Combine IDS/IPS Policy to Drop All but Allow Certain IP with given ID

Answered Question
Apr 10th, 2009

Is it possible, for example, to allow SQL injection testing from our web app scanner and at the same time deny all others, by creating a custom rule for just that particular sig?

This would allow us to really ratchet down our systems utilizing the web app scanner, but at the same time max-protect for all other potential attackers.

TIA

Correct Answer by roshan.maskey about 7 years 9 months ago

Hi,

It is possible to keep your IP from being denied or producing alerts while other IPs follow your normal rules.

For that please follow the following procedure.

1. Goto-IDM-EventActionRules-Rule0

2. Click on tab EventActionFilter (third tab)

3. Click Add and set the following information:

a. SigID: specify your particular SigID or leave default

b. SubSigID: your sigID or leave default

c. AttackerAddress: your Computer IP

d. AttackerPort: leave default

e. Victim Address: Your Server IP or leave default

f. VictimPort: leave default

g. RiskRating: leave default

h. Action to Subtract: Select the Signature You don't want to fire or can select all.

[press and hold and click for multiple select Signature]

i. Reset: leave default.

4. Click Ok

5. Click Apply

Doing this, your IP will not produce alerts while doing your PenTest.
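To make the effect of the filter above concrete, here is an added example (not part of the original post, and not Cisco's own code) that models how an Event Action Filter subtracts actions from matching events. The field names mirror the IDM dialog the answer walks through; the `Event`/`EventActionFilter` classes, the scanner and server addresses, and the signature range `5000-5999` are constructed placeholders, not real Cisco signature IDs. The point it demonstrates is the scoping caveat a defender cares about: when the filter is narrowed to the scanner's address, the target server, and the signatures the scanner is expected to trigger, every other attacker, and the scanner host itself on any other signature or against any other victim, keeps the full action set.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import FrozenSet, Sequence, Tuple

# Actions a signature fires with before any filter is applied
# (names follow Cisco IPS terminology; hypothetical default set).
DEFAULT_ACTIONS: FrozenSet[str] = frozenset(
    {"produce-alert", "deny-attacker-inline", "deny-packet-inline"}
)


@dataclass(frozen=True)
class Event:
    """One signature hit as the sensor evaluates it before filters run."""
    sig_id: int
    subsig_id: int
    attacker: str
    victim: str
    risk_rating: int
    actions: FrozenSet[str] = DEFAULT_ACTIONS


@dataclass(frozen=True)
class EventActionFilter:
    """Mirrors the fields of the IDM Event Action Filter dialog.

    A filter never adds actions; it only subtracts actions_to_subtract from
    events that fall inside every range below. "Leave default" in the GUI
    means the range matches anything, which is what the defaults here do.
    """
    name: str
    actions_to_subtract: FrozenSet[str]
    sig_ids: Tuple[int, int] = (0, 65535)
    subsig_ids: Tuple[int, int] = (0, 255)
    attacker: str = "0.0.0.0/0"
    victim: str = "0.0.0.0/0"
    risk_rating: Tuple[int, int] = (0, 100)
    stop_on_match: bool = False

    def matches(self, ev: Event) -> bool:
        lo, hi = self.sig_ids
        slo, shi = self.subsig_ids
        rlo, rhi = self.risk_rating
        return (
            lo <= ev.sig_id <= hi
            and slo <= ev.subsig_id <= shi
            and rlo <= ev.risk_rating <= rhi
            and ip_address(ev.attacker) in ip_network(self.attacker)
            and ip_address(ev.victim) in ip_network(self.victim)
        )


def apply_filters(ev: Event, filters: Sequence[EventActionFilter]) -> FrozenSet[str]:
    """Walk the filter list in order and return the actions that remain."""
    remaining = set(ev.actions)
    for flt in filters:
        if flt.matches(ev):
            remaining -= flt.actions_to_subtract
            if flt.stop_on_match:
                break
    return frozenset(remaining)


# Constructed sample values; the signature range is a placeholder, not a real Cisco ID.
SCANNER_IP = "10.0.0.50"
WEB_SERVER = "10.0.1.10"
SQLI_SIG_RANGE = (5000, 5999)

# The filter from the answer: attacker = scanner host, victim = our server,
# narrowed to the signatures the scanner is expected to trigger.
SCANNER_FILTER = EventActionFilter(
    name="webscanner-sqli",
    actions_to_subtract=DEFAULT_ACTIONS,
    sig_ids=SQLI_SIG_RANGE,
    attacker=f"{SCANNER_IP}/32",
    victim=f"{WEB_SERVER}/32",
)
FILTERS = [SCANNER_FILTER]


def scanner_sqli_event() -> Event:
    return Event(5120, 0, SCANNER_IP, WEB_SERVER, 85)


def outsider_sqli_event() -> Event:
    # Same signature from any other source keeps every action.
    return Event(5120, 0, "203.0.113.7", WEB_SERVER, 85)


def scanner_other_sig_event() -> Event:
    # Scanner host, but a signature outside the scoped range stays enforced.
    return Event(3050, 0, SCANNER_IP, WEB_SERVER, 85)


def scanner_other_victim_event() -> Event:
    # Scanner host hitting a server the filter does not cover stays enforced.
    return Event(5120, 0, SCANNER_IP, "10.0.1.11", 85)


if __name__ == "__main__":
    cases = [
        ("scanner -> web server, SQLi sig", scanner_sqli_event()),
        ("outsider -> web server, SQLi sig", outsider_sqli_event()),
        ("scanner -> web server, other sig", scanner_other_sig_event()),
        ("scanner -> other host, SQLi sig", scanner_other_victim_event()),
    ]
    for label, ev in cases:
        left = sorted(apply_filters(ev, FILTERS)) or ["(no action)"]
        print(f"{label}: {left}")
```

If the SigID, VictimAddress and RiskRating fields are all left at their defaults, only the attacker range constrains the filter, and the sensor becomes blind to everything that host does; narrowing at least the signature range or the victim address, as modelled here, keeps the exception to the scanner's intended traffic.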
