03-25-2009 04:17 AM - edited 03-10-2019 04:34 AM
Hi all
Actually our customer has an AIP-SSM module which is configured in inline mode. Some users appear as attackers in the IPS event store.
Can I deny any unwanted connection for these users without affecting the legitimate connections of these users, like internet browsing???
I tried to set the signature action to "deny connection inline", but when the signature fires, the user who appeared as an attacker is totally blocked and cannot access the internet.
Has anyone faced this issue??
Please advise.
regards
03-25-2009 07:38 AM
Hi Mohammed,
This requires a bit more information.
Are these users based on the inside network and are they browsing the internet?
Can I ask which signatures the IPS is firing?
Thanks
Andy
03-25-2009 08:30 AM
Dear Andy
Thanks for your reply.
The users are on the inside network and they are browsing the internet.
The signatures that are fired by the IPS are:
3002 TCP SYN Port sweep
3010 TCP High Port sweep
regards
Mohamed
03-25-2009 09:03 AM
Hi Mohammed,
Ok - and so what is the source address of the attacker? Is it the internal hosts? One host or many, and where are they trying to scan?
Thanks
03-25-2009 09:20 AM
Dear Andy
The source addresses of the attackers are the internal users (10.3.40.x) and (10.3.50.x), and the victims are real IP addresses which are unknown.
This signature is fired for some internal users, not all.
regards
03-25-2009 09:23 AM
Hi Mohammed,
Have you checked your PCs for viruses?
They should not be scanning random IP addresses like that.
Thanks
Andy
03-25-2009 09:30 AM
Dear Andy
I already told my customer to do that, but the customer's request is that the IPS appliance should deny the connection to these unknown real IPs, but the IPS appliance denies the users totally, so they cannot browse the internet.
As I said before, the signature action is "deny connection inline".
regards
03-25-2009 09:35 AM
Hi Mohammed,
Ideally your customer needs to check his machines. The signature can be disabled purely for these hosts, but I wouldn't recommend that as it defeats the point of having the IPS in place.
He ideally needs to check his hosts for viruses :-)
Thanks
Andy
03-25-2009 09:48 AM
Andy
Surely, the customer will do that.
My question is: if the signature action is "deny connection inline", will that deny the attacker totally or not???
regards
03-25-2009 09:51 AM
Hi Mohammed,
No, it will deny only the single connection from the host. But the host will then create a new connection and that will then be blocked (if it fires a signature rule). If the connection to the internet is legitimate this will not be blocked, as it is a new connection.
To block the host completely, this will be 'deny attacker inline'.
Thanks
Andy
03-25-2009 10:08 AM
Andy
I agree with you regarding that.
But although the signature action is "deny connection inline", the internal user (attacker address) is totally denied.
Do you have any recommendations on how to find the reason for that??
regards
03-26-2009 01:48 AM
Hi Mohammed.
Right now I'm preparing for the IPS exam, and I have read somewhere that:
"deny connection inline" will stop the connection totally. But if the same user (IP address) has many "deny connection inline" events, the IPS will say that there is a problem with this PC and I'll not lose resources and time blocking each connection, and the IPS sensor will block the host.
You can tune the signature to solve this issue, but this will not solve the main problem.
But as Andy said, there is a sweep attack from these PCs. Try to scan them with anti-virus and anti-worm software, because they are the source of these issues.
Sweep is a "Network Reconnaissance Attack". Please take a look at this link for more information:
http://www.cisco.com/en/US/docs/security/ips/5.1/configuration/guide/cli/cliSgEng.html#wp1048257
I hope this is helpful.
Best regards
Reda
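The difference between the two inline actions that Andy and Reda describe, as an added example that is not part of the original thread: a small Python model that applies each action to a constructed flow stream from the thread's inside subnets and tallies the sweep-signature hits per source, which is the triage a defender would do before deciding which hosts to scan. The flow records, the addresses, the signature-to-flow mapping and the blocking semantics are assumptions made for this illustration; in particular, a real sensor's deny-attacker block expires after a configurable time, which this model ignores.

```python
"""Model of the two Cisco IPS inline actions discussed in the thread.
All data below is constructed for illustration; it is not sensor output."""
from collections import defaultdict

DENY_CONNECTION = "deny-connection-inline"
DENY_ATTACKER = "deny-attacker-inline"
SWEEP_SIGS = {3002, 3010}  # the two port-sweep signature IDs from the thread

# Constructed flow stream: (seq, src, dst, dst_port, signature that fired or None).
# Host 10.3.40.15 mixes normal browsing with flows that trip sig 3010;
# host 10.3.50.8 only browses. Addresses are assumptions, not the customer's.
FLOWS = [
    (1, "10.3.40.15", "203.0.113.7", 80, None),
    (2, "10.3.40.15", "198.51.100.9", 1025, 3010),
    (3, "10.3.40.15", "203.0.113.7", 443, None),
    (4, "10.3.40.15", "198.51.100.9", 1026, 3010),
    (5, "10.3.50.8", "203.0.113.7", 80, None),
]


def apply_action(flows, action):
    """Return the seq numbers the sensor would drop under the given action.

    deny-connection-inline: only the flow that fired a signature is dropped,
    so the same host's legitimate browsing keeps flowing.
    deny-attacker-inline: once a host fires, every later flow from it is
    dropped (assumption: the block never expires within this stream)."""
    dropped, blocked_hosts = [], set()
    for seq, src, _dst, _port, sig in flows:
        if src in blocked_hosts:
            dropped.append(seq)
            continue
        if sig is not None:
            dropped.append(seq)
            if action == DENY_ATTACKER:
                blocked_hosts.add(src)
    return dropped


def sweep_sources(flows):
    """Per-source count of sweep-signature hits: the inside hosts to scan first."""
    counts = defaultdict(int)
    for _seq, src, _dst, _port, sig in flows:
        if sig in SWEEP_SIGS:
            counts[src] += 1
    return dict(counts)


if __name__ == "__main__":
    for action in (DENY_CONNECTION, DENY_ATTACKER):
        print(action, "drops flows", apply_action(FLOWS, action))
    print("sweep hits per source:", sweep_sources(FLOWS))
```

Under deny-connection only the two flagged flows are dropped and the host's browsing (seq 1 and 3) survives; under deny-attacker every later flow from that host is dropped, which is the "totally blocked" symptom described in the thread.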