Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
530
Views
0
Helpful
2
Replies

SSM-IPS 6.03E1 unwanted blocking

Go to solution
fashour
Level 1
Level 1

‎12-22-2008 12:49 PM - edited ‎03-10-2019 04:25 AM

Hi all,

I am doing some testing in the lab and came accross something that is interesting to me:

I enabled sigs 2000 and 2004 to test that the ips is inspecting the traffic and checked the action for those 2 sigs as producealert only. That worked well with informational alert sev. However, when raisng the sev to high the IPS starts blocking the icmp packets even though the action on the signature is only produce alert. Why is the IPS blocking such traffic? Am I missing something here. As always, help is appreciated.

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
marcabal
Cisco Employee
Cisco Employee

‎12-22-2008 01:58 PM

There is a default event-action-override for deny-packet-inline that gets added to all events with a Risk Rating of 90 or higher.

When running setup on the sensor, one of the last questions is "Modify default threat prevention settings?[no]".

If you answer "no" then the default remains active. Your 2000, and 2004 signatures will generate Risk Rating higher than 90 if you change the severity to high, and so will be automatically denied.

If you answer "yes" then you are provided to option to disable these default settings.

To see this setup option refer to step 20 of this section:

http://www.cisco.com/en/US/docs/security/ips/6.2/configuration/guide/cli/cli_initializing.html#wp1072155

To learn more about event action overrides refer to:

http://www.cisco.com/en/US/docs/security/ips/6.2/configuration/guide/cli/cli_event_action_rules.html#wp1085984

View solution in original post

0 Helpful
2 Replies 2

Go to solution
marcabal
Cisco Employee
Cisco Employee

‎12-22-2008 01:58 PM

There is a default event-action-override for deny-packet-inline that gets added to all events with a Risk Rating of 90 or higher.

When running setup on the sensor, one of the last questions is "Modify default threat prevention settings?[no]".

If you answer "no" then the default remains active. Your 2000, and 2004 signatures will generate Risk Rating higher than 90 if you change the severity to high, and so will be automatically denied.

If you answer "yes" then you are provided to option to disable these default settings.

To see this setup option refer to step 20 of this section:

http://www.cisco.com/en/US/docs/security/ips/6.2/configuration/guide/cli/cli_initializing.html#wp1072155

To learn more about event action overrides refer to:

http://www.cisco.com/en/US/docs/security/ips/6.2/configuration/guide/cli/cli_event_action_rules.html#wp1085984

0 Helpful

Go to solution
fashour
Level 1
Level 1
In response to marcabal

‎12-22-2008 02:01 PM

Thank you. That's what I wanted to hear.

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card