This event (NR-4055/2) shows up in CS-MARS from one of our ASA-SSM machines several times every day. It's always on UDP port 4500, which is used with IPSec. IntelliShield also confirms that this is probably benign, so I'm not too worried. Now, I know I can create a filter in MARS to drop the events that come in on that port, but what I would really like to do is tweak the IPS signature.
So first, is this even advisable?
And second (I'd still like to know the answer to this even if the first answer is 'no'), I can't seem to find if it is really possible to modify the signatures in a useful way or not. I've gone into the IPS Manager Express and found the signature, but it doesn't seem to have any useful ways to modify it. For instance, the engine says it's a "Trojan UDP", but it doesn't really show what that means. Is it possible to dig deeper and find exactly what this signature is looking for?
I've been trying to track down more information on all this, but I haven't found quite what I'm looking for. So forgive me if this can be found somewhere. Also, I'm still pretty new to all this, so I may not entirely understand how these things work together and what I should be able to do! So thanks for any help in advance!
Any of the log packet actions WILL force an alert to be created even when produce-alert is not an action or produce-alert was removed by a filter.
In addition, the request-snmp-trap and produce-verbose-alert actions will also force an alert to be produced.
So when creating filters to prevent an alert from being created, you need to set the actions to subtract to be, at a minimum, produce-alert, produce-verbose-alert, request-snmp-trap, and all log packet actions.
The deny actions, block actions, and reset actions can all happen without an alert, and so will not force an alert.
BO2K is a traffic analysis signature. As such, it is hardcoded and doesn't really have any parameters in the signature definition (other than actions/events). Its most common false positive is encrypted traffic that happens to randomly match the multi-packet pattern. It is generally rare, but proves the fact that "one in a million can happen when you have billions".
Back Orifice, which then became BO2K, used to be one of the cool toys 'people' used to play with when I was in high school :). It has now become a 'white collar' remote administration tool like VNC or Symantec PCAnywhere. It is always recommended to tune signatures on the 'reporting device' rather than on MARS itself. Just go to Event Action Filters on your IPS and make an exception for this signature. Use the Source/Dest IP/Ports as you see in the alert, and subtract the 'Produce Alert' action.
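Putting the two answers above together (scope the filter to the hosts and port seen in the alert, and subtract every alert-forcing action, not just produce-alert), here is an added example of what that event action filter looks like from the sensor CLI. This is not from the original thread; the filter name and the address ranges are placeholders to replace with the values from your own alert, and the command and action keywords follow the IPS 6.x CLI as I know it, so confirm them with `?` on your sensor.

```cisco
! Added example, not from the thread. Sig 4055/2 (BO2K) on UDP/4500 (IPsec NAT-T).
sensor# configure terminal
sensor(config)# service event-action-rules rules0
! Filter name is a placeholder; pick whatever naming scheme your team uses.
sensor(config-eve)# filters insert bo2k-ipsec-natt-fp begin
sensor(config-eve-fil)# signature-id-range 4055
sensor(config-eve-fil)# subsignature-id-range 2
! Scope to the peers in the alert; 192.0.2.10 / 198.51.100.20 are placeholders.
sensor(config-eve-fil)# attacker-address-range 192.0.2.10
sensor(config-eve-fil)# victim-address-range 198.51.100.20
sensor(config-eve-fil)# victim-port-range 4500
! Subtract every action that forces an alert: produce-alert, produce-verbose-alert,
! request-snmp-trap, and all three log-*-packets actions (deny/block/reset need not be removed).
sensor(config-eve-fil)# actions-to-remove produce-alert|produce-verbose-alert|request-snmp-trap|log-attacker-packets|log-victim-packets|log-pair-packets
sensor(config-eve-fil)# user-comment BO2K false positive on IPsec NAT-T traffic, see IntelliShield
sensor(config-eve-fil)# filter-item-status Enabled
sensor(config-eve-fil)# exit
sensor(config-eve)# exit
Apply Changes?[yes]: yes
```

After applying, confirm with `show configuration` under `service event-action-rules rules0` that the filter lists all six actions; if any log-packet action remains in the signature's action set, the alert will keep appearing in MARS.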
We also see similar false positives for this signature.