Configuration of SSM

Unanswered Question
Sep 30th, 2009

I have an ASA with the SSM IPS module in it. I must be doing something wrong because all of my events are showing my internal addresses as attackers and the external addresses as the victims. We do have Citrix servers that we use and so I am getting a lot of TCP SYN scans coming from those boxes (which makes sense). I guess my question is: is there something like the HOME network on Snort where you can essentially say ignore my internal addresses as attackers? I know that is a little extreme in configuration but I just need to make sure I haven't misconfigured something here. Any help would be greatly appreciated.

rhermes Thu, 10/01/2009 - 13:57

Don't worry, you have not misconfigured anything; this is normal. The attackers and victims are assigned based on the signature. If you feel the attack really is in the incoming direction (as opposed to it being a false positive), you can swap attacker and victim IP in the signature settings on a sig-by-sig basis.

Otherwise you can write an Event Action Filter that could prevent alerting on internal hosts being the attackers, but this needs to be done carefully so you don't ignore bad hosts in your network.
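
An added illustration, not part of the thread and not Cisco IPS configuration syntax: a small Python model of the filtering trade-off described in the reply above, comparing a filter on all internal attackers with one scoped to a single signature and the Citrix servers. The signature IDs, addresses, alerts and every name in the code are constructed assumptions.

```python
"""Model of an alert filter keyed on attacker address and signature ID."""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network

# Constructed values: the IDs, networks and alerts below are invented for this demo.
SYN_SWEEP_SIG = 90001                        # placeholder, not a real signature number
CITRIX_SERVERS = ip_network("10.10.20.0/28")
INTERNAL_NET = ip_network("10.0.0.0/8")


@dataclass(frozen=True)
class Alert:
    sig_id: int
    attacker: str
    victim: str


@dataclass(frozen=True)
class AlertFilter:
    name: str
    attackers: IPv4Network     # attacker address must fall inside this network
    sig_ids: range             # signature IDs the filter applies to

    def matches(self, alert: Alert) -> bool:
        return (alert.sig_id in self.sig_ids
                and ip_address(alert.attacker) in self.attackers)


def surviving_alerts(alerts, filters):
    """Return the alerts no filter removes, i.e. what the analyst still sees."""
    return [a for a in alerts if not any(f.matches(a) for f in filters)]


# Too broad: every signature, every internal attacker.
BROAD = AlertFilter("all-internal", INTERNAL_NET, range(0, 100000))
# Scoped: only the SYN sweep signature, only the Citrix servers.
SCOPED = AlertFilter("citrix-syn-sweep", CITRIX_SERVERS,
                     range(SYN_SWEEP_SIG, SYN_SWEEP_SIG + 1))

ALERTS = [  # constructed sample events
    Alert(SYN_SWEEP_SIG, "10.10.20.5", "198.51.100.7"),    # Citrix server: expected noise
    Alert(SYN_SWEEP_SIG, "10.10.30.44", "198.51.100.9"),   # workstation sweeping: investigate
    Alert(90002, "10.10.20.5", "203.0.113.20"),            # Citrix server, other signature
]

if __name__ == "__main__":
    for flt in (BROAD, SCOPED):
        kept = surviving_alerts(ALERTS, [flt])
        print(f"{flt.name}: {len(kept)} of {len(ALERTS)} alerts kept")
        for a in kept:
            print(f"  sig {a.sig_id} attacker {a.attacker} -> {a.victim}")
```

The broad filter leaves nothing to review, including the workstation sweep, while the scoped filter removes only the Citrix SYN sweep noise.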

