how to do the correct configuration and also how to find out which signature is triggering.

As of now I have disabled all the Deny packet inline / attacker / victim / TCP Reset / modify packet types of signatures and the URL is WORKING NOW. However, I believe that's not a solution. Please help in this regard.


Farrukh Haroon Tue, 06/17/2008 - 18:31

First go to Signatures >> Miscellaneous and verify that AIC HTTP is disabled.

Secondly you can log packets sourced/destined to in the Monitoring >> IP Logging area. This will give you a good idea of what traffic is passing.

Thirdly, you are most probably hitting one of the TCP normalizer engines. Firstly go to Signatures, select all signatures in IPS and hit 'Restore Defaults'.

Then add the 'Produce Alert' action on all signatures; some signatures have no action by default. Once you find out which signature is actually triggering based on Monitor >> Events, you can then restore the default setting, as some signatures are meant to have 'no actions' because they are part of Meta Signatures.



ankurs2008 Wed, 06/18/2008 - 06:59

Hi happs

Thanks for your quick response

1) I have ensured that the signature type AIC HTTP is disabled.

2) Please let me know how to enable logging in the way you have mentioned above, as you have specified source and destination fields to be entered in the Monitoring -> Events tab; however I didn't find any place (see snapshot) where I can specify source or destination.

Please let me know the exact reason why the Event action filters didn't work, as they should definitely have overridden all the signature actions if I specify to subtract alerts (for all signatures related to deny actions) for to any and vice-versa.



Farrukh Haroon Wed, 06/18/2008 - 09:04

I meant the same screen. By source and destination I meant add two separate log entries. One using the Source IP, the other using the Destination IP (as the source). So that both flows are covered.



ankurs2008 Wed, 06/18/2008 - 23:37

Hi happs

Thanks for the update. I will do the same and update you. However I have a query: even if I find out the exact signature and disable it, it will get disabled universally; therefore even if a real intrusion is happening from some other illegitimate IP, which this signature (which I will be blocking currently) should have blocked, it will not do that because I would have disabled the signature by then.

Also, if tomorrow some more websites get blocked by triggering some different signature, again I will be disabling that signature universally. In this way

1) I am allowing the intruder to get in and making the devices vulnerable to attack

2) I am not using the "event action filter" feature

Please help me with this.



Farrukh Haroon Wed, 06/18/2008 - 23:44

No the idea is not to disable the signature. The reason why I wanted you to locate the specific block/deny was to make it easier to fix it. I would still recommend to use the Event Action Filters only to exclude the host and not disable the signature altogether.

That said, there are some signatures that "according to the documentation" cannot be excluded using event actions, like Sweep signatures. These signatures have a built-in Source/Dest IP field to exclude specific hosts. However, to be honest, I could get event actions to work perfectly with event actions on our customers ;), so it could be an old restriction still mentioned in the docs.

Lastly, you only disable a signature when you are absolutely sure that you are not running the Software/Application/Service on your network. For example, on one customer we would frequently get VPN 3000 Conc. HTTP attack signatures fired for internet traffic, and since there is no chance of adding any VPN3k on this network (it's already End of Sale), I disabled this signature.
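The approach recommended above, as an added example that is not part of the original thread: two event action filters on an IPS 5.x sensor, one per flow direction, that strip only the inline deny/reset actions for the one server while leaving 'Produce Alert' in place so the triggering signature still shows up under Monitor >> Events. The CLI syntax follows the IPS 5.1 sensor CLI as I recall it and should be checked against the configuration guide for 5.1(5); the addresses and filter names are placeholders, since the thread's own IPs did not survive, and the `!` lines are annotations rather than commands.

```text
sensor# configure terminal
sensor(config)# service event-action-rules rules0
!
! Filter 1: client LAN -> web server. No signature-id-range is given, so the
! filter applies to every signature; only the blocking actions are removed.
sensor(config-rul)# filters insert webserver-out begin
sensor(config-rul-fil)# attacker-address-range 10.0.0.0-10.0.0.255
sensor(config-rul-fil)# victim-address-range 203.0.113.10
sensor(config-rul-fil)# actions-to-remove deny-attacker-inline|deny-connection-inline|deny-packet-inline|reset-tcp-connection|modify-packet-inline
sensor(config-rul-fil)# filter-item-status enabled
sensor(config-rul-fil)# stop-on-match false
sensor(config-rul-fil)# user-comment placeholder: exclude web server, keep alerts
sensor(config-rul-fil)# exit
!
! Filter 2: the reverse flow (server replies, HTTP->HTTPS redirect), so that a
! normalizer hit on the return traffic is also not blocked.
sensor(config-rul)# filters insert webserver-in begin
sensor(config-rul-fil)# attacker-address-range 203.0.113.10
sensor(config-rul-fil)# victim-address-range 10.0.0.0-10.0.0.255
sensor(config-rul-fil)# actions-to-remove deny-attacker-inline|deny-connection-inline|deny-packet-inline|reset-tcp-connection|modify-packet-inline
sensor(config-rul-fil)# filter-item-status enabled
sensor(config-rul-fil)# stop-on-match false
sensor(config-rul-fil)# exit
sensor(config-rul)# show settings
sensor(config-rul)# exit
Apply Changes:?[yes]: yes
```

Once the offending signature is visible in the event log, the two filters can be tightened with `signature-id-range <id>` so that only that signature is excluded for this host and every other signature keeps its full deny actions.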



