AIP SSM-10 policy help

muellertobias
Level 1

I am modifying one of the policies on the IPS on my 5520 that I just set up.

What I want to do is remove the false negatives coming from the DMZ with signature 3030 (TCP SYN Host Sweep)

I want to filter out the IP range of 192.168.168.0/24 but I can't get it to accept it.

What do I need to put in the src-addr-filter line to do this? Thanks.

2 Replies

rmeans
Level 3

You should be able to go to event action rules.

Add a rule.

Include the sig ID 3030.

I typically leave the sub sig to the default (0-255).

The source will be your DMZ network (192.168.168.0-192.168.168.255).

The destination will probably be the default (0.0.0.0-255.255.255.255).

The next key change will be the actions to subtract. You will want to subtract produce alert (the default action for 3030). Most of the time I subtract all actions. That way if I change a signature later I won't have an unexpected result. For example, say you start blocking attackers that do a TCP SYN sweep (3030). If you only subtract produce alert, then you might start blocking your DMZ hosts but not produce any alerts.

Lastly, you may want to tune sig 3030. 15 unique SYN packets in 60 seconds is pretty low. I have a sensor set to 30 in 5 seconds.
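As an added illustration (not code from this thread or from Cisco), here is a small Python model of the filter rmeans describes: signature 3030, the DMZ as the attacker range, and a set of actions to subtract. It also shows the CIDR-to-range conversion the filter's address fields expect, and the silent-blocking case that arises when only produce-alert is subtracted and 3030 is later given a deny action. The action names are the IPS action names; the filter model itself is constructed.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed model of a Cisco IPS event action filter (not the sensor's own
# code): match an alert on signature id, subsignature id and attacker/victim
# address, then subtract the listed actions from what the signature would do.
ALL_ACTIONS = frozenset({
    "produce-alert", "produce-verbose-alert", "log-attacker-packets",
    "deny-attacker-inline", "request-block-host", "reset-tcp-connection",
})

def cidr_to_range(cidr: str) -> str:
    """The filter's address fields take 'first-last', not CIDR; convert."""
    net = ip_network(cidr, strict=False)
    return f"{net[0]}-{net[-1]}"

def in_range(addr: str, rng: str) -> bool:
    first, last = (ip_address(a) for a in rng.split("-"))
    return first <= ip_address(addr) <= last

@dataclass(frozen=True)
class EventActionFilter:
    sig_id: int
    attacker_range: str                 # "first-last", as typed into the filter
    actions_to_subtract: frozenset
    subsig_range: tuple = (0, 255)      # the default rmeans leaves in place
    victim_range: str = "0.0.0.0-255.255.255.255"

    def matches(self, sig_id, subsig, attacker, victim) -> bool:
        return (sig_id == self.sig_id
                and self.subsig_range[0] <= subsig <= self.subsig_range[1]
                and in_range(attacker, self.attacker_range)
                and in_range(victim, self.victim_range))

def resulting_actions(sig_actions, filters, sig_id, subsig, attacker, victim):
    """Actions the sensor would still take for one alert after all filters."""
    actions = set(sig_actions)
    for f in filters:
        if f.matches(sig_id, subsig, attacker, victim):
            actions -= f.actions_to_subtract
    return actions

DMZ = cidr_to_range("192.168.168.0/24")          # 192.168.168.0-192.168.168.255
ALERT_ONLY = [EventActionFilter(3030, DMZ, frozenset({"produce-alert"}))]
SUBTRACT_ALL = [EventActionFilter(3030, DMZ, ALL_ACTIONS)]

if __name__ == "__main__":
    # Today sig 3030 only alerts; later it is tuned to also block the sweeper.
    for acts in ({"produce-alert"}, {"produce-alert", "deny-attacker-inline"}):
        for name, flt in (("alert-only", ALERT_ONLY), ("all", SUBTRACT_ALL)):
            print(name, sorted(resulting_actions(acts, flt, 3030, 0, "192.168.168.10", "10.1.1.1")))
```

With the alert-only filter, the second run leaves deny-attacker-inline in place for the DMZ host with no alert produced, which is exactly the outcome subtracting all actions avoids.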

Thanks, so I went into Event Action Rules, rules0, created a new Event Action Filter and followed your instructions to filter out sig ID 3030 when triggered by IP 192.168.168.0/24 (see attached picture).

Looks OK?
