CSA 5.2 filter all alerts from a specific IP address.

Apr 25th, 2009

We have over 100 networks, with 1 to 2 servers with CSA 5.2 on them in each network. We stagger vulnerability scans on each network quarterly. Is there a way to remove or filter the alerts for the IP address that scans these networks?

I've attempted to create a Network Access Control rule, inside a rule module, associated to a policy, associated to a group with all CSA servers included. I have also attempted to add that policy to all of the policies that are enforced on our agents. Neither of these solutions worked.

Any suggestions would be greatly appreciated. Thank you in advance.

tsteger1 Mon, 04/27/2009 - 16:00

Add your IPs to the built-in Network Address variable "Authorized Port Scanners" and it should allow scanning from those IPs.

By default it only has as an authorized scanner address.


craig.lepchenske Wed, 04/29/2009 - 22:44

Thanks for replying, Tom. I have the IP address of my scanner in that variable, but it seems to only work for network shield rules. The majority of the servers we have CSA on are IIS/Apache servers. So rules in the Common Web Server Security Module [W] still fire.

I've been banging my head against the wall on this, and I'm not sure it can even be done with CSA. Considering the rules that still fire do not seem to track the source IP address, I think I'm expecting the impossible.

tsteger1 Thu, 04/30/2009 - 14:56

Which rules are firing?

