Combine IDS/IPS Policy to Drop All but Allow Certain IP with given ID

nreis_srn
Level 1

Is it possible, for example, to allow SQL inject testing for our web app scanner and at the same time deny all others, to create a custom rule for just that particular sig?

This would allow us to really ratchet down our systems utilizing the web app scanner, but at the same time max-protect for all other potential attackers.

TIA

Accepted Solutions

roshan.maskey
Level 1

Hi,

It is possible to keep your IP from being denied or producing an alert, while other IPs will follow your normal rules.

For that please follow the following procedure.

1. Go to IDM > EventActionRules > Rule0

2. Click on tab EventActionFilter (third tab)

3. Click Add and set the following information:

a. SigID: Specify your particular or leave default

b. SubSigID: your sigID or leave default

c. AttackerAddress: your Computer IP

d. AttackerPort: leave default

e. Victim Address: Your Server IP or leave default

f. VictimPort: leave default

g. RiskRating: leave default

h. Action to Subtract: Select the Signature you don't want to fire, or you can select all.

[press and hold and click for multiple select Signature]

Reset leave default.

4. Click Ok

5. Click Apply

Doing this, your IP will not produce an alert while doing your PenTest.
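
A simplified model of how the filter described in this answer behaves, added here as an example; it is not part of the original post and not Cisco's code. The signature ID, the addresses and the default ranges are constructed assumptions. It compares a filter with SigID and Victim Address filled in against one that leaves them at default, to show how much traffic from the scanner IP each one exempts.

```python
# Simplified model of an event action filter (added example, not Cisco code).
# Field names follow the dialog in the post; IDs and addresses are constructed.
from dataclasses import dataclass
from ipaddress import ip_address

ALL_SIGS = (0, 65535)  # assumption: "leave default" covers every signature
ANY_ADDR = ("0.0.0.0", "255.255.255.255")  # assumption: default = any address

def in_range(ip, bounds):
    lo, hi = (ip_address(b) for b in bounds)
    return lo <= ip_address(ip) <= hi

@dataclass
class Filter:
    sig_ids: tuple = ALL_SIGS
    attacker: tuple = ANY_ADDR
    victim: tuple = ANY_ADDR
    subtract: frozenset = frozenset()  # the "Action to Subtract" selection

    def matches(self, ev):
        return (self.sig_ids[0] <= ev["sig"] <= self.sig_ids[1]
                and in_range(ev["attacker"], self.attacker)
                and in_range(ev["victim"], self.victim))

def apply_filters(ev, filters):
    """Return the actions left on an event after matching filters subtract theirs."""
    actions = set(ev["actions"])
    for f in filters:
        if f.matches(ev):
            actions -= f.subtract
    return actions

SCANNER, WEBAPP, OTHER = "192.0.2.10", "198.51.100.20", "203.0.113.99"
SQLI_SIG = 50001  # placeholder signature ID, not a real Cisco signature
ACTIONS = {"deny-packet-inline", "produce-alert"}

# Narrow: one signature, scanner as attacker, the tested web app as victim.
narrow = Filter((SQLI_SIG, SQLI_SIG), (SCANNER, SCANNER), (WEBAPP, WEBAPP),
                frozenset(ACTIONS))
# Broad: only AttackerAddress set, everything else left at default.
broad = Filter(attacker=(SCANNER, SCANNER), subtract=frozenset(ACTIONS))

def event(sig, attacker, victim):
    return {"sig": sig, "attacker": attacker, "victim": victim, "actions": ACTIONS}

if __name__ == "__main__":
    for name, f in (("narrow", narrow), ("broad", broad)):
        print(name, apply_filters(event(50002, SCANNER, WEBAPP), [f]))
```

In this model the narrow filter leaves every other signature and every other victim fully protected even for traffic from the scanner address, which the broad filter does not.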

Thank you kindly
