Configuration of SSM

joandersen
Level 1

I have an ASA with the SSM IPS module in it. I must be doing something wrong because all of my events are showing my internal addresses as attackers and the external addresses as the victims. We do have Citrix servers that we use and so I am getting a lot of TCP SYN scans coming from those boxes (which makes sense). I guess my question is: is there something like the HOME network on Snort where you can essentially say ignore my internal addresses as attackers? I know that is a little extreme in configuration but I just need to make sure I haven't misconfigured something here. Any help would be greatly appreciated.

1 Reply

rhermes
Level 7

Don't worry, you have not misconfigured anything; this is normal. The attackers and victims are assigned based on the signature. If you feel the attack really is in the incoming direction (as opposed to it being a false positive), you can swap attacker and victim IP in the signature settings on a sig-by-sig basis.

Otherwise you can write an Event Action Filter that could prevent alerting on internal hosts being the attackers, but this needs to be done carefully so you don't ignore bad hosts in your network.
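
The caution in the reply above can be seen in a small model. This is an added example, not part of the reply and not Cisco IPS configuration syntax: it simulates in Python how a filter keyed on attacker address (and optionally signature) removes alerts, comparing a blanket "ignore internal attackers" filter with one scoped to the Citrix servers and the SYN-scan signature. All signature IDs, addresses and names are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Event:
    sig_id: int
    attacker: str
    victim: str

@dataclass(frozen=True)
class Filter:
    name: str
    sig_ids: frozenset     # empty set means "any signature"
    attacker_nets: tuple   # attacker ranges whose alerts are removed

    def matches(self, ev):
        if self.sig_ids and ev.sig_id not in self.sig_ids:
            return False
        addr = ipaddress.ip_address(ev.attacker)
        return any(addr in ipaddress.ip_network(n) for n in self.attacker_nets)

def alerts(events, flt):
    """Return the events that still produce an alert after the filter."""
    return [e for e in events if not flt.matches(e)]

# Constructed signature IDs and sample events (not real sensor output).
SYN_SCAN, OTHER_SIG = 9001, 9002
EVENTS = [
    Event(SYN_SCAN, "10.1.20.5", "203.0.113.10"),   # Citrix server: expected noise
    Event(SYN_SCAN, "10.1.50.77", "203.0.113.10"),  # workstation scanning outbound
    Event(OTHER_SIG, "10.1.20.5", "203.0.113.99"),  # Citrix server, other signature
    Event(OTHER_SIG, "203.0.113.7", "10.1.20.5"),   # external attacker
]

# Blanket filter: any signature, every internal attacker address.
BROAD = Filter("ignore-internal", frozenset(), ("10.0.0.0/8",))
# Scoped filter: only the SYN-scan signature, only the Citrix server range.
SCOPED = Filter("citrix-syn-only", frozenset({SYN_SCAN}), ("10.1.20.0/28",))

def summary():
    return {f.name: alerts(EVENTS, f) for f in (BROAD, SCOPED)}

if __name__ == "__main__":
    for name, kept in summary().items():
        print(f"{name}: {len(kept)} alert(s) kept")
        for e in kept:
            print("   ", e)
```

The blanket filter leaves only the external-attacker event, hiding the scanning workstation and the Citrix server's other-signature alert; the scoped filter drops just the known Citrix SYN-scan noise.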
