customizing signatures question on AIP-SSM

mohamed_makled
Level 1

Hi all

Actually our customer has an AIP-SSM module which is configured in inline mode. Some users appear as attackers in the IPS event store.

Can I deny any unwanted connection for these users without affecting the legitimate connections of these users, like internet browsing?

I tried to set the signature action to "deny connection inline", but when the signature fires, the user who appeared as an attacker is totally blocked and cannot access the internet.

Has anyone faced this issue?

Please advise.

Regards

11 Replies

andrew100
Level 1

Hi Mohammed,

This requires a bit more information.

Are these users based on the inside network and are they browsing the internet?

Can I ask which signatures the IPS is firing?

Thanks

Andy

Dear Andy

Thanks for your reply.

The users are in the inside network and they are browsing the internet.

The signatures that are fired by the IPS are:

3002 TCP SYN Port sweep

3010 TCP High Port sweep

Regards

Mohamed

Hi Mohammed,

OK, so what is the source address of the attacker? Is it the internal hosts? One host or many, and where are they trying to scan?

Thanks

Dear Andy

The source addresses of the attackers are the internal users (10.3.40.x) and (10.3.50.x), and the victims are real IP addresses which are unknown.

This signature is fired for some internal users, not all.

Regards

Hi Mohammed,

Have you checked your PCs for viruses?

They should not be scanning random IP addresses like that.

Thanks

Andy

Dear Andy

I already told my customer to do that, but the customer's request is that the IPS appliance should deny the connection to these unknown real IPs; instead the IPS appliance denies the users totally, so they cannot browse the internet.

As I said before, the signature action is "deny connection inline".

Regards

Hi Mohammed,

Ideally your customer needs to check his machines. The signature can be disabled purely for these hosts, but I wouldn't recommend that as it defeats the point of having the IPS in place.

He ideally needs to check his hosts for viruses :-)

Thanks

Andy

Andy

Surely, the customer will do that.

My question is: if the signature action is "deny connection inline", will that deny the attacker totally or not?

Regards

Hi Mohammed,

No, it will deny only the single connection from the host. But the host will then create a new connection and that will then be blocked (if it fires a signature rule). If the connection to the internet is legitimate this will not be blocked as it is a new connection.

To block the host completely, this will be 'deny attacker inline'.

Thanks

Andy
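A simplified model of the two actions Andy contrasts, added here as an illustration; it is not code from this thread or from Cisco's IPS, and the window, threshold, deny duration and traffic are constructed values. It shows why a legitimate connection opened after the sweep stops is forwarded under "deny connection inline" but still dropped under "deny attacker inline".

```python
from collections import defaultdict

# Constructed, simplified model of an inline sensor; not Cisco's AIP-SSM code.
SWEEP_WINDOW = 15           # seconds over which distinct destinations are counted
SWEEP_THRESHOLD = 5         # distinct destination hosts that make the sweep signature fire
ATTACKER_DENY_SECONDS = 60  # how long "deny attacker inline" keeps dropping the source


class InlineSensor:
    def __init__(self, action):
        if action not in ("deny-connection-inline", "deny-attacker-inline"):
            raise ValueError(action)
        self.action = action
        self.recent = defaultdict(dict)   # src -> {dst: time of last SYN}
        self.denied_until = {}            # src -> time until all of its traffic is dropped
        self.events = []                  # (time, src, signature) alerts raised

    def handle(self, t, src, dst):
        """Decide 'forward' or 'drop' for one outbound TCP SYN seen at time t."""
        if self.denied_until.get(src, -1) > t:
            return "drop"                 # host-level deny still in force
        seen = self.recent[src]
        seen[dst] = t
        for d in [d for d, last in seen.items() if t - last > SWEEP_WINDOW]:
            del seen[d]                   # expire destinations outside the window
        if len(seen) >= SWEEP_THRESHOLD:
            self.events.append((t, src, "3002 TCP SYN Port Sweep"))
            if self.action == "deny-attacker-inline":
                self.denied_until[src] = t + ATTACKER_DENY_SECONDS
            return "drop"                 # the triggering connection is dropped under both actions
        return "forward"


def run(action, flows):
    """Apply one action to a list of (t, src, dst) SYNs; return the verdict per flow."""
    sensor = InlineSensor(action)
    return [sensor.handle(*f) for f in flows]


# Constructed traffic: an inside host sweeps six unrelated addresses, then 30 s
# later opens an ordinary web connection.
FLOWS = [(i, "10.3.40.25", f"203.0.113.{i + 1}") for i in range(6)]
FLOWS.append((35, "10.3.40.25", "198.51.100.10"))

if __name__ == "__main__":
    for action in ("deny-connection-inline", "deny-attacker-inline"):
        print(action, run(action, FLOWS))
```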

Andy

I agree with you regarding that.

But although the signature action is "deny connection inline", the internal user (attacker address) is totally denied.

Do you have any recommendations for finding the reason for that?

Regards

Hi Mohammed.

Right now I'm preparing for the IPS exam, and I have read somewhere that:

"deny connection inline" will stop the connection totally. But if the same user (IP address) has many "deny connection inline" events, the IPS will say that there is a problem with this PC and that it will not waste resources and time blocking each connection, and the IPS sensor will block the host.

You can tune the signature to solve this issue, but this will not solve the main problem.

But as Andy said, there is a sweep attack from these PCs. Try to scan them with anti-virus and anti-worm tools, because they are the source of these issues.

Sweep is a "Network Reconnaissance Attack". Please take a look at this link for more information:

http://www.cisco.com/en/US/docs/security/ips/5.1/configuration/guide/cli/cliSgEng.html#wp1048257

I hope this is helpful.

Best regards

Reda

j.reda7@gmail.com
