AIP-SSM reconnaissance question

Unanswered Question
Mar 12th, 2010

Hi,


I am doing some NMAP regular reconnaissance tests through our ASA w/IPS.  These tests are unfortunately going through the IPS even after enabling drop on signatures 3002, 2157, and 4003.  Wireshark captures show that NMAP uses TCP as opposed to the UDP specified on signature 4003.


Please assist.

bnidacoc Wed, 03/17/2010 - 12:23

Mark,


Have you modified the ASA's ACLs to allow all ports?  Some organizations' AC policies allow only minimal access, and the ASA's ACLs might be denying the traffic before it can even be analyzed by the IPS.

marcusbrutus Thu, 03/18/2010 - 11:54

Hi,


No ACL dropping packets.  With the IPS on in fail-open, nmap scans still go through.


Please advise.

Jennifer Halim Thu, 03/18/2010 - 21:46

Is the IPS configured in promiscuous or inline mode?

What is the event action for the signature# that matches the NMAP traffic?
